Slashdot Mirror

← Back to Stories (view on slashdot.org)

AJAX May Be Considered Harmful

Posted by Zonk on from the web-20-needs-vitamins dept.

87C751 writes "Security lists are abuzz about a presentation from the 23C3 conference, which details a fundamental design flaw in Javascript. The technique, called Prototype Hijacking, allows an attacker to redefine any feature of Javascript. The paper is called 'Subverting AJAX' (pdf), and outlines a possible Web Worm that lives in the very fabric of Web 2.0 and could kill the Web as we know it."

7 of 308 comments (clear)

  1. Summary completely overhyped by levell · · Score: 5, Informative

    Having skim read the article, it outlines how *if* you can execute malicious javascript for a website you can subvert the AJAX communication so that you can have man in the middle attacks etc.

    However once an attacker can execute malicious javascript in the scope of the target website you're toast whether you are using AJAX or not.

    I'll make a bold prediction and say that is not going to "kill the Web as we know it" contrary to what the /. article says.

    --
    Struggling to find a day everyone can make? WhenShallWe.com
  2. Re:Greasemonkey? by JackHoffman · · Score: 4, Informative

    No, Greasemonkey exposed security sensitive functions to websites. They were meant to be used by Greasemonkey scripts but websites had access too.

    This is about the way Javascript implements object oriented programming: In Javascript you don't define classes from which objects are instantiated. In a nutshell, you create prototype objects and new objects are copies of the prototypes. The "attack" is to change existing prototypes. For example, you can add a new function to the String prototype or replace an existing function with your own implementation. Every String object then gets the new function. There is one problem with this: Cross site checks don't apply. A script from one site can't simply communicate with another site, but it can modify the prototypes that the scripts from the other site use and subvert the communication of the other script with its host.

  3. Re:notabug by coma_bug · · Score: 5, Informative

    I'm wondering what kind of agenda the author has in writing this, actually.

    page 3
    This technique has been found by S. Di Paola and is called Prototype
    Hijacking    . It represents the state of the art in hijacking
    techniques applied to the Javascript language.

    page 6
    This new kind of attack has been called AICS and has been thought by S.
    Di Paola and G. Fedon and developed by S. Di Paola.

    page 8
    Stefano Di Paola. Senior Security Engineer of proved experience, works
    since many years as an IT consultant for private and public companies.
    He teaches Database Programming and Information Security at the
    University of Florence. Since 1997 is a well known security expert; he
    found many of the most dangerous vulnerabilities in recent releases of
    MySQL and PHP. From 2004 his researches focused mainly on Web security.
    Actually he is part of OWASP (Open Web Application Security Project)
    team and he's the focal point of Ajax security for the Italian Chapter.

    He is the creator of http://www.wisec.it/

    Giorgio Fedon. Currently employed as senior security consultant and
    penetration tester at Emaze Networks S.p.a, delivers code auditing,
    Forensic and Log analysis, Malware Analysis and complex Penetration
    Testing services to some of the most important Companies, Banks and
    Public Agencies in Italy. He participated as speaker in many national
    and international events talking mainly about web security and malware
    obfuscation techniques. During his past job he was employed at IBM
    System & Technology Group in Dublin (Ireland).

    Actually he is part of Owasp (Open Web Application Security Project)
    Italian Chapter.

  4. Re:notabug by stonecypher · · Score: 4, Informative

    This paper is absolutely ridiculous, and its author is scaremongering

    Try reading the paper before lambasting it. The stuff you saw in the slashdot article isn't in the paper. The author of the paper says things like "innovative new attack" and "next generation of server side injection." The stuff about end of the web as we know it is from the slashdot poster. The paper is quite insightful, and the author is almost blase about the whole thing. It's quite clear that he simply believes he's unearthed a new form of attack, and he's in fact quite correct.

    Please get off of your soapbox. You're wrong.

    --
    StoneCypher is Full of BS
  5. Have you ever tried to deploy an AJAX application? by Anonymous Coward · · Score: 5, Informative

    I haven't read it either, but from experience, I'd imagine it hold up very well.

    AJAX applications just aren't solid or stable, for the most part. We tried to integrate a number of them into our network here, and frankly each attempt went terribly. I'd like to think it was just one application vendor or AJAX toolkit that was problematic, but that wasn't the case.

    We found a number of common problems with every AJAX application we tried. Just for the record, the applications included three CMS systems, a Web-based email system, two groupware systems, and three Web forums.

    The first major problem with one of resource usage, on both the client-side and the server-side. Client-side, many AJAX applications consume far too much CPU time. From our investigation, it was due to the use of poor JavaScript algorithms that'd consume 100% of the CPU in some cases, for minutes on end. The applications "worked", in that they'd provide the correct result. It'd just take them far too long to get it done.

    On the server-side, they'd again result in excessive CPU and RAM consumption. For one of the Webmail systems, we could only handle a fifth (yes, 20%) of what our old Perl-based system could. And that was on a quad-core Opteron system with 8 GB of RAM! The Perl-based system was on a couple of 200 MHz Pentium systems, each with 128 MB of RAM. Even after assistance from the AJAX-based Webmail system's vendor, we were only able to handle roughly 90% of the number of transactions of our older system.

    The second major problem is that of usability. Many of the AJAX apps we tried didn't play well with browser tabs, for instance. Some even fucked around with text input areas, resulting in copy-and-pasting no longer working. One application even prevented the text within a text field from being highlighted! We thought these problems may be browser-specific incompatibilities, be we ran into this same problem with Firefox, Safari, Opera, and even IE6! After talking with the vendor, they admitted these were known problems, and no solutions were presently available.

    The third major problem is a lack of quality. Many AJAX applications are poorly coded and poorly designed. I think the main reason for that is because it's such an unstructured technology. Even competent software developers run into problems that cannot be solved easily, and thus must resort to hackish techniques to overcome these inherent problems.

    The fourth major problem was that the users hated the systems. Of the few systems we managed to roll out successfully, the users absolutely hated them. Their complaints were a combination of the above three factors. The AJAX applications would not do what the user wanted. The AJAX applications did not conform to common practices (eg. copy-and-paste, textbox text selection, etc.). The AJAX applications ran far too slowly, even on fast client machines. The AJAX applications just plain didn't work!

    All of our AJAX trials were abysmal failures. That's why we're sticking with the existing Perl- and Java-based systems that we currently use. They perform far better on much fewer resources, actually do what the users want, avoid violating the most common of conventions, and they do what they're supposed to. I'm sorry to say it, but AJAX might just be the worst technology I have ever had to deal with.

  6. Seriously, can we mod the OP Flamebait? by Trails · · Score: 4, Informative

    As well as the dingbat mod who let this crap summary get on /. unedited?

    I hate all this crap about "ZOMG, once I can inject javascript into a page, something else makes it totally insecure!!!"

    Once someone can inject javascript onto a page, you're toast. The article itself is valid, and isn't complaining about ajax so much as prototyping (despite the title of the paper).

  7. Re:Have you ever tried to deploy an AJAX applicati by 75th+Trombone · · Score: 4, Informative

    You've stated quite an amount of vagueness there, sir, not to mention this confounding statement:

    All of our AJAX trials were abysmal failures. That's why we're sticking with the existing Perl- and Java-based systems that we currently use.

    Very interesting, seeing has how AJAX has nothing to do with your server-side technology whatsoever. Or how about this:

    The AJAX applications did not conform to common practices (eg. copy-and-paste, textbox text selection, etc.

    Again very interesting, seeing as how AJAX itself has nothing to do with the way users interact with form elements.

    It sounds to me like either 1) you're BSing, which is my actual guess, or 2) your and your team have no idea how to actually code Javascript/AJAX/whatever, and you picked crappy packages off the internet and expected them to Just Work out of the box the same as your custom built solution.

    Your problems have had nothing to do AJAX; rather, they have had to do with either your lack of knowledge or your life as a Slashdot troll.

    --
    The United States of America: We do what we must because we can.