Ajax security surprises: web-aggregators, offline applications and frameworks

I'm still absorbing the densely packed information from "Ajax Security," the first-rate book by Billy Hoffman and Bryan Sullivan that I recently recommended in these pages. Here, in no particular order, are three of the most surprising lessons imparted by Messrs. Sullivan and Hoffman:
Web aggregators and SSL
This is probably a great big "duh" to some developers, but web aggregators such as iGoogle and NetVibes often compromise the security of otherwise SSL-encrypted web applications when funneling content from them to your personalized homepage:
Now, consider what happens when you use a Gmail widget on an aggregate site like NetVibes. Sharp-eyed readers will notice the URL for NetVibes ... is http://www.netvibes.com. This is not an encrypted connection! NetVibes sends user data in the clear from the aggregate to the user.... NetVibes makes an SSL connection to Gmail, and then NetVibes degrades the level of security by transmitting the data over an unencrypted connection. Our attacker ... can steal the data much more easily now. NetVibes is not providing the same level of security that a user would receive if he accessed Gmail directly. This situation is not unique to NetVibes and Gmail.... At the time of publication, every major aggregate Web site the authors examined downgraded security on data from secure sources. [emphasis theirs]
Offline applications and client-side validation
Security experts, including Hoffman and Sullivan, have long trumpeted the danger of relying on client-side input validation without parallel server-side validation. But with offline applications, they argue, client-side validation becomes absolutely necessary:
[O]ffline Ajax frameworks increase the client's role in business logic. In fact, offline Ajax applications strive to make the concept of online or offline completely transparent to the user.... [T]his means the user is interacting with client-side code, which stores everything the user is doing and synchronizes the data with the Web server when the client connects to the Internet. If no client-side input validation occurs, then the client-side logic is vulnerable to all kinds of parameter manipulation attacks.... Ajax applications already push more of a Web application to the client, and offline Ajax applications do push even more logic to the client. Just as we perform whitelist input validation on the server for security purposes, developers must perform client-side validation to ensure the security of their offline Ajax applications.
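As an added illustration of the point above (example code, not from the book or the post), a constructed offline order queue applies the same whitelist validation twice: when a record is queued, and again when the stored records are read back to build the sync payload, because client-side storage is under the user's control and can be edited between those two moments. The schema, field names and the in-memory stand-in for localStorage are all assumptions made for the example.

```javascript
// Added example, not from the book or the post. ORDER_SCHEMA, the field names
// and memoryStorage() are constructed for illustration.
const ORDER_SCHEMA = {
  // field name -> validator that returns true only for acceptable values
  sku: (v) => typeof v === "string" && /^[A-Z]{3}-\d{4}$/.test(v),
  quantity: (v) => Number.isInteger(v) && v >= 1 && v <= 100,
  note: (v) => typeof v === "string" && v.length <= 80 && /^[\w .,!?-]*$/.test(v),
};

// Whitelist check: every field must be known and valid, no field may be
// missing and no extra field (e.g. an injected "isAdmin") may be present.
function validateOrder(record) {
  if (record === null || typeof record !== "object") return false;
  const keys = Object.keys(record);
  if (keys.length !== Object.keys(ORDER_SCHEMA).length) return false;
  return keys.every((k) => Object.prototype.hasOwnProperty.call(ORDER_SCHEMA, k)
    && ORDER_SCHEMA[k](record[k]));
}

class OfflineOrderQueue {
  constructor(storage) { this.storage = storage; }
  // Validate before writing to client-side storage.
  enqueue(record) {
    if (!validateOrder(record)) return false;
    const pending = JSON.parse(this.storage.getItem("pending") || "[]");
    pending.push(record);
    this.storage.setItem("pending", JSON.stringify(pending));
    return true;
  }
  // Validate again when reading back: anything altered while stored is dropped
  // before it is sent to the server (which must still validate on its side).
  buildSyncPayload() {
    let pending;
    try { pending = JSON.parse(this.storage.getItem("pending") || "[]"); }
    catch (e) { pending = []; }
    const all = Array.isArray(pending) ? pending : [];
    const valid = all.filter(validateOrder);
    return { orders: valid, dropped: all.length - valid.length };
  }
}

// Constructed in-memory storage with the getItem/setItem shape of localStorage.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```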
Ajax frameworks and function clobbering
When an attacker gains access to a web server and appends JavaScript code to a running Ajax application, it's much easier to inflict damage on apps that employ well-known JavaScript frameworks:
[T]his works with any framework and almost any JavaScript function.... Consider Dojo.Storage, which provides an abstraction layer to the various mechanisms for client-side storage.... Ironically, most of the functions to access client-side storage methods cannot be hooked because of how they are implemented. We cannot, for example, clobber the ActionScript functions exposed by a Flash object from browsers that we can clobber. Thus we cannot hook reads and writes on the document.cookie object (at least we can't for all browsers). However, by hijacking the abstraction function in Dojo.Storage, attackers can intercept all data as it moves in and out of client-side storage, regardless of where the data is actually stored on the client. Essentially, certain browser functionality cannot be shimmed directly for all browsers, but frameworks that abstract this functionality can, themselves, be shimmed, accomplishing the same thing. Even worse ... shim code that hijacks frameworks isn't Web site or domain specific. The same payload can be used against multiple Web sites.
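To make the defensive side of this concrete, here is an added example (not from the book, the post, or Dojo itself) with a constructed storage facade standing in for a framework abstraction layer. Two protections are applied from the application's own code before any third-party script runs: the facade is frozen so its methods cannot be reassigned, and the genuine function references are captured so a tripwire can report any method whose identity has changed. The facade's put/get API and the guard helpers are assumptions of the example.

```javascript
// Added example, not from the book or the post. createStorageFacade() is a
// constructed stand-in for a framework storage abstraction, not Dojo's API.
function createStorageFacade() {
  const backing = new Map();  // stands in for cookies, Flash or other stores
  return {
    put: (key, value) => { backing.set(key, String(value)); return true; },
    get: (key) => (backing.has(key) ? backing.get(key) : null),
  };
}

// Capture the genuine method references early (the guard keeps its own
// reference to the facade object, so replacing a global that points to it
// does not fool the check) and optionally freeze the facade.
function guardFacade(facade, { freeze } = { freeze: true }) {
  const originals = Object.keys(facade).map((k) => [k, facade[k]]);
  if (freeze) Object.freeze(facade);  // later assignments are ignored or throw
  return {
    // Tripwire: names of methods whose identity no longer matches the original.
    tamperedMethods: () => originals.filter(([k, fn]) => facade[k] !== fn)
                                    .map(([k]) => k),
  };
}

// Test helper that tries to reassign a method and reports whether the
// reassignment took effect. try/catch covers the strict-mode TypeError that
// a frozen object raises; in sloppy mode the assignment fails silently.
function tryReplaceMethod(obj, name, replacement) {
  try { obj[name] = replacement; } catch (e) { /* frozen, strict mode */ }
  return obj[name] === replacement;
}
```

Freezing stops in-place reassignment only; code that can run before the guard, or that swaps the variable holding the facade, still needs the early-capture tripwire and, ultimately, server-side trust boundaries.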
The book itself, of course, documents dozens more specific security vulnerabilities - as well as best practices for protecting your application against them. I said it before, and I'll say it again: "Ajax Security" is required reading for any professional software engineer.
(On a totally unrelated note, I loved the authors' repeated shoutouts in their example code to Brad Neuberg, author of Dojo.Offline and creator of Really Simple History.)
Topics: Best Practices, Books, Review, Security
I haven’t seen the book yet; are they positive or negative shoutouts?
Brad
Comment by Brad Neuberg, Thursday, January 31, 2008 @ 5:54 pm
@Brad: Kind of … Neutral. Your name pops up in example code, and so, I think, does the Coding in Paradise URL. It’s more in-jokey than anything. They talk a lot about Dojo Storage and Dojo Offline, so obviously they know your work.
Comment by Brian Dillard, Tuesday, February 5, 2008 @ 4:42 pm