Click here to Skip to main content
11,641,081 members (64,896 online)
Click here to Skip to main content

Security threats in AJAX

, 24 Jul 2007 CPOL 21.3K 25
Rate this:
Please Sign up or sign in to vote.
This article describes the loopholes in AJAX

What is AJAX?

AJAX, an acronym for Asynchronous JavaScript and XML, is a web development technique for creating interactive web applications. The intent is to make web pages feel more responsive by exchanging small amounts of data with the server behind the scenes, so that the entire web page does not have to be reloaded each time the user makes a change. This is meant to increase the web page's interactivity, speed, and usability.

Why we go for AJAX?

People have many reasons to go for AJAX. In the previous years, people got bored by the synchronous methods and those methods made people wait for the server response. After that, AJAX was introduced to overcome the synchronous calling methods. We need to know about the synchronous and asynchronous calling methods.

"Synchronous call" is like if you are clicking a button and the request has been sent to the server and waiting for the response during which you cannot access any part of the user interface. "Asynchronous call" gives the opportunity to raise another request by accessing other parts of the user interface.

The advantages of AJAX are:

  1. Better performance than traditional web applications
  2. Better bandwidth usage
  3. Easy interaction with DOM objects
  4. No need for page refresh
  5. A single screen can handle multiple tasks so there is no need for multiple pages

Loopholes in AJAX

The web is a place for hackers to get sensitive data. So it is better to design a website to avoid chances for hacking. In AJAX, we have some problems with regard to this. They are:

Injection Attacks

Injection means sending the data or sending the scripts into the main code.
Injection can happen in the following cases and the methods given below:

  • PHP toolkits: possibility for code injection
  • JSON injection: it is possible to inject a code during decode
  • DOM injection - client side attacks are now much easier
  • XML injection - both client and server side
  • Code injection - both client and server side

Problem with JSON

JSON is a lightweight data-interchange format. It is particularly useful because it can be 'decoded' easily by web page JavaScript into object form. AJAX-based web pages use XmlHttpRequest to receive data from a server in response to a user action. While the returned data is normally in XML format, it can also be returned in JSON string format and processed more easily in JavaScript. Many applications may store information in XML format. However they may want to send data to a client using JSON.

JSON pair injection

JavaScript Object Notation (JSON) is a simple and effective lightweight data exchange format and one that can contain object, array, hash table, vector and list data structures. JSON is supported by JavaScript, Python, C, C++, C# and Perl languages. Serialization of JSON is a very effective exchange mechanism in Web 2.0 applications. Developers choose JSON over AJAX very frequently and fetch and pass required information to the DOM. Here is a simple JSON object "favourites" object with different name-value pair.

{"favourites":[{"URL":"www.codeproject.com","Visits":"1200",
                    "Shortcut Key":"Control+w"}]}

It is possible to inject a malicious script in either URL or Shortcut Key. If it gets injected into the DOM and executes, it falls into the XSS category. This is another way of serializing malicious content to the end-user.

JavaSript Array poisoning

JavaScript array is another very popular object for serialization. It is easy to port across platforms and is effective in a cross-language framework. Poisoning a JavaScript array spoils the DOM context. A JavaScript array can be exploited with simple cross-site scripting in the browser. Here is a sample JavaScript array:

new Array("DesktopPC", "DELL", "Used", "400$", "It is a used one")

This array is passed by an auction site for a used desktop computer. If this array object is not properly sanitized on the server-side, a user can inject a script in the last field. This injection can compromise the browser and can be exploited by an attack agent.

Cross-domain access and Callback

AJAX cannot access cross-domains from the browser. One of the browser security features that exists in all flavors of browsers is the blocking of cross-domain access. There are several Web services that provide a callback mechanism for object serialization. Developers can use this callback mechanism to integrate Web services in the browser itself. The callback function name can be passed back so that as soon as the callback object stream is retrieved by the browser, it gets executed by the specific function name originally passed from the browser.

This callback puts an extra burden on developers to have in-browser validation. If the incoming object stream is not validated by the browser, then developers are putting the end client's fate at the mercy of cross-domain targets. Intentionally or unintentionally, this cross domain service can inject malicious content into the browser. This cross domain call runs in the current DOM context and so makes the current session vulnerable as well. This entire cross-domain mechanism needs to be looked at very closely before implementation into an application.

Conclusion

This article has gone through some of the security threats with AJAX programming. Note that there are some more threats with AJAX. This article does not intend to tell the readers to avoid AJAX programming, but aims to recommend some methods to secure the web.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

sathesh pandian
Technical Lead
India India
have been working in web technologies for the last 8 years.

You may also be interested in...

Comments and Discussions

 
-- There are no messages in this forum --
| Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.150731.1 | Last Updated 24 Jul 2007
Article Copyright 2007 by sathesh pandian
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid