GWT: Advanced AJAX Security
Billy Hoffman gave a talk on advanced AJAX security at the recent Google Web Toolkit (GWT) conference in San Francisco. Hoffman manages HP Security Labs, which was SPIDynamics until HP acquired it this year, along with Hoffman. He focuses on automated discovery of Web application vulnerabilities and Web crawling technologies.
Hackers Love AJAX
According to Hoffman, AJAX is a hacker's dream come true. It offers an increased "attack surface," direct Application Programming Interface (API) access, vulnerability to reverse engineering, susceptibility to amplifying Web attacks and vulnerability to offline attacks. He said Microsoft is the worst at opening the door to hackers because nearly everything with Structured Query Language (SQL) statements is SQL-injectible, allowing direct access to the database server. Plus, he said, "much expert advice is blatantly wrong."
Hoffman demo'd what he was talking about in the form of a sample AJAX travel Web site, Hacker Vacations.com, "Where You Can Name Your Own Price." The site lets you find flights and place bids on seats. He built it using "expert" advice from popular books, how-to articles and forums. Nothing bad was cooked on purpose.
Hackers Love Firebug
He used Inspect for FindFlights, showing that you cannot trust that anything you put in the client will hide your code from even amateur hackers. He hit "CTL-U" to see "hidden" source, and then inserted a breakpoint in the code. Then, using Firefox, he unearthed a giant dataset table that got returned underneath the "available flights" actually displayed.
"I just got access to more flights than the app is supposed to give me access to," he explained. He then was able to manipulate the AJAX calls to hold particular seats.
Hoffman said a client-side pricing attack was done in 1997 against CD Universe, in which a hacker was able to buy CDs for one cent for three months until the scam was discovered. Hoffman did the same thing with seat pricing on his demo app, pointing out that "I can tamper with variable values while they're being used in Web 2.0."
In Web 1.0, such functionality was mapped in the server. But now it's being pushed to the perimeter. It gives attackers a blueprint of how to use your app.
Hackers Love Granular APIs
Hoffman calls it the "API Domino Effect." He uses Firebug to look for the callback function to see what's coming back from the server. In this way, he gains access to holdSeat(flightID), thence to makeOffer(price,flightID), thence to bookSeat(flightID) and finally to pay dirt: debitAccount(price).
From a security viewpoint, the APIs are too granular, with too much exposed on the client. Coders will throw everything into one file, and then reference it from parts of the Web site that are public. He showed a real-world example that let him use SQL commands to get valuable passwords, and how an exposed administrative API let him get into SetPrivateData on the server when he was supposed to only be able to access GetPublicData.
Obfuscation and Lazy Loading Won't Guard Code
Stop JSON Hijacking
In general, Hoffman says that if you want to secure AJAX applications you must do six things:
- Perform authentication/authorization checks on both Web pages and Web services.
- Group code libraries by function.
- Validate all input for your application, including HTTP headers, cookies, query string and POST data.
- Verify data type, length and format.
- Always use parameterized queries.
- Always encode output appropriately.
He wound up by touting the new book he coauthored, Ajax Security. He certainly made a case for AJAX developers thinking long and hard about this topic.