1/3/2008
Hoffman demo'd what he was talking about in the form of a sample AJAX travel Web site, Hacker Vacations.com, "Where You Can Name Your Own Price." The site lets you find flights and place bids on seats. He built it using "expert" advice from popular books, how-to articles and forums. None of its flaws were introduced on purpose.
Hackers Love Firebug
Hoffman showed how the Web site was riddled with typical security defects. He looked at the underlying code using Firebug. "It makes my job [as a hacker] so easy," he said. This free tool lets you edit, debug, and monitor CSS, HTML and JavaScript live in any Web page.
He used Firebug's Inspect on FindFlights, showing that you cannot trust anything you put in the client to hide your code from even amateur hackers. He hit Ctrl-U to see the "hidden" source, then inserted a breakpoint in the code. Then, using Firefox, he unearthed a giant dataset table that came back from the server underneath the "available flights" actually displayed.
"I just got access to more flights than the app is supposed to give me access to," he explained. He then was able to manipulate the AJAX calls to hold particular seats.
Hoffman said a client-side pricing attack was done in 1997 against CD Universe, in which a hacker was able to buy CDs for one cent for three months until the scam was discovered. Hoffman did the same thing with seat pricing on his demo app, pointing out that "I can tamper with variable values while they're being used in Web 2.0."
In Web 1.0, such functionality lived on the server. Now it is being pushed out to the perimeter, the client, which gives attackers a blueprint of how to use your app.
Hackers Love Granular APIs
Hoffman calls it the "API Domino Effect." He uses Firebug to look for the callback function to see what's coming back from the server. In this way, he gains access to holdSeat(flightID), thence to makeOffer(price,flightID), thence to bookSeat(flightID) and finally to pay dirt: debitAccount(price).
From a security viewpoint, the APIs are too granular, with too much exposed on the client. Coders will throw everything into one file, and then reference it from parts of the Web site that are public. He showed a real-world example that let him use SQL commands to get valuable passwords, and how an exposed administrative API let him get into SetPrivateData on the server when he was supposed to only be able to access GetPublicData.
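The two defects described above, a client-supplied price reaching debitAccount(price) and a booking API that does not check who owns a hold, can be seen side by side in the following added example (constructed for this article, not Hoffman's demo code). The flight, account and hold data are made-up sample values; prices are integer cents to avoid floating-point money bugs.

```javascript
// Constructed sample state standing in for the server's database.
const flights = { F100: { priceCents: 45000, seatsLeft: 2 } }; // server-side truth
const accounts = { alice: { balanceCents: 100000 } };
const holds = {}; // holdId -> { user, flightId }
let nextHold = 1;

// holdSeat(flightID) from the talk: returns an opaque hold id tied to the user.
function holdSeat(user, flightId) {
  const f = flights[flightId];
  if (!f || f.seatsLeft < 1) throw new Error("no seats");
  const id = `H${nextHold++}`;
  holds[id] = { user, flightId };
  return id;
}

// Vulnerable pattern: the price arrives in the AJAX request, so anyone
// editing variables in Firebug can pay one cent, exactly as in the demo.
function bookSeatInsecure(user, { holdId, priceCents }) {
  const hold = holds[holdId];
  if (!hold) return { ok: false, reason: "unknown hold" };
  accounts[user].balanceCents -= priceCents; // client value never validated
  flights[hold.flightId].seatsLeft -= 1;
  delete holds[holdId];
  return { ok: true, chargedCents: priceCents };
}

// Hardened version: the hold must belong to the session user, and the
// amount charged is always the server's own price for that flight.
function bookSeatSecure(user, { holdId, priceCents }) {
  const hold = holds[holdId];
  if (!hold || hold.user !== user) return { ok: false, reason: "not your hold" };
  const serverPrice = flights[hold.flightId].priceCents;
  if (priceCents !== undefined && priceCents !== serverPrice) {
    // A mismatch means the client changed the price: reject and log it.
    return { ok: false, reason: "price mismatch" };
  }
  const acct = accounts[user];
  if (!acct || acct.balanceCents < serverPrice) return { ok: false, reason: "insufficient funds" };
  acct.balanceCents -= serverPrice;
  flights[hold.flightId].seatsLeft -= 1;
  delete holds[holdId];
  return { ok: true, chargedCents: serverPrice };
}
```

The secure handler also illustrates the fix for the "API domino effect": the client only ever sends an opaque hold id, so there is no client-visible debitAccount(price) call to chain into.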
Obfuscation and Lazy Loading Won't Guard Code
Next Hoffman showed how hackers defeat logic protection through obfuscation, which encrypts code, and lazy loading, which defers object initialization until the time it's needed. He showed how easily some obfuscation can be undone using a JS parser he'd written. He did concede that Firebug can't debug dynamic code, including JSON responses, remote scripting and lazy loading. It's a matter of "view source" versus "view generated source." Consequently, you need a way to monitor JavaScript environments at runtime.