Manage Learn to apply best practices and optimize your operations.

Find Ajax security flaws using tests

Ajax security problems can be found by doing manual tests. What should you look for in order to prevent an attack? Andres Andreu provides some advice in this tip excerpted from the book Professional Pen Testing for Web Applications.

This article is an excerpt from the book Professional Pen Testing for Web Applications published by Wiley Publishing.

Client-side active content constitutes Ajax, JavaScript, RSS technology and ActiveX. Each one of them needs to subjectively be addressed in your work. There are no formulas, and when you see the upcoming example you should get an idea of what the manual process is like.

Ajax technology can be coupled with cross-site scripting (XSS) attacks in order to test. You saw some of this in Chapter 4 where an XSS attack could be injected into the client side of Ajax. Once again your creativity will reign supreme; treat client-side Ajax as a standard client to some server. Some things to try out against targets using Ajax are as follows:

  • Transmit non-UTF-8 encoded data
  • XML-based attacks (if the objects are not serialized directly)
  • Alter state via the use of GET requests

You will need to analyze the Ajax usage in your target due to the fact that there really are three different methods available to return data through the XMLHTTPRequest method:

  • Clear text
  • XML
  • JavaScript variables

After all is said and done, any of these methods will require some analysis in order to effectively design an attack pattern. For instance, when Ajax utilizes XML, all of the XML data you have gathered from this book is relevant. Moreover, Chapter 8 covers XPATH and other types of attacks that are also applicable in this realm of Ajax. But if the data is being serialized natively in the JavaScript, the attack pattern would be totally different.

Start training your eyes for analyzing client-side JavaScript. Take this snippet, for example:

var mydoc = null
if (typeof window.ActiveXObject != 'undefined' ) {
   mydoc = new ActiveXObject("Microsoft.XMLHTTP");
} else {
   mydoc = new XMLHttpRequest();

Code like this is a dead giveaway that Ajax is in use. Beyond that you would watch transmissions and you should only see GET and POST requests because they are the only ones supported by the request object. As final Ajax notes, keep in mind that Ajax does support the use of HTML forms and the request object (based on the fact that it uses HTTP as the transport protocol) can be stretched to even support technologies like SOAP and WebDAV.

You just saw one example of ActiveX technology; Microsoft uses ActiveX in its support of Ajax technology. The points to look out for with ActiveX testing are the HTML object tag and potentially its related classid value. Here is an example snippet:

<object id='some_ID' classid='clsid:F395DC15-1CF0-55U0-

ActiveX technology is very intrusive and can take actions on an end-user's local Windows-based system. Your job is really to see if your target's ActiveX work (if they have any) is harmful or can be tampered with.

Pen testing tools & techniques
Learn more about attack simulation tools and techniques for Web applications in Chapter 6 of Professional Pen Testing for Web Applications, a free excerpt provided by Wiley Publishing.

RSS and Atom
You have to approach these technologies from both fronts. If your target is consuming any feeds you must test this as the client, for instance looking for specific embedded tagged data that will be processed by the aggregator in your target. In particular look out for these:

  • script
  • object
  • embed
  • iframe
  • frame
  • frameset
  • style
  • link
  • meta

As the provider of some feed your target needs to be checked for security measures that will not allow it to become the conduit of attack for some aggregators utilizing it. Or if your target is a corporation whose business depends on reputation, for instance, you need to ensure they are not victims of disinformation techniques such as RSS hijacking.

For further information, take a look at

About the author: Andres Andreu, CISSP-ISSAP, GSEC operates neuroFuzz Application Security LLC and has a strong background with the U.S. government. Andreu specializes in software, application and Web services security, working with XML security, TCP and HTTP(S) level proxying technology, and strong encryption. Other articles he's written include "Using LDAP to solve one company's problem of uncontrolled user data and passwords" and "Salted Hashes Demystified."

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.