This document discusses security considerations for AJAX applications. It notes that while AJAX itself is not inherently less secure, the increased complexity presents extra risks. Typical vulnerabilities include XSS and SQL injection from user input, and unauthorized access to files on the server. Popular CMS platforms like WordPress that include AJAX functionality can be targets if not updated properly. A common scenario involves credentials being displayed unencoded in URLs and then sent back to servers without authentication, allowing hacking. The document provides recommendations like proper user input validation, authentication, authorization, and use of HTTPS to help secure AJAX applications.

1. AJAX and Security
Considerations
@irishwonder LAC2016

2. Why Security Matters
• Hacking on the rise
• Hacked sites lose traffic
• downtime
• security warnings
• A site getting hacked impacts
its rankings eventually

3. What’s Different about
AJAX?
• No more or less dangerous per se
• However, extra risks due to higher complexity
• Extra considerations to keep in mind

4. AJAX Considerations
• AJAX applications will not run with Javascript
switched off
• Degrade gracefully

5. Typical Risks
• User input (XSS or SQL injection)
• User ID or credentials processing by Javascript
• Unauthorised access to files on the server

6. Typical Victims
• Standalone AJAX applications
• Popular CMS’s with AJAX enhanced functionality
• Wordpress plugins using AJAX

7. Typical Victims

8. Typical Victims

9. More Vulnerable Targets

10. Typical Scenario
• A user is authenticated in the code when the page
is loaded
• A user ID or other credentials are displayed in the
URL unencoded, picked up by Javascipt
• Unencoded and unauthenticated credentials sent
back to server
• HACKED!

11. Insecure WP Plugin
Showcase
RevSlider
• First discovered in 2014
• Affects versions below 4.2
• Affects themes using it
inurl:/wp-admin/admin-ajax.php?action=revslider_ajax_action - to find vulnerable revslider plugins
!

12. The Problem Extent

13. Security Measures
• Proper authentication and authorisation checks
• User input validation against XSS and SQL injection
• Use HTTPS if transmitting sensitive data

14. HTTPS
• Implement correctly
• Double check for consistent implementation
throughout the site
• Incorrect implementation results in additional
security risks and hurts SEO performance

15. Plugins and Themes
• Know what you use
• Update to the latest (patched) versions

16. Bonus!
• Showcase: RevSlider vulnerability story
http://securityaffairs.co/wordpress/35431/cyber-crime/
revslider-plugin-vulnerable.html
• How to update a plugin if it’s included in a theme
http://www.themepunch.com/faq/update-plugin-packaged-
theme/
• Free website malware and security scanner
https://sitecheck.sucuri.net/ (WARNING: will not catch all
security issues but may be of help)
• Test your HTTPS https://www.ssllabs.com/ssltest/index.html

17. @irishwonder BAC, Berlin October 2015
Questions?
Feel free to get in touch!
• info@irishwonder.com
• Twitter: @irishwonder
• Slideshare:
http://www.slideshare.net/irishwonder/
• LinkedIn: linkedin.com/in/irishwonder
• Blogs:
http://www.irishwonder.com/blog/ - general
SEO
http://www.irishwonder.syndk8.co.uk/ -
darker areas
#LAC2016