AJAX Hacking

Risk Rating:
Asynchronous JavaScript and XML (AJAX) is basically JavaScript on steroids. It plays an important part in most Web 2.0 applications, allowing a much more streamlined and smooth interaction with the user due to its ability to make asynchronous requests to the web application without requiring a page refresh. This is achieved by using the XMLHttpRequest (XHR) object. Being based on JavaScript, AJAX runs on the client side within the user's web browser, which tempts developers to build security checks into these client-side scripts. This places the security controls within the attacker's control, which almost always means these controls can be bypassed.
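To make the point concrete, here is an added example (not code from the book) contrasting an endpoint that trusts the page's JavaScript validation with one that repeats the check on the server. The "client" and "server" are plain functions standing in for the page's XHR code and its handler so the example runs offline; the names validateUsername, clientSubmit, trustingServer and validatingServer, and the sample inputs, are assumptions made for this illustration.

```javascript
// Added example, not from the original text. Shows why a check that runs only
// in the browser is not a security control: the same request can be sent
// directly, skipping the page's JavaScript entirely.

const USERNAME_RE = /^[a-z0-9_]{3,16}$/;

// The rule both sides should enforce: 3-16 lowercase letters, digits or '_'.
function validateUsername(name) {
  return typeof name === 'string' && USERNAME_RE.test(name);
}

// Browser side: the page validates, then fires the XHR. A tester with a
// debugger (or any HTTP client) can simply skip this function.
function clientSubmit(name, send) {
  if (!validateUsername(name)) {
    return { sent: false, reason: 'rejected in browser' };
  }
  return { sent: true, response: send({ body: JSON.stringify({ username: name }) }) };
}

// Naive endpoint: assumes the page already validated and stores whatever arrives.
function trustingServer(store) {
  return (req) => {
    const { username } = JSON.parse(req.body);
    store.push(username);
    return { status: 200 };
  };
}

// Hardened endpoint: re-validates regardless of what the page did, so
// bypassing the browser check changes nothing.
function validatingServer(store) {
  return (req) => {
    let username;
    try {
      ({ username } = JSON.parse(req.body));
    } catch (e) {
      return { status: 400, error: 'malformed JSON' };
    }
    if (!validateUsername(username)) {
      return { status: 400, error: 'invalid username' };
    }
    store.push(username);
    return { status: 200 };
  };
}

// What a direct request looks like: the endpoint is called with a payload
// the page's own JavaScript would never have produced.
function directRequest(server, payload) {
  return server({ body: JSON.stringify({ username: payload }) });
}

function demo() {
  const trustedStore = [];
  const hardenedStore = [];
  const bad = 'not a valid username!'; // constructed sample input

  return {
    viaPage: clientSubmit(bad, trustingServer(trustedStore)).sent,              // false: page blocks it
    trustingDirect: directRequest(trustingServer(trustedStore), bad).status,    // 200: control bypassed
    hardenedDirect: directRequest(validatingServer(hardenedStore), bad).status, // 400: server rejects
    hardenedValid: directRequest(validatingServer(hardenedStore), 'alice_01').status, // 200
    storedByTrustingServer: trustedStore,  // [bad]
    storedByHardenedServer: hardenedStore, // ['alice_01']
  };
}
```

The client-side check is still worth keeping for usability, but only the server-side check in validatingServer counts as a control; the trusting endpoint accepts the invalid value the moment the page is taken out of the loop.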

AJAX introduces complexity into the development and testing of web applications. Due to its asynchronous nature, the concept of a single page no longer exists within Web 2.0 applications, since any number of web requests could be running in the background to generate, and regenerate, the content of an ever-changing page. This also means that the old style of crawling a web application to enumerate the pages and the access points (or parameters) within those pages is no longer sufficient on its own. The tester needs to remember that the pages that were originally crawled may later consist of completely different content, parameters, and links. This places a massive emphasis on "state," which often can only be differentiated by a human eye rather than by an automated web application scanner. Many web application testing tools do not take this into account, so the testing is incomplete if the tester relies solely on the tool's output, which unfortunately is quite common, even among professional testing organizations.

So what is a penetration tester to do? Luckily, a number of Firefox add-ons have been developed that allow the analysis and manipulation of basically everything that runs within a web browser, allowing Firefox to be turned into a web application testing tool. Some of these add-ons include Firebug, JavaScript Debugger (also known as Venkman), Tamper Data, Live HTTP Headers, Chickenfoot, Web Developer Toolbar, and Hackbar.

Firebug has an option to show XMLHttpRequests as you are browsing web pages, allowing you to enumerate XHR calls, as shown in Figure 13-10.

[Figure 13-10 screenshot: Firebug Net panel with the XHR filter selected, showing a request to typeahead_friends.php on facebook.com with its Params, Headers, Response, and Response Headers tabs. The response headers listed are Date, Server, Last-Modified, Keep-Alive, Transfer-Encoding, Content-Type, and Content-Encoding; the request headers listed are Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Accept-Charset, Keep-Alive, Connection, and Referer.]

Figure 13-10 Firebug reveals XMLHttpRequests within a Web 2.0 application.

Once an XHR call has been enumerated, the tester is then able to view the HTTP headers, the HTTP response, and the parameters within the AJAX call. This may reveal requests and parameters that you couldn't find with traditional web application testing techniques. Chickenfoot is a scripting add-on that allows client-side actions, such as OnClick events, to be automated, allowing fast discovery of AJAX calls.

The tester may also be lucky enough to reveal client-side input validation routines that are being performed around the request, which could indicate that security has been implemented within the web browser rather than within the server-side code. JavaScript debuggers, such as Venkman or Firebug, can be used to enumerate and browse all JavaScript routines within web pages. They also allow you to set breakpoints within these JavaScript routines so values and functions can be manipulated at runtime, and they provide a step-through option that enables finer-grained control over the flow of the web application logic. Figure 13-10 demonstrates the enumeration of the typeahead_friends.php program. By using Venkman, the tester is able to search for keywords, such as typeahead, in order to determine where this call may have originated, enabling the tester to set breakpoints within the JavaScript function so that a more detailed analysis can be performed, as shown in Figure 13-11.
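The XHR enumeration that Firebug's Net panel and Chickenfoot provide interactively can also be done from JavaScript itself, which is useful when building an inventory of an application's AJAX endpoints so that every parameter can be checked for server-side validation. The following is an added example, not code from the book or from Firebug: it wraps XMLHttpRequest's open() and send() to log each call and then collapses the log into endpoint-to-parameter lists. FakeXHR and the sample requests are constructed stand-ins so it runs outside a browser; in a page you would pass window.XMLHttpRequest instead, and the function names instrumentXHR and summarize are assumptions.

```javascript
// Added example (not from the original text): record every XMLHttpRequest a
// page makes, then reduce the log to "METHOD /path -> parameter names".

function instrumentXHR(XHRClass, log) {
  const origOpen = XHRClass.prototype.open;
  const origSend = XHRClass.prototype.send;

  XHRClass.prototype.open = function (method, url, ...rest) {
    // Method and URL are known at open(); the body only arrives at send().
    this._trace = { method: String(method).toUpperCase(), url: String(url), body: null };
    return origOpen.call(this, method, url, ...rest);
  };

  XHRClass.prototype.send = function (body) {
    if (this._trace) {
      this._trace.body = body == null ? null : String(body);
      log.push(this._trace);
    }
    return origSend.call(this, body);
  };

  // Undo function so the page can be restored once the inventory is taken.
  return function restore() {
    XHRClass.prototype.open = origOpen;
    XHRClass.prototype.send = origSend;
  };
}

// Collapse the raw log into endpoint -> sorted parameter names. Query-string
// parameters, form-encoded body fields and top-level JSON keys are all counted.
function summarize(log) {
  const endpoints = new Map();
  for (const entry of log) {
    const u = new URL(entry.url, 'http://placeholder.invalid'); // base only for relative URLs
    const key = `${entry.method} ${u.pathname}`;
    const params = endpoints.get(key) || new Set();
    for (const name of u.searchParams.keys()) params.add(name);
    if (entry.body && entry.body.trimStart().startsWith('{')) {
      try { Object.keys(JSON.parse(entry.body)).forEach((k) => params.add(k)); } catch (e) { /* not JSON */ }
    } else if (entry.body) {
      for (const name of new URLSearchParams(entry.body).keys()) params.add(name);
    }
    endpoints.set(key, params);
  }
  return new Map([...endpoints].map(([k, v]) => [k, [...v].sort()]));
}

// Constructed stand-in for the browser's XMLHttpRequest.
class FakeXHR {
  open(method, url) { this.method = method; this.url = url; }
  send(body) { this.sent = body; }
}

function demo() {
  const log = [];
  const restore = instrumentXHR(FakeXHR, log);

  // Constructed sample traffic resembling a typeahead widget and two posts.
  const calls = [
    ['GET', '/typeahead_friends.php?q=al&limit=10', null],
    ['GET', '/typeahead_friends.php?q=ali', null],
    ['POST', '/profile/update.php', 'name=Alice&city=Oslo'],
    ['post', '/api/status', JSON.stringify({ text: 'hi', visibility: 'friends' })],
  ];
  for (const [method, url, body] of calls) {
    const x = new FakeXHR();
    x.open(method, url);
    x.send(body);
  }

  restore();
  const quiet = new FakeXHR(); // after restore(), this call is not logged
  quiet.open('GET', '/not_logged');
  quiet.send(null);

  return { count: log.length, endpoints: summarize(log) };
}
```

The resulting map is the checklist: for each "METHOD /path" entry, confirm that every listed parameter is validated and authorised on the server, since the page's own JavaScript can be stepped over in a debugger exactly as the text describes.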

Firebug has a number of powerful tools, including the Inspect feature, which allows the tester to simply mouse over any section, small or large, of the currently displayed web page to reveal the corresponding HTML code, page layout, style details, size restrictions, and JavaScript functions and events, and provides the ability to browse the DOM structure, as shown in Figure 13-12. The Edit option allows the tester to modify the underlying code easily to manipulate the application.

Figure 13-12 Firebug Inspect feature allows easy analysis of underlying code.
