This article is an excerpt from the book Professional Pen Testing for Web Applications published by Wiley Publishing.
Client-side active content constitutes Ajax, JavaScript, RSS technology and
Requires Free Membership to View
When you register, you'll receive targeted emails designed to keep you informed of the most relevant information on Agile development, application security, testing & QA, software requirements, and more.
Hannah Smalltree, Editorial Director
ActiveX. Each one of them needs to subjectively be addressed in your work. There are no formulas, and when you see the upcoming example you should get an idea of what the manual process is like.
Ajax
Ajax technology can be coupled with cross-site scripting (XSS) attacks in order to test. You saw some of this in Chapter 4 where an XSS attack could be injected into the client side of Ajax. Once again your creativity will reign supreme; treat client-side Ajax as a standard client to some server. Some things to try out against targets using Ajax are as follows:
- Transmit non-UTF-8 encoded data
- XML-based attacks (if the objects are not serialized directly)
- Alter state via the use of GET requests
You will need to analyze the Ajax usage in your target due to the fact that there really are three different methods available to return data through the XMLHTTPRequest method:
- Clear text
- XML
- JavaScript variables
After all is said and done, any of these methods will require some analysis in order to effectively design an attack pattern. For instance, when Ajax utilizes XML, all of the XML data you have gathered from this book is relevant. Moreover, Chapter 8 covers XPATH and other types of attacks that are also applicable in this realm of Ajax. But if the data is being serialized natively in the JavaScript, the attack pattern would be totally different.
Start training your eyes for analyzing client-side JavaScript. Take this snippet, for example:
var mydoc = null
if (typeof window.ActiveXObject != 'undefined' ) {
mydoc = new ActiveXObject("Microsoft.XMLHTTP");
...
} else {
mydoc = new XMLHttpRequest();
...
}
Code like this is a dead giveaway that Ajax is in use. Beyond that you would watch transmissions and you should only see GET and POST requests because they are the only ones supported by the request object. As final Ajax notes, keep in mind that Ajax does support the use of HTML forms and the request object (based on the fact that it uses HTTP as the transport protocol) can be stretched to even support technologies like SOAP and WebDAV.
ActiveX
You just saw one example of ActiveX technology; Microsoft uses ActiveX in its support of Ajax technology. The points to look out for with ActiveX testing are the HTML object tag and potentially its related classid value. Here is an example snippet:
<head> <title>ActiveX</title> <object id='some_ID' classid='clsid:F395DC15-1CF0-55U0- CBA9-00C04GH58A0B'></object>> <script> ...
ActiveX technology is very intrusive and can take actions on an end-user's local Windows-based system. Your job is really to see if your target's ActiveX work (if they have any) is harmful or can be tampered with.
 |
||||
|
|
|||
|
||||
RSS and Atom
You have to approach these technologies from both fronts. If your target is consuming any feeds you must test this as the client, for instance looking for specific embedded tagged data that will be processed by the aggregator in your target. In particular look out for these:
- script
- object
- embed
- iframe
- frame
- frameset
- style
- link
- meta
As the provider of some feed your target needs to be checked for security measures that will not allow it to become the conduit of attack for some aggregators utilizing it. Or if your target is a corporation whose business depends on reputation, for instance, you need to ensure they are not victims of disinformation techniques such as RSS hijacking.
For further information, take a look at http://secunia.com/advisories/16942/.
-------------------------------
About the author: Andres Andreu, CISSP-ISSAP, GSEC operates neuroFuzz Application Security LLC and has a strong background with the U.S. government. Andreu specializes in software, application and Web services security, working with XML security, TCP and HTTP(S) level proxying technology, and strong encryption. Other articles he's written include "Using LDAP to solve one company's problem of uncontrolled user data and passwords" and "Salted Hashes Demystified."
This was first published in August 2006