Thursday, 29 December 2011

AJAX Injection Attack A New Way To Hack


AJAX (Asynchronous JavaScript and XML) technology allows web pages to dynamically update specific content behind the scenes without the need to refresh the whole page. The ability to continually update the content of an AJAX page comes from using an XMLHttpRequest (XHR) object in JavaScript to send HTTP requests to the web server. These requests typically send and receive data in the form of XML or JSON (JavaScript Object Notation).

AJAX injection is a type of Cross Site Scripting (XSS) attack that leverages the XML or JSON format of the input to the client browser. JSON is particularly popular because it is easy to parse JSON objects by simply passing them to the eval() function. Unfortunately, the use of eval() makes the application equally easy to exploit. Cleverly formatted strings containing malicious JavaScript may be stored as content on servers with weak validation or sent directly to the client browser using a spoofing or man-in-the-middle attack. This JavaScript is then parsed and executed by the client’s browser without the user’s knowledge. Ultimately, this attack may be used to steal session cookies, send email on behalf of the victim, or cause any other impact available to an XSS attack.

IMPACT-

Confidentiality: Since the code runs in the same domain as the trusted site any cookies or other confidential site data can be read by the malicious AJAX code.
JavaScript code injection: By using the XMLHttpRequest object attackers can download and install JavaScript code modules to be run on the local browser dynamically and send information from the computer without the victim’s knowledge.
Vulnerabilities
Failure to validate user input for script tags when that input can be echoed back into a web page.
Failure to encode user-supplied input upon display of the data.
Trusting data retrieved from a shared data store.
Countermeasures
Constrain input: Use rigorous white-list style checking on any user input that may be reflected to a user’s browser.
HTMLEncode all user input on display: Use white-list style HTMLEncoding libraries to ensure all possibly malicious characters are encoded before being echoed back to the user, regardless of whether they’re loaded as part of the original page load or through later XMLHttpRequests.

EXAMPLE-
Suppose you use an AJAX based web mail client. Because these are the days of Web 2.0, your mail client displays a list of your favorite contacts and lets you know their status. By default this status is set to “Online” or “Away,” but a custom message may also be set by each contact, and that message is reflected in your client. In order for this to work, the web page periodically updates this status list by requesting the list of contacts from the server. The server returns this information to the client as the following JSON object:


Code:

{ "numberOnline": "3", "nameAndStatus": [ "Alice, Online", "Bob, Online", "Mallory, Away" ] }
The following code shows the client JavaScript code which is called periodically to request the above object and update the DOM.


Code:

var contactStatusList;
var http_request = new XMLHttpRequest();
http_request.open("GET", url, true); // url is the contact-status endpoint on the mail server
http_request.onreadystatechange = function () {
    if (http_request.readyState == 4) {
        if (http_request.status == 200) {
            // The response body is evaluated as JavaScript, not parsed as data
            contactStatusList = eval("(" + http_request.responseText + ")");
        }
        http_request = null;
    }
};
http_request.send(null);
Now suppose that Mallory’s status is set to a custom value. This may have been changed by Mallory herself or by a third party attacker. Either way, because the server providing the data to the mail client has poor validation, this status value is changed to include cleverly formatted malicious JavaScript. Suppose that instead of “Away” the value is changed to the following:

Code:

Away"});alert("COde InjectOr Was Here!");//
The first thing to notice is that the JSON object, which represents the contact status list, is valid JavaScript. Because of this, eval() can be used to evaluate it. The above string completes the status object, inserts additional JavaScript, and comments out the rest of the line. When the response is passed to the eval() function the additional JavaScript is run. Note that the alert("COde InjectOr Was Here!") call can be replaced with any malicious JavaScript and it will be run in the client’s browser. Because the above code is an example, an alert message window will be displayed. In general, however, JavaScript could be downloaded and executed without the user’s knowledge.
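A hardened version of the client above, added here as an example and not part of the original post: it keeps the same XMLHttpRequest flow but replaces eval() with JSON.parse plus a check of the object's shape, and HTML-encodes every status string before it reaches the DOM, which is the "constrain input" and "HTMLEncode on display" advice from the countermeasures list applied to this exact response. The function names (parseContactStatus, htmlEncode, renderContactList, refreshContacts, responseIsAccepted) and the sample responses are this example's own; the tampered response simply embeds the status string from the post into the JSON object shown above, as a server with weak validation would emit it.

```javascript
// Added example (not from the original post): safe parsing and rendering of
// the contact-status response. Only numberOnline and nameAndStatus come from
// the post; every other name here is this example's own.

// Parse the server response as data, never as JavaScript. JSON.parse accepts
// only JSON, so the tampered response from the post raises a SyntaxError at
// the stray "}" instead of being executed.
function parseContactStatus(responseText) {
  const data = JSON.parse(responseText);
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    throw new TypeError("status response must be a JSON object");
  }
  if (!Array.isArray(data.nameAndStatus) ||
      !data.nameAndStatus.every((entry) => typeof entry === "string")) {
    throw new TypeError("nameAndStatus must be an array of strings");
  }
  const numberOnline = Number(data.numberOnline);
  if (!Number.isInteger(numberOnline) || numberOnline < 0) {
    throw new TypeError("numberOnline must be a non-negative integer");
  }
  return { numberOnline, nameAndStatus: data.nameAndStatus };
}

// Encode the characters that let text break out of an HTML context.
function htmlEncode(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the list markup from the parsed object. Each contact string passes
// through htmlEncode, so a custom status is displayed literally.
function renderContactList(status) {
  const items = status.nameAndStatus
    .map((entry) => "<li>" + htmlEncode(entry) + "</li>")
    .join("");
  return "<p>" + status.numberOnline + " online</p><ul>" + items + "</ul>";
}

// True if the response parses and passes the shape check, false otherwise.
function responseIsAccepted(responseText) {
  try {
    parseContactStatus(responseText);
    return true;
  } catch (err) {
    return false;
  }
}

// Drop-in replacement for the eval() client: same XHR flow, safe parse and
// render. `url` is the status endpoint, `listElement` the container in the page.
function refreshContacts(url, listElement) {
  const http_request = new XMLHttpRequest();
  http_request.open("GET", url, true);
  http_request.onreadystatechange = function () {
    if (http_request.readyState !== 4) return;
    if (http_request.status === 200) {
      try {
        const status = parseContactStatus(http_request.responseText);
        listElement.innerHTML = renderContactList(status);
      } catch (err) {
        // A rejected response is logged and the old list is left in place.
        console.error("rejected contact status response:", err.message);
      }
    }
  };
  http_request.send(null);
}

// Constructed sample responses for an offline check.
const BENIGN_RESPONSE =
  '{ "numberOnline": "3", "nameAndStatus": [ "Alice, Online", "Bob, Online", "Mallory, Away" ] }';
// Mallory's custom status from the post, inserted unescaped by a weak server.
const TAMPERED_RESPONSE =
  '{ "numberOnline": "3", "nameAndStatus": [ "Alice, Online", "Bob, Online", "Mallory, Away"});alert("COde InjectOr Was Here!");//" ] }';
// A status containing markup characters, to show encoding on display.
const MARKUP_RESPONSE =
  '{ "numberOnline": "1", "nameAndStatus": [ "Mallory, <b>Away</b> & \\"busy\\"" ] }';

console.log("benign accepted:", responseIsAccepted(BENIGN_RESPONSE));
console.log("tampered accepted:", responseIsAccepted(TAMPERED_RESPONSE));
console.log(renderContactList(parseContactStatus(MARKUP_RESPONSE)));
```

The shape check matters as much as JSON.parse: a response that is valid JSON but carries, say, an object where a string is expected would otherwise reach the rendering code, and a parser that only accepts data still leaves the display step responsible for encoding.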


