AJAX and Web Services-Security Issues

  • Asynchronous JavaScript and XML(AJAX) is a combination of technologies that is used to create fast and dynamic pages.
  • AJAX makes use of javascript to connect and retrieve information from the server without reloading the entire web page.
  • benefits of using AJAX:

    • Increased speed
    • User friendly
    • Asynchronous calls
    • Reduced network utilization
  • The components of AJAX:

    • JavaScript
    • Dynamic HTML
    • Document Object Model(DOM)
  • Many developers use AJAX frameworks,whihch makes their task easier to design the application.JQuery,Dojo Toolkit,Google web toolkit(GWT),and Microsoft AJAX library(ASP applications) are well-known frameworks.

  • Some security issues that results due to AJAX are as follows:

    • Increase in attack surface
    • Mixture of server-side and client-site code resulting in mistakes.
    • Amplification of cross-site scripting vulnerability such as XSS.
    • Insufficient access control
  • Challenges of pentesting AJAX applications

    • During the manual testing of an application,you fire up a proxy such as Burp or ZAP,capturing the request and the response.In an AJAX application,the requests are asynchronous and the number of request-response captured is far more than a traditional application.As an ethical hacker,you need to be aware fo it as it may be difficult to manually test the applicaion using a weeb applicaion proxy.
    • In an AJAX-based applicaion,the contents of the web page changes dynamically.A request generated by clicking a specific button could be different when that button is clicked after a few additional options are selected.The response would update parts of the web page creating new form fields and additional links for the user.This creates a unique challenge for the penetration tester when scoping the applications as it is not easy to crawl and identify the size of the application.It is also possibl that the tester would miss parts of the website.
  • tools tocrawl AJAX applications:

    • AJAX crawling tool
    • Sprajax
    • AJAX Spider-OWASP ZAP
  • Analyzing client-side code-Firebug

    • Viewing the source using Ctrl+U shortcut key will reveal the underlying JavaScript that creates the XHR objects.If the web page and script is big,analyzing the application by viewing the source won`t be helpful and practical.

    • Firebug in firefox:

      • Edit the layout of HTML in real time
      • Monitor network usage of the web page
      • Can debug JavaScript using an inbuile debugger
      • Identify DOM objects quickly
      • View detailed information about the cookie set by the server
      • The shortcut key to display the firebug window is F112
    • The Chrome brwser also includes a tool similar to Firebug:the Developer tool.Use the Ctrl+Shift+I shortcut keys to open it .

  • XSS uses JavaScript to exploit and ssteal information by injecting scripts in the victim`s browser.

  • Web Services

    • There are two different ways to develop web sservices:

      • Simple object access protocol(SOAP)
      • RESTful web services(REST stand for Representational State Transfer)
  • Some of the features of RESTful web services are as follows:

    • Works really well with CRUD operations
    • Better performance and scalability
    • Can handle multiple formats
    • Smaller learning curve
    • Design philosophy similar to web applications
  • RESTful web services should be protected against the following security issues:

    • The session between the consumere and teh provider of the web service should be authenticated and maintained using a session token or an API key.The API key,username,and session token should never be passed in the URL.The session state should always be maintained on the server side and not the client side.RESTful services does not provide any security by default it is dependent on transport layer security to protext the data while it on the wire.SSl is recommended to protect the data in transit. SOAP web services use WS-security which provides message level security that is more robust than HTTPS.You should nerver pass an API key in the URL as SSL does not protexts the URL parameters and the key is logged in bookmarks and server logs.Either OAuth or HMAC authentication should be used.In HMAC authentication the API key is encrypted with a secret key which is shared between the client and the server.

    • MOst tasks of a RESTFul web servieces are done using the GET,POST,DELETE,and PUT methods.but the PUT or DELETE methods should never be allowed for a non-authenticated user.The web service should be careful when allowing multiple methods for a given URL.For a method that is not allowed against a URL,a forbidden message should be sent back.For critical tasks involving the PUT and DELETE methods,a random token should be used to mitigate a CSRF attack.Most web services use the following four verbs:

      • |HTTP verb|Use
      • |—
      • |GET|To retrieve data
      • |PUT|To insert data
      • |POST|To update data
      • |DELETE|To remoce data
    • The web service should be tested using random generated data to verify the implementation of validation filters.Input fields taking a finite number of characters should use the whitelisting-based approach.Using this approach,we can deifne what is acceptable and build a list of legitimate input accepted by the application.Any characters or untrusted data not part of the whitelist is rejected.

    • If the web services is using XML,it should be tested against common XML-based attacks such as XPath injection,XQuery injection,XML schema poisoning,and others.

    • When there is an exception,the RESTful API should respond back withappropriate error messages just like it is done in regular web pages and use the HTTP status codes to return errors to the clients.In the exception message,Here are the response codes:

      • |Response code|Meaning
      • |100s-Information|We`re all cool
      • |200s-Success|I got what you need
      • |300s-Redirection|It`s over there
      • |400s-Client error|You messed it up
      • |500s-Server error|I messed it up
    • Insecure direct object reference vulnerability:Insecure direct object reference is a major cause of concern in web services and should be on top of your to-do list when pentesting a RESTFul web service.

  • Web application should still be tested against the OWASP top 10 vulnerability