Monday, January 8, 2007

Ajax Security -- Changing the nature of the Attack Surface...

Jeremiah Grossman of Whitehat Security published an article titled Myth-Busting AJAX (In)security. In this article, he posed two interesting questions (with answers)...

Does AJAX cause a larger “Attack Surface”?
No.

Does AJAX make the “Attack Surface” harder to find?
Yes and No.

Technically, I agree. But Ajax does in fact change the nature of the Attack Surface. In a traditional dynamic, page-based web application, the application reacts to page-level HTTP requests and responds with page-level responses: each response is a full page rendered in HTML.

So although it was possible, those responses were not easy to digest programmatically unless the relevant elements were tagged with explicit ids, names, or class identifiers.

With Ajax, the request/response food chain behaves more like a library of API function calls, which is what makes those entry points more attractive. So security vulnerabilities like the one found in Gmail are easy to exploit and take advantage of.

To eliminate or minimize these types of problems, developers must treat every Ajax entry point as if it's a published and self-documented API function call. Assume that somebody, somewhere will figure out how to call your API out of context, and take steps to make that risk as close to zero as possible.
