January 2008 — News



GWT: Advanced AJAX Security

Hoffman demonstrated his points on a sample AJAX travel Web site, Hacker Vacations.com, "Where You Can Name Your Own Price." The site lets you find flights and place bids on seats. He built it by following "expert" advice from popular books, how-to articles and forums; none of the flaws was planted deliberately.

Hackers Love Firebug
Hoffman showed how the Web site was riddled with typical security defects. He examined the underlying code with Firebug, a free Firefox extension that lets you edit, debug, and monitor the CSS, HTML and JavaScript of any live Web page. "It makes my job [as a hacker] so easy," he said.

He used Firebug's Inspect on the FindFlights function to show that nothing placed in the client is hidden from even an amateur attacker. Ctrl-U revealed the "hidden" page source, and a breakpoint set in the JavaScript let him pause execution and look at the data the server had actually returned: a giant table of flights, of which the page displayed only the "available flights" subset. The client did the filtering; the server had already handed everything over.

"I just got access to more flights than the app is supposed to give me access to," he explained. He was then able to manipulate the AJAX calls to hold particular seats.

Hoffman said a client-side pricing attack was carried out in 1997 against CD Universe, in which a hacker bought CDs for one cent each for three months before the scam was discovered. Hoffman did the same thing with seat pricing on his demo app, pointing out that "I can tamper with variable values while they're being used in Web 2.0."

In Web 1.0, business logic such as pricing ran on the server. In AJAX applications it is pushed out to the client, the perimeter of the system. That hands attackers a blueprint of how the application works, and it lets them alter inputs and intermediate values before the server ever sees them.

Hackers Love Granular APIs
Hoffman calls it the "API Domino Effect." He uses Firebug to find the callback function and see what the server sends back, and each response points to the next call: holdSeat(flightID) leads to makeOffer(price,flightID), then to bookSeat(flightID) and finally to pay dirt, debitAccount(price).

From a security viewpoint, the APIs are too granular, with too much exposed on the client. Developers throw every function into one file and reference it from public parts of the Web site, so administrative calls ship alongside public ones. He showed a real-world example in which an exposed call let him inject SQL commands and retrieve passwords, and how an exposed administrative API let him reach SetPrivateData on the server when he was only supposed to be able to call GetPublicData.
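The two attacks above, the tampered price and the domino walk from holdSeat to debitAccount, have the same fix: keep the workflow state and the price on the server and make every step check what the previous one recorded. The following is an added example, not code from Hoffman's demo site; it uses the four function names from the talk but the flight data, session tokens, balances (in cents) and in-memory store are constructed for illustration.

```javascript
// Added example (not code from Hoffman's demo site): the booking flow from
// the talk, holdSeat -> makeOffer -> bookSeat -> debitAccount, rewritten so
// that it runs on the server and cannot be driven out of order or with a
// client-chosen price. Flight data, tokens and balances are constructed;
// all amounts are integer cents.

const FLIGHTS = {
  HV101: { seatsLeft: 3, minPrice: 25000 },   // constructed sample flight
  HV202: { seatsLeft: 0, minPrice: 18000 },   // constructed, sold out
};

// Server-side state keyed by session token. The client sends a token plus
// the arguments of the current step; it never sees or supplies this state.
const sessions = new Map();

function getSession(token) {
  if (!sessions.has(token)) {
    sessions.set(token, { holds: new Map(), balance: 100000 });
  }
  return sessions.get(token);
}

// The pattern the talk attacked: the client worked out the price and the
// server charged whatever number arrived. A tampered price of 1 cent is
// accepted as-is.
function debitAccountVulnerable(token, price) {
  const s = getSession(token);
  s.balance -= price;
  return { ok: true, balance: s.balance };
}

// Hardened version. Each step checks the server-side state left by the
// previous one, so calling a later function directly from Firebug fails.
function holdSeat(token, flightID) {
  const flight = FLIGHTS[flightID];
  if (!flight || flight.seatsLeft < 1) return { ok: false, error: 'no seat' };
  const s = getSession(token);
  if (s.holds.has(flightID)) return { ok: false, error: 'already held' };
  flight.seatsLeft -= 1;
  s.holds.set(flightID, { state: 'held', price: null });
  return { ok: true };
}

function makeOffer(token, price, flightID) {
  const hold = getSession(token).holds.get(flightID);
  if (!hold || hold.state !== 'held') return { ok: false, error: 'no hold' };
  // The only place a client-supplied number enters, and it is checked
  // against the server's floor for this flight, not the client's copy.
  if (!Number.isInteger(price) || price < FLIGHTS[flightID].minPrice) {
    return { ok: false, error: 'offer below minimum' };
  }
  hold.state = 'offered';
  hold.price = price;
  return { ok: true };
}

function bookSeat(token, flightID) {
  const hold = getSession(token).holds.get(flightID);
  if (!hold || hold.state !== 'offered') return { ok: false, error: 'no accepted offer' };
  hold.state = 'booked';
  return { ok: true, price: hold.price };
}

// No price parameter at all: the amount is the one recorded at makeOffer,
// and a hold can be charged only once, from the booked state.
function debitAccount(token, flightID) {
  const s = getSession(token);
  const hold = s.holds.get(flightID);
  if (!hold || hold.state !== 'booked') return { ok: false, error: 'nothing to charge' };
  if (s.balance < hold.price) return { ok: false, error: 'insufficient funds' };
  s.balance -= hold.price;
  hold.state = 'paid';
  return { ok: true, charged: hold.price, balance: s.balance };
}
```

With this layout the client-side JavaScript can still be read, edited and replayed in Firebug, but what it reveals is a sequence of calls whose ordering and amounts the server enforces; the attacker's "blueprint" no longer contains anything the server trusts.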

Obfuscation and Lazy Loading Won't Guard Code
Next Hoffman showed how hackers defeat the two common attempts at protecting client-side logic: obfuscation, which rewrites and renames code so that it is hard to read (it does not encrypt anything, and the browser must still be able to run it), and lazy loading, which defers fetching a script or initializing an object until it is needed, so the code is not present when the page is first inspected. He showed how easily some obfuscation can be undone with a JavaScript parser he had written. He did concede that Firebug can't debug dynamic code, including JSON responses, remote scripting and lazy loading. It's a matter of "view source" versus "view generated source." Consequently, you need a way to monitor the JavaScript environment at run time, not just the files it was loaded from.
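One way to get "view generated source" is to hook the points where run-time-built code enters the engine and record it before it executes. The following is an added example, not Hoffman's parser or any tool from the talk: it wraps eval() and the Function constructor, and the obfuscated loader and lazy loader it is run against are constructed here to stand in for the kind of code the talk targeted.

```javascript
// Added example (not Hoffman's parser): a "view generated source" hook.
// It replaces the two entry points through which run-time-built code
// reaches the engine, eval() and the Function constructor, and records the
// source text before it executes. The obfuscated loader and the lazy
// loader below are constructed to stand in for the packers the talk targeted.

const generatedSource = [];   // every string the page tried to execute

function installSourceMonitor(global = globalThis) {
  const realEval = global.eval;
  const RealFunction = global.Function;

  global.eval = function monitoredEval(src) {
    if (typeof src === 'string') generatedSource.push({ via: 'eval', src });
    return realEval(src);   // indirect eval: runs in global scope
  };

  function MonitoredFunction(...args) {
    // new Function(arg1, ..., body): the body is always the last argument
    const body = args.length ? String(args[args.length - 1]) : '';
    generatedSource.push({ via: 'Function', src: body });
    return RealFunction(...args);
  }
  MonitoredFunction.prototype = RealFunction.prototype;
  global.Function = MonitoredFunction;

  // returns a function that restores the originals
  return () => { global.eval = realEval; global.Function = RealFunction; };
}

// Constructed obfuscated loader: the real code exists only as a string
// assembled at run time from hex escapes and a reversed identifier, which
// is why "view source" shows nothing useful.
function obfuscatedLoader() {
  var _0x1 = ['\x66\x75\x6e\x63\x74\x69\x6f\x6e', 'ecirPtes', '(flightID, price)'];
  var _0x2 = '{ return { flightID: flightID, price: price / 100 }; }';
  var src = '(' + _0x1[0] + ' ' + _0x1[1].split('').reverse().join('') + _0x1[2] + _0x2 + ')';
  return eval(src);   // yields the setPrice function
}

// Constructed lazy loader: the hold function does not exist until first use.
function lazyLoadedHold() {
  return new Function('flightID', 'return "hold:" + flightID;');
}

// Readable dump of what was captured, for the analyst rather than the page.
function dumpGeneratedSource() {
  return generatedSource.map((e, i) => `[${i}] via ${e.via}:\n${e.src}`).join('\n');
}
```

Install the monitor before the page's scripts run, then read dumpGeneratedSource() after the obfuscated and lazy-loaded code has executed: the deobfuscated setPrice source and the lazily built hold function both appear in plain text. Two caveats for practitioners: code that reaches the original constructor through (function(){}).constructor, or that is loaded as a real script element or handled in an XMLHttpRequest callback, bypasses these two hooks and needs its own, so this is a monitoring aid for code you want to understand rather than a sandbox; and the hook changes direct eval into indirect eval, so a page that relies on eval seeing local variables will behave differently while the monitor is installed.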