
AJAX and its security issues

- Acronym for Asynchronous JavaScript and XML.
- A group of technologies: JS, CSS, HTML, DOM, XML.
- Sends and receives data asynchronously without reloading the page.
- Sends only the important information.

Where is it used?
- Gmail, Facebook, Twitter, Google Maps.

Difference between a classic web application and an AJAX web application

Classic web application:
- Synchronous interaction with the server.
- A synchronous request blocks the client (browser) until the operation completes.
- The browser's JavaScript engine is blocked.

Fig: Synchronous interaction with server.


AJAX web application:
- Asynchronous interaction with the server.
- An asynchronous request does not block the client (browser).
- The browser's JavaScript engine is not blocked.

Fig: Asynchronous interaction with server


Classic web application:
- The full page is refreshed at request time.
- The user/browser is blocked until the request completes.

Fig: Synchronous interaction with server

AJAX web application:
- The full page is not refreshed at request time.
- The user gets the response from the Ajax engine.
- The Ajax engine allows the user to interact with the application without constant interaction with the server.

Fig: Asynchronous interaction with server
AJAX technologies:
- Ajax is not a single technology; it is a group of technologies.
- Ajax technologies include:
  a. HTML/XHTML and CSS: displaying content and styles.
  b. DOM: dynamic display and interaction with data.
  c. XML/JSON: carrying data to and from the server.
  d. XMLHttpRequest: asynchronous communication between server and client.
  e. JavaScript: brings all the above technologies together. Mainly used for client-side validation.

How AJAX works:
- At the beginning of the session the browser loads the web page and the Ajax engine.
- The Ajax engine communicates with the server using the XMLHttpRequest object.
- It manipulates the DOM to display the results.

Fig: How AJAX works using XMLHttpRequest object
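The sequence in the figure (Ajax engine sends an XMLHttpRequest, the page keeps running, the callback fires when the response is complete, the DOM is updated), as an added example that is not part of the original slides. The XMLHttpRequest constructor and the target element are passed in, so a small in-memory fake stands in for the browser's object and the code runs offline; the `/api/profile` URLs, the JSON fields and the fake server table are constructed for the example.

```javascript
// Added example, not from the original slides: the classic XMLHttpRequest
// callback pattern with the browser pieces injected so it can run in Node.
// With a real browser you would pass window.XMLHttpRequest and a DOM element.

const DONE = 4;   // XMLHttpRequest.DONE: the response has fully arrived

// Send an asynchronous GET and update `target` when the response arrives.
// The work happens in the onreadystatechange callback; the call itself
// returns immediately, which is why the browser's JS engine is not blocked.
function loadProfile(XhrCtor, url, target, onError) {
  const xhr = new XhrCtor();
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== DONE) return;              // still in flight
    if (xhr.status !== 200) {                         // 404/500, or 0 on network failure
      onError(new Error('request failed: HTTP ' + xhr.status));
      return;
    }
    let data;
    try {
      data = JSON.parse(xhr.responseText);            // parse the body; never eval() it
    } catch (e) {
      onError(new Error('response is not valid JSON'));
      return;
    }
    // DOM manipulation step: textContent treats the value as data, not markup.
    target.textContent = data.name + ' (' + data.city + ')';
  };
  xhr.open('GET', url, true);                         // true = asynchronous
  xhr.send(null);
}

// --- Offline stand-ins, constructed for this example -----------------------
// A fake XMLHttpRequest backed by a table of URL -> {status, body}. Responses
// are queued and delivered only when flush() is called, which plays the role
// of the browser's event loop; a real XHR fires the callback at every state
// change, this fake only at DONE.
function makeFakeXhr(routes) {
  const pending = [];
  function FakeXhr() {
    this.readyState = 0; this.status = 0; this.responseText = '';
    this.onreadystatechange = null;
  }
  FakeXhr.prototype.open = function (method, url) { this._url = url; this.readyState = 1; };
  FakeXhr.prototype.send = function () {
    const self = this;
    pending.push(function deliver() {
      const r = routes[self._url] || { status: 404, body: 'Not Found' };
      self.status = r.status; self.responseText = r.body; self.readyState = DONE;
      if (self.onreadystatechange) self.onreadystatechange();
    });
  };
  FakeXhr.flush = function () { while (pending.length) pending.shift()(); };
  return FakeXhr;
}

// Constructed sample server: a valid JSON endpoint, a server error, and an
// endpoint that answers 200 with an HTML login page instead of JSON.
const SAMPLE_ROUTES = {
  '/api/profile?id=42': { status: 200, body: '{"name":"Alice","city":"Turin"}' },
  '/api/profile?id=99': { status: 500, body: '<html>Internal error</html>' },
  '/api/profile?id=7':  { status: 200, body: '<html>Please log in</html>' },
};

// Drive the whole flow for one URL and report what the page showed before
// and after the response was delivered.
function demo(url) {
  const Xhr = makeFakeXhr(SAMPLE_ROUTES);
  const el = { textContent: 'loading...' };           // stands in for a DOM element
  const errors = [];
  loadProfile(Xhr, url, el, function (e) { errors.push(e.message); });
  const before = el.textContent;                      // page is still usable here
  Xhr.flush();                                        // now the response "arrives"
  return { before: before, after: el.textContent, errors: errors };
}
```

`demo('/api/profile?id=42')` returns `{ before: 'loading...', after: 'Alice (Turin)', errors: [] }`: the placeholder is still on screen when `loadProfile` returns, and only the callback changes it. The two failure routes show why the callback must check `status` and guard `JSON.parse`; a session-expired server that redirects to an HTML login page is a common way an Ajax callback receives a 200 that is not JSON.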


Problems with traditional web applications:
- The web page is refreshed each time a response is received.
- Performance suffers because of the long pauses.

Advantages of Ajax web applications over traditional web applications:
- The response time is reduced.
- Small amounts of data are exchanged.
- The web page is not refreshed with each response.
- Improves response time.

AJAX security issues:
1) Increased attack surface:
  - Traditional web applications execute completely on the server.
  - AJAX applications extend across the client and the server.
2) Information leakage:
  - The JavaScript in the Ajax engine receives the user's commands.
  - It makes the JavaScript function calls to the server in clear text.
  - Information about the data is easily accessible.
3) Cross-site scripting:
a) Ajax amplifies XSS:
  - Malicious requests can be made without refreshing the page.
  - In traditional web applications, information theft was limited to passive screen scraping.
  - An attacker can access resources that are not available to passive screen scraping.
b) Injecting and propagating XSS:
  - In traditional web applications, injecting and propagating XSS is done manually.
  - With Ajax applications, XSS can propagate like a virus.
  - Through Ajax requests an XSS payload can autonomously inject itself into pages.
  - It can easily reinject the same host with more XSS.
Example: MySpace.com attack (first public use of Ajax and XSS)
  - A MySpace.com member placed a self-propagating worm (the Samy worm) in his profile.
  - Viewing the profile automatically added the viewer to Samy's "friends" list.
  - The worm code was also copied into the victim's profile.
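The injection point that makes the propagation above possible is the moment an Ajax callback writes a server response into the page as markup. The following added example (not from the original slides) shows a vulnerable comment renderer beside its hardened form; the JSON shape, the `author`/`body` field names and the sample response are constructed for the example. The `<script>` string in the sample stands for any stored markup a profile or comment field might carry.

```javascript
// Added example, not from the original slides. A response field inserted via
// innerHTML is interpreted as HTML for every viewer, so markup stored on the
// server runs in each visitor's browser, and because no reload is needed it
// can issue further Ajax requests silently. Encoding the field first (or
// assigning it with textContent) keeps it as data.

// Minimal HTML entity encoder for text placed inside element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: fields from the Ajax response go straight into markup.
function renderCommentUnsafe(comment) {
  return '<div class="comment"><b>' + comment.author + '</b>: ' + comment.body + '</div>';
}

// Hardened renderer: every untrusted field is encoded before it touches HTML.
function renderCommentSafe(comment) {
  return '<div class="comment"><b>' + escapeHtml(comment.author) + '</b>: ' +
         escapeHtml(comment.body) + '</div>';
}

// What the XMLHttpRequest callback would do with the response body before
// assigning the result to some container's innerHTML.
function renderResponse(responseText, renderer) {
  const comments = JSON.parse(responseText);   // JSON.parse, never eval()
  return comments.map(renderer).join('');
}

// Constructed response: one benign comment and one whose body carries markup,
// as a tampered profile or comment field would.
const SAMPLE_RESPONSE = JSON.stringify([
  { author: 'bob', body: 'Nice profile!' },
  { author: 'mallory', body: '<script>alert(1)</script>' },
]);
```

With `renderCommentUnsafe` the second comment reaches the page as a live `<script>` element; with `renderCommentSafe` the same response renders as the literal text `<script>alert(1)</script>`. The encoding must cover every field the server echoes, `author` included, since any of them can be attacker-controlled.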
4) AJAX bridging:
  - Ajax applications can only connect back to the web site they came from.
  - For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com.
  - The Ajax bridge was introduced to contact third-party sites.
  - An Ajax bridge is a "web service to web service" connection.
Example: Suppose an Ajax-enabled online book store called spibooks.com wants to access some of the web services that majorbooks.com provides.

Fig: AJAX bridge between spibooks.com and majorbooks.com. JavaScript code on spibooks.com reaches majorbooks.com through the bridge; the two sites make an agreement with few restrictions. An attacker can send SQL injection, DoS and XSS attacks through the bridge.
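The bridge in the figure is a server-side endpoint on spibooks.com that forwards calls to majorbooks.com on the browser's behalf, because the browser's same-origin policy (the restriction described in the bridging bullets above) stops the page's script from calling the partner directly. Everything the browser sends therefore reaches the partner through spibooks.com, which is how the SQL injection, DoS and XSS arrows in the figure get there. The added example below (not from the original slides) shows the checks a bridge should apply before building the partner request: an allowlist of operations, an exact format for every parameter, URL encoding, and a per-client request budget. The partner origin `majorbooks.example`, the `/ws/book` and `/ws/search` paths, the operation names and the parameter patterns are all assumptions made for the example.

```javascript
// Added example, not from the original slides: validation for an Ajax bridge
// endpoint. Only the operations the agreement covers can be reached, each
// parameter must match its allowlisted format, and one client cannot use the
// bridge to flood the partner.

const PARTNER_ORIGIN = 'https://majorbooks.example';   // placeholder, not a real partner

// Operations the agreement covers, the only parameters allowed for each, and
// the exact format each parameter must have (all assumed for this example).
const ALLOWED_OPERATIONS = {
  lookup: { path: '/ws/book',   params: { isbn: /^\d{13}$/ } },
  search: { path: '/ws/search', params: { q: /^[\w .,'-]{1,60}$/ } },
};

// Own-property lookup: a plain obj[key] would also find inherited names such
// as "constructor", and the client controls req.operation and parameter names.
function own(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Per-client request budget: a crude guard against the DoS case in the figure.
const MAX_PER_MINUTE = 30;
const budgets = new Map();   // clientId -> { windowStart, count }
function withinBudget(clientId, now) {
  const b = budgets.get(clientId);
  if (!b || now - b.windowStart >= 60000) {
    budgets.set(clientId, { windowStart: now, count: 1 });
    return true;
  }
  b.count += 1;
  return b.count <= MAX_PER_MINUTE;
}

// Turn an untrusted bridge request {clientId, operation, params} into the
// exact partner URL to call, or an {error}. No client value reaches the URL
// unless it matched its pattern, and URLSearchParams encodes it, so nothing
// the browser sends can change the path or add query fields of its own.
function buildPartnerRequest(req, now) {
  if (!withinBudget(req.clientId, now)) return { error: 'rate limit exceeded' };
  const op = own(ALLOWED_OPERATIONS, req.operation);
  if (!op) return { error: 'unknown operation' };
  const params = req.params || {};
  const url = new URL(op.path, PARTNER_ORIGIN);
  for (const name of Object.keys(params)) {
    const pattern = own(op.params, name);
    if (!pattern) return { error: 'unexpected parameter: ' + name };
    const value = String(params[name]);
    if (!pattern.test(value)) return { error: 'invalid value for ' + name };
    url.searchParams.set(name, value);
  }
  for (const name of Object.keys(op.params)) {
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      return { error: 'missing parameter: ' + name };
    }
  }
  return { url: url.toString() };
}
```

A request such as `{ operation: 'lookup', params: { isbn: '9780131103627' } }` becomes `https://majorbooks.example/ws/book?isbn=9780131103627`, while an `isbn` of `1' OR '1'='1` is rejected before any partner call is built. The strict formats do the real work: the partner never sees free-form input, so the bridge cannot relay injection strings it did not understand.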
