Dave Bullock / eecue

photographer, director of engineering: crowdrise, photojournalist, hacker, nerd, geek, human


Breaking AJAX Web Applications - Black Hat 2006 Day 2

Alex Stamos

Alex Stamos and Zane Lackey gave a talk at Black Hat called "Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0". As AJAX evolves from a toy used by teenyboppers to a serious tool used by banks, hospitals and Uncle Sam, it becomes more and more important to ensure bug-free code. AJAX has changed web attacks: the included .js files reveal which frameworks an application uses and which server-side calls it supports. Cross-site scripting becomes more complicated because you can inject script directly into the JavaScript stream. Injection attacks are also more dangerous because the front ends are exposed in the client-side code. Business logic in applications has become more complex, so parameter manipulation vulnerabilities are still excellent attacks.

XSS becomes more complicated and more interesting because you can put JavaScript right into a running JavaScript engine, which makes it harder to escape: you're no longer just looking for brackets and tags.

Because your browser is running a JavaScript application, if an attacker sends you rogue code, say in link form in your cool AJAX email app, your browser will run the code inside the webmail application instead of loading it in a new page, and the attacker would be sent your authentication cookie. The attacker would then have access to your web mail. The speakers used the fictitious company Webmail.com in this example; when asked about Gmail they responded that they have more lawyers than Webmail.com, but it was pretty clear the attack they were talking about was possibly on Gmail.
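To make the "no longer looking for brackets and tags" point concrete, here is an added example (not from the talk or the original post) in Node.js: a bracket-stripping filter that protected HTML output does nothing for data pasted into a JavaScript string literal, while serializing the value as a JSON literal does. The function names, the filter and the sample input are all constructed for this illustration.

```javascript
// Added example (not from the talk or the post): why a filter that only looks
// for HTML brackets and tags does not protect a JavaScript context, and how to
// embed untrusted data into a script safely. All names here are constructed.

// A naive pre-AJAX "tag" filter: strip < and > and assume the rest is safe HTML.
function stripTags(s) {
  return String(s).replace(/[<>]/g, '');
}

// Vulnerable pattern: the server pastes user data into a JS string literal.
function buildScriptNaive(subject) {
  return "showSubject('" + stripTags(subject) + "');";
}

// Hardened pattern: emit the value as a JSON literal, then escape the characters
// that could close the surrounding <script> block or break the JS parser.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function buildScriptSafe(subject) {
  return 'showSubject(' + jsLiteral(subject) + ');';
}

// Harness: run the generated fragment in an isolated scope and record what
// showSubject actually received and whether any other statement executed.
function runFragment(fragment) {
  const seen = { shown: null, sideEffect: false };
  const showSubject = (s) => { seen.shown = s; };
  const beacon = () => { seen.sideEffect = true; }; // stand-in for injected code
  new Function('showSubject', 'beacon', fragment)(showSubject, beacon);
  return seen;
}

// Constructed input: no brackets or tags, so stripTags passes it untouched,
// yet it closes the string literal and appends a second statement.
const hostile = "hi'); beacon(); ('";

runFragment(buildScriptNaive(hostile)); // -> { shown: 'hi', sideEffect: true }
runFragment(buildScriptSafe(hostile));  // -> { shown: hostile, sideEffect: false }
```

The same jsLiteral encoding applies whether the fragment is written into a page or returned to an XmlHttpRequest caller; the context that matters is the JavaScript parser, not the HTML one.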

Dynamic script nodes allow attackers to embed malicious JavaScript in a website that can pull a cookie from any site, because browsers allow cross-domain XmlHttpRequests. This is very bad!


got my home control web interface working!

thanks to inspiration from arclight... i decided to set up my X10 home control again. instead of using the more complicated two-way system i had before, i opted to use the FireCracker module and the BottleRocket software package.

using ssh tunnels from my home unix box behind the firewall here to connect to my webserver and open a reverse tunnel back to the unix box in my house, and setting up keys that can only execute the scripts i wrote with BottleRocket, i created a php script that checks the authorization and makes sure it's me logged in; it allows you to turn on and off my office and living room lights, or all of them at once.

wow that was a long run-on sentence.