WebApp Sec mailing list archives

Ajax Security discussion for the OWASP Guide

From: Andrew van der Stock <vanderaj () greebo net>
Date: Fri, 23 Sep 2005 11:45:16 +1000

Hi there,

I am writing a section on AJAX for the OWASP Guide, and since it's soshiny, I'd thought I'd run my thoughts past you folks.


1. It's Web Services Lite.

(Spoofing)

Therefore, many of the issues facing unauthenticated web servicesapply to Ajax, too. If you are using AJAX without session management,it should be unable to perform any tasks a guest cannot do.


2. Validate like crazy

(Tampering)

Just because the process is hidden from the user, doesn't mean thatthe incoming request is safe to handle without validation. Validateall inbound requests properly.


3. SSL when necessary

(Repudiation)

Ajax may not be visible to the user, but it still exposes the user toconfidentiality attacks if sensitive information is transmitted ineither direction. Use SSL to protect privacy and integrity, whilstrealizing that SSL is not "security" in and of itself.


4. POST please

(Information Disclosure)

Again, it's easy to use GET, but this remains in the browser historyand many intermediate logs.

If the Ajax request allows you to fill in information about anotheruser, make sure the caller is authorized to receive that information.For example, if you provide an Ajax request to find all posts by auser on a forum, make sure the posts are filtered to only includethose the user would normally be able to see, or if you are writing atransaction history query, make sure the query only runs againstaccounts the user has access to.


5. Simple and fast handling

(Denial of Service)

Ajax could be used as a DoS target, particularly, if the requests aredoing significant chunks of work for unauthenticated clients. Becareful about implementing long running tasks, which is a typicalscenario for Ajax (do something slow behind the user's back, to makethe page feel fast).


6. Ensure the Ajax path is properly access controlled

(Elevation of privilege)

Ajax is a relatively new technology with many immatureimplementations. Make sure that all requests are properlyauthenticated and authorized to prevent users performing tasks whichwould allow them to become higher privilege users than they alreadyare. For example, don't allow Ajax to perform administration tasksfor just anyone.


--

Thoughts?

thanks,
Andrew

Current thread:

Ajax Security discussion for the OWASP Guide Andrew van der Stock (Sep 22)
- Re: Ajax Security discussion for the OWASP Guide Serg Belokamen (Sep 22)
- <Possible follow-ups>
- RE: Ajax Security discussion for the OWASP Guide Luke Fraser (Sep 23)
- Re: Ajax Security discussion for the OWASP Guide noname (Sep 23)
  - Re: Ajax Security discussion for the OWASP Guide Andre Ludwig (Sep 23)
  - Re: Ajax Security discussion for the OWASP Guide John Manko (Sep 23)
    - Re: Ajax Security discussion for the OWASP Guide focus (Sep 24)