OWASP – Ajax Security
Roberto Suggi Liverani, Security Consultant, Security-Assessment.com
5 December 2007
Who am I?
- Roberto Suggi Liverani, Security Consultant, CISSP, Security-Assessment.com
- 4+ years in information security, focusing on web and network security
- OWASP New Zealand leader
Agenda
Ajax
- What is Ajax?
- Ajax components
- Traditional web model vs Ajax web model
- Why is Ajax used?
- Who is using Ajax?
Ajax Security
- Ajax and security – server of origin policy
- Real attack examples (Samy worm, Yamanner, Nduja – webmail XSS worm)
- Web worms – comparison
Introduction
What is Ajax?
- Ajax is not synonymous with Web 2.0
- Ajax = Asynchronous JavaScript And XML
- Ajax is a group of technologies combined together to create new ways of interaction
- Term coined by Jesse James Garrett of Adaptive Path (February 2005)
Before Ajax:
- DHTML
- Macromedia Flash 4
- Microsoft Remote Scripting
- Microsoft XMLHttpRequest object
- Object element in HTML 4
- Document Object Model Level 3
Ajax Components (cont.)
- HTML/XHTML – necessary to display the information
- JavaScript – necessary to initiate the client-server communication and manipulate the DOM to update the web page
- Document Object Model (DOM) – necessary to change portions of an XHTML page without reloading it
- Server-side processing – there is no Ajax without a stable, responsive server waiting to send content to the engine
Ajax Components
- Cascading Style Sheets (CSS) – in an Ajax application, the styling of the user interface may be modified interactively through CSS
- Extensible Markup Language (XML) – data exchange format
- Extensible Stylesheet Language Transformations (XSLT) – transforms XML to XHTML
- XMLHttpRequest object – allows retrieving data from the web server as a background activity
Ajax Components – Simple Diagram
Let’s define Ajax:
- The browser hosts an application, not content – a “rich” client application is delivered to the browser and it is able to handle input, respond or wait for requests
- The server delivers data, not content – the role of the server is only to send data; the client is a “rich” client and processes the data
- User interaction with the application can be fluid and continuous – asynchronous data transfers allow new ways of interaction like drag and drop and double clicking; traditional web = click-and-wait
- This is real coding and requires discipline – high-performance and maintainable code are the main requirements for Ajax applications
Traditional Web Model vs Ajax Web Model
Classic Web Model – Usability/Time
Ajax Web Model – Usability/Time
Why is Ajax used?
- Speed – only the data (or parameters) required are posted
- Reduced network traffic – less data exchanged between client and server
- Interactivity – the user doesn’t click and wait; the user drags and drops
- Functionality – richer client with more features available
- Usability – easy to use: friendly interface and content updated “on-the-fly”
Who is using Ajax? And many others…
Let’s talk about Ajax and security…
- Many of the security issues that an Ajax application faces are the same as for a classical web application
- So let’s talk about a specific security issue which relates to Ajax applications: the server of origin policy
Server of origin policy
- The JavaScript security model prevents scripts from different domains from interacting with one another
- An Ajax application can’t read or write to the local filesystem
Ajax and Security – Server of origin policy
Examples of cross-browser security policy:

URLs | Cross-scripting allowed? | Comments
http://www.example.com:8080/script1.js and http://www.example.com/script2.js | No | Port number doesn’t match.
http://www.example.com/script1.js and https://www.example.com/script2.js | No | Protocol type doesn’t match.
http://www.example.com/script1.js and http://192.168.0.10/script2.js | No | Browser will not perform domain name resolution.
http://sub.example.com/script1.js and http://www.example.com/script2.js | No | Subdomains are treated as separate domains.
http://www.example.com/hello/script1.js and http://www.example.com/bye/script.2.js | Yes | Domain name is the same.
http://www.example2.com/script1.js and http://www.example1.com/script2.js | No | Different domain names.
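As an added example (not part of the original slides), the following JavaScript encodes the rules of the table above as a function: protocol, hostname and port must all match, the path is ignored, and hostnames are compared as text rather than resolved. It uses the standard WHATWG URL class, which also normalises default ports, so it goes slightly beyond the table by treating http://www.example.com:80/ and http://www.example.com/ as the same origin. The case list is constructed from the table.

```javascript
// Added example: same-origin check modelled on the policy table above.
// Not from the original slides. Uses the standard WHATWG URL parser
// (global in modern browsers and in Node.js 10+).

// The origin is the (protocol, hostname, port) tuple. URL leaves `port`
// empty for the scheme's default port, so http://host:80 and http://host
// compare equal. The path is deliberately not part of the origin.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

// True when a script loaded from `a` may read from or write to `b`.
// Hostnames are compared as strings: the browser does not resolve
// www.example.com to find out whether it is 192.168.0.10.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed cases mirroring the slide's table, plus one default-port case.
const POLICY_CASES = [
  ['http://www.example.com:8080/script1.js', 'http://www.example.com/script2.js', false, 'port number does not match'],
  ['http://www.example.com/script1.js', 'https://www.example.com/script2.js', false, 'protocol type does not match'],
  ['http://www.example.com/script1.js', 'http://192.168.0.10/script2.js', false, 'no domain name resolution'],
  ['http://sub.example.com/script1.js', 'http://www.example.com/script2.js', false, 'subdomains are separate domains'],
  ['http://www.example.com/hello/script1.js', 'http://www.example.com/bye/script.2.js', true, 'same domain, path ignored'],
  ['http://www.example2.com/script1.js', 'http://www.example1.com/script2.js', false, 'different domain names'],
  ['http://www.example.com:80/script1.js', 'http://www.example.com/script2.js', true, 'explicit default port is the same origin'],
];

// Runs every case and reports whether sameOrigin agrees with the expected column.
function checkPolicyTable(cases = POLICY_CASES) {
  return cases.map(([a, b, expected, reason]) => {
    const actual = sameOrigin(a, b);
    return { a, b, reason, expected, actual, ok: actual === expected };
  });
}

// Stand-alone run: one line per case.
for (const r of checkPolicyTable()) {
  console.log(`${r.ok ? 'PASS' : 'FAIL'} ${r.a} vs ${r.b}: ${r.actual} (${r.reason})`);
}
```

The check is deliberately a strict tuple comparison; any relaxation (suffix matching on hostnames, ignoring the port) reintroduces exactly the cases the table marks as "No".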
Ajax and Security – Server of origin policy
So is it possible to bypass or avoid this security control? Yes – there are multiple ways.
Developer workaround: proxying remote services
- Make a call to the remote server from our own server rather than from the client, and then forward it on to the client
- Example: http://website1/proxy?url=http://website2/
User workaround: change browser security settings
- IE: allow permission to execute code from one security zone in another. The user is presented with a popup security warning.
- Firefox: PrivilegeManager needs to be configured accordingly. The value signed.applets.codebase_principal_support should be set to “true”
Attacker workaround: sending an email
- This technique is shown in the case study of Nduja, the webmail XSS worm of Rosario Valotta
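The proxy workaround moves the cross-domain fetch onto the server, so the server must decide which targets it is willing to fetch: a proxy that forwards whatever the url parameter names lets any client use the server to reach hosts it could never reach directly, including ones on the server's own network. The following is an added example, not the slides' own code or a specific product's: a validator for the url parameter of a proxy endpoint like the http://website1/proxy?url=... one above. The allow-list, the website2 origin and the function names are assumptions for illustration.

```javascript
// Added example (not from the original slides): validating the `url`
// parameter of a proxy endpoint such as http://website1/proxy?url=...
// before the server fetches it. The allow-list and names are assumptions.

// Origins the proxy is allowed to fetch from (constructed sample).
const ALLOWED_ORIGINS = new Set(['http://website2', 'https://website2']);

// Returns { ok: true, target } when the URL is acceptable, otherwise
// { ok: false, reason } so the endpoint can log why it refused.
function validateProxyTarget(rawUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  // Only plain web schemes; anything else (file:, ftp:, ...) has origin "null".
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  }
  // Embedded credentials (http://website2@other-host/) make a URL look like
  // it points at the allowed host while the real hostname is after the @.
  if (u.username || u.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  // Compare the full origin (scheme + host + port), never a substring or
  // prefix of the hostname, so website2.evil.example does not pass.
  if (!allowedOrigins.has(u.origin)) {
    return { ok: false, reason: `origin ${u.origin} not in allow-list` };
  }
  return { ok: true, target: u.href };
}

// Convenience wrapper for the yes/no question.
function isAllowedProxyTarget(rawUrl, allowedOrigins) {
  return validateProxyTarget(rawUrl, allowedOrigins).ok;
}

// Stand-alone run over constructed inputs.
const SAMPLE_TARGETS = [
  'http://website2/api/items?id=7',
  'https://website2:443/api/items',
  'http://website2:8080/api/items',
  'http://192.168.0.10/admin',
  'http://website2.evil.example/',
  'http://website2@evil.example/',
  'file:///etc/passwd',
  'not a url',
];
for (const t of SAMPLE_TARGETS) {
  const r = validateProxyTarget(t);
  console.log(`${r.ok ? 'ALLOW' : 'DENY '} ${t}${r.ok ? '' : ' (' + r.reason + ')'}`);
}
```

Because the comparison is on u.origin, an explicit default port (https://website2:443) is accepted while a non-default port (http://website2:8080) is refused unless it is listed separately; the proxy should also impose its own timeouts and response-size limits, which this snippet does not cover.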
Real attack examples
Ajax seen by an attacker:
- Grouped technologies mean there are more elements to attack – increased attack surface
- New ways of interaction mean more complexity. Consequently, there are more chances for developers to make mistakes, like exposing internal functions of the application
- The application is delivered to the browser. The attacker controls the functionality of the application
- An Ajax application is still a web application – traditional web attack techniques can be used
Let’s go through three real examples of attacks involving Ajax:
- Samy worm
- Yamanner worm
- Nduja – webmail XSS worm
Ajax Security – Case Study – Samy worm
- Started as a joke
- Inserted HTML and JavaScript through MySpace’s profile editor
- Automated the friend selection process: instead of someone selecting Samy as a friend, the worm automated the procedure with JavaScript
- The result of the code injection made the visitor and all the visitor’s friends befriend Samy when visiting Samy’s page. Samy automatically also became their “hero”.
Ajax – Case Study – Samy worm (cont.)
Impact: “In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community”
Screenshot showing list of Myspace profiles infected by Samy Worm
And today there are still Myspace accounts with Samy as a hero! 532 results with live.com
Ajax – Case Study – Samy worm
What we learnt from the Samy worm technique:
- Embedding JavaScript in CSS tags
- Used “java\nscript” to avoid MySpace’s stripping of the string “javascript”
- Used JavaScript String.fromCharCode to produce quote characters (‘’) from character codes and avoid restrictions on quotes
- Used the XML-HTTP object with both HTTP GETs and POSTs from/to the victim’s profile
Worm source code: http://namb.la/popular/tech.html
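The “java\nscript” and String.fromCharCode points above show why stripping a blacklisted substring is not a defence: the filter looks for one literal token, while the browser normalises the URL before reading its scheme and will happily assemble quotes at runtime. As an added example (neither the worm's code nor MySpace's actual filter), here is a constructed stand-in for a substring-stripping filter beside two checks that hold up: scheme validation that applies the same tab/newline removal browsers apply to URLs, and context-appropriate output encoding, which makes a string inert regardless of which tokens it contains. The sample inputs and function names are constructed for illustration.

```javascript
// Added example (not code from the worm or from MySpace): why a filter that
// strips the substring "javascript" fails, and what holds up instead.

// Constructed stand-in for a substring-stripping filter of the kind the
// slide describes. It only ever sees the literal token.
function stripJavascriptToken(value) {
  return value.replace(/javascript/gi, '');
}

// Browsers remove ASCII tab, LF and CR anywhere in a URL and strip leading
// control characters and spaces before reading the scheme, which is why
// "java\nscript:" still runs. Apply the same normalisation before deciding.
function normalisedScheme(value) {
  const cleaned = value.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : ''; // '' means a relative URL
}

// Allow-list the schemes a user-supplied link may use; anything else is
// refused rather than "cleaned".
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
function isSafeLink(value) {
  const scheme = normalisedScheme(value);
  return scheme === '' || SAFE_SCHEMES.has(scheme);
}

// Output encoding for HTML text and quoted-attribute context. Every
// character that can change the markup structure is encoded, so the result
// is inert however it was built (String.fromCharCode, split tokens, ...).
function escapeHtml(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed inputs: the slide's split-token trick and ordinary links.
const SAMPLES = [
  'java\nscript:void(0)',
  'http://www.example.com/profile',
  '/relative/path',
];

// For each sample: what the stripping filter leaves behind, whether that
// leftover is still a javascript: URL once normalised, and what the
// scheme allow-list says.
function report(samples = SAMPLES) {
  return samples.map((s) => {
    const stripped = stripJavascriptToken(s);
    return {
      input: JSON.stringify(s),
      afterStrip: JSON.stringify(stripped),
      stillExecutable: normalisedScheme(stripped) === 'javascript',
      safeLink: isSafeLink(s),
    };
  });
}

for (const r of report()) {
  console.log(r);
}
```

The first sample passes the stripping filter untouched yet normalises to the javascript scheme, which is the gap the worm used; the allow-list check refuses it because it decides on the normalised scheme rather than on the presence of a token. Where the value is rendered as text rather than used as a link, escapeHtml is the right tool, and the two are complementary rather than alternatives.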
Ajax – Case Study – Yamanner worm
- Exploits a vulnerability in the onload event handling of Yahoo! Mail and then executes a script
- Scans emails in the personal folders of the Yahoo! Mail account
- Sends a copy of itself to the email addresses gathered
- Redirects the web browser from Yahoo! Mail to the following web site: [http://]www.av3.net/index.htm
- Sends the list of gathered email addresses to the above URL
Ajax – Case Study – Yamanner worm
Impact: the number of Yahoo! users hit by this worm is unknown. Harvested addresses from the address book were then submitted to a remote URL, which was likely used for a spam database.
What we learnt?
- A large email provider does not guarantee security – a Yahoo! Mail software vulnerability was exploited in this case
- XML GET to retrieve contact addresses and use of window.navigate to send data to a third-party site
Source code example:
- http://archives.neohapsis.com/archives/incidents/2006-06/0028.html
- http://groovin.net/stuff/yammer.txt
Ajax – Case Study – Nduja – Webmail XSS worm
- Probably the first cross-domain worm
- Worm developed as a PoC by Rosario Valotta
- Tested on four webmail services in Italy: Libero.it, Tiscali.it, Lycos.it, Excite.com
- Exploits XSS vulnerabilities in the webmail applications and then:
  - Steals e-mails from the Inbox
  - Steals email addresses from the contact list
  - Self-propagates to contacts
Ajax Security – Case Study – Nduja – Webmail XSS Worm
Impact: the worm is able to capture emails and contact addresses from four different domains and post them to a third-party site.
What we learnt?
- It is possible to create cross-domain worms exploiting multiple XSS vulnerabilities at the same time in different domains
- The server of origin policy is bypassed using a feature of the targeted application (the email function)
- The malicious script checks the domain and then applies the corresponding XSS attack
Extracts of source code: http://rosario.valotta.googlepages.com/home
Nduja - Webmail XSS Worm Demo
Web worms – Comparison
So the question is: can you think about the impact of the next cross-domain web worm?

Worm | Target domain(s) | Cross domain? | Impact
Samy worm | Myspace.com | No | 1 million users affected
Yamanner worm | Yahoo.com | No | Unknown number of Yahoo users affected
Nduja worm | Tiscali.it, Libero.it, Lycos.it, Excite.com | Yes | N/A – this is a PoC
Questions/Conclusion Thank you! [email_address]
References – Misc.
- Stefano Di Paola, Giorgio Fedon – Subverting Ajax – Whitepaper
- Andrew Van Der Stock – Ajax Security – Presentation
- Billy Hoffman – Ajax Security Dangers – Whitepaper
- Billy Hoffman – Analysis of Web Application Worms and Viruses – Whitepaper
- Alex Stamos, Zane Lackey – Attacking AJAX Web Applications – Presentation
References – Misc.
- AJAX Security – http://www.cgisecurity.com/ajax/
- Ajax Security Basics – http://www.securityfocus.com/infocus/1868/2
- MySpace Worm Explanation – http://namb.la/popular/tech.html
- Adaptive Path – http://www.adaptivepath.com/ideas/essays/archives/000385.php
- Nduja Connection – http://rosario.valotta.googlepages.com/home
- Yamanner Worm – http://www.symantec.com/security_response/writeup.jsp?docid=2006-061211-4111-99
References – Books
- Christopher Wells – Securing Ajax Applications – O’Reilly
- V.A. – The Professional Ajax, 2nd edition – Wrox
- V.A. – Ajax In Action – Manning
Table of Figures
- Slide 7 – from Ajax In Action, Manning
- Slide 9 – The Professional Ajax, 2nd edition, Wrox
- Slide 10 – Adaptive Path web site – http://www.adaptivepath.com/ideas/essays/archives/000385.php
- Slide 11 – Adaptive Path web site – http://www.adaptivepath.com/ideas/essays/archives/000385.php
- Slide 19 – RSnake web site – http://ha.ckers.org/blog/20070319/samy-worm-analysis/
