web application security lab

Article on Top 10 Web 2.0 Specific Security Issues

Well, it was interesting to see that in a recent article Help-Net Security reports that Cross Site Scripting is the number one security issue plaguing Web 2.0 technologies. This is a pretty interesting take on one fairly major issue - not that XSS is or isn’t bad, but how AJAX increases the attack surface.

To quote the article:

In the last few months, several cross-site scripting attacks have been observed, where malicious JavaScript code from a particular Web site gets executed on the victim’s browser thereby compromising information. A recent example is the Yamanner worm that exploited cross-site scripting opportunities in Yahoo mail’s AJAX call. Another recent example is the Samy worm that exploited MySpace.com’s cross-site scripting flaw. AJAX gets executed on the client-side by allowing an incorrectly written script to be exploited by an attacker. The attacker is only required to craft a malicious link to coax unsuspecting users to visit a certain page from their Web browsers. This vulnerability existed in traditional applications as well but AJAX has added a new dimension to it.

I think the only difference between AJAX applications and normal web applications from an XSS perspective is that I’ve seen more examples where application developers attempt to do the escaping at the client level rather than at the server level. That creates several attack points instead of just one. Instead of having to encode the output in one place, at the server, it now muddies the water.

Muddying the waters might not sound like a big deal but XSS is a terribly complex issue. It’s hard enough to keep the server output from executing HTML (and just because it appears hidden doesn’t actually mean it is hidden if I send the user there directly). Now you have to worry about it in two places or more. In the case of the JSON issue in Google that I found they had three or four places (once at the server and a few places in the JavaScript code) that required different types of filtering for the different applications. Ugly!
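An added example (not code from the original post, and not Google's code) of why splitting escaping across server and client multiplies the places to get it wrong: the same user-supplied string needs a different filter for a JSON-in-script context than for an HTML body context, and a client sink that trusts the server's JSON encoding still ends up with raw markup. The comment string is constructed for the demonstration.

```javascript
// HTML element body context: neutralise the tag and entity metacharacters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;'
  })[c]);
}

// JSON / JavaScript string context: JSON.stringify escapes quotes and backslashes
// but leaves "<" and ">" alone, so a "</script>" inside the value would still close
// an inline script block. Encoding those (and U+2028/2029, which break JS string
// literals) as \uXXXX keeps the output valid JSON while making it inert in a page.
function escapeJsonForScript(value) {
  return JSON.stringify(value).replace(/[<>\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Server side: builds the AJAX response body the client will consume.
function buildResponse(comment) {
  return escapeJsonForScript({ comment });
}

// Client side: JSON.parse undoes the server's encoding, so an HTML sink needs
// HTML escaping again. The "unsafe" renderer is the pattern the post warns about:
// the developer assumed the server had already taken care of it.
function renderUnsafe(json) {
  const data = JSON.parse(json);
  return '<p>' + data.comment + '</p>';
}

function renderSafe(json) {
  const data = JSON.parse(json);
  return '<p>' + escapeHtml(data.comment) + '</p>';
}

// Constructed sample: a comment that carries markup.
const sampleJson = buildResponse('</script><b>x</b>');
console.log(sampleJson);            // no raw "<" or ">" survives in the JSON
console.log(renderUnsafe(sampleJson)); // markup comes back raw: <p></script><b>x</b></p>
console.log(renderSafe(sampleJson));   // markup is neutralised as &lt;...&gt;
```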

Think about other places where muddying the water has become an issue - Firefox plugins and PHP plugins. Need I say more? Since they are different developers with different skillsets they will no doubt miss the security aspects. Since it’s two developers instead of one (as JavaScript and the server side code are most likely different languages) you’re twice as likely to have security holes.

So while I don’t think AJAX adds any additional attack vectors it definitely does increase the attack surface area and the potential for exploitation. Further attacks against web 2.0 technologies will be released in the future as browser technology evolves but for now things are about the same as they have been for traditional web applications. Muddying the water is bad, trust me.
