Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0 presented at BlackhatUSA 2006

by Alex Stamos, Zane Lackey,

Summary : The Internet industry is currently riding a new wave of investor and consumer excitement, much of which is built upon the promise of Web 2.0 technologies giving us faster, more exciting, and more useful web applications. One of the fundamentals of Web 2.0 is known as Asynchronous JavaScript and XML (AJAX), which is an amalgam of techniques developers can use to give their applications the level of interactivity of client-side software with the platform-independence of JavaScript.
Unfortunately, there is a dark side to this new technology that has not been properly explored. The tighter integration of client and server code, as well as the invention of much richer downstream protocols that are parsed by the web browser has created new attacks as well as made classic web application attacks more difficult to prevent.
We will discuss XSS, Cross-Site Request Forgery (XSRF), parameter tampering and object serialization attacks in AJAX applications, and will publicly release an AJAX-based XSRF attack framework. We will also be releasing a security analysis of several popular AJAX frameworks, including Microsoft Atlas, JSON-RPC and SAJAX. The talk will include live demos against vulnerable web applications, and will be appropriate for attendees with a basic understanding of HTML and JavaScript.