23rd CCC Conference Abstract — The ability of modern browsers to use asynchronous requests introduces a new type of attack vectors. In particular, an attacker can inject client side code to totally subvert the communication flow between client and server. In fact, advanced features of Ajax framework build up a new transparent layer not controlled by the user. This paper will focus on security aspects of Ajax technology and on their influence upon privacy issues. Ajax is not only agroup of features for web developers: it's a new paradigm that allows leveraging the most refined client side attacks. Index Terms — Ajax Security, Universal Cross Site Scripting, Code Injection, Cache Poisoning, Prototype Hijacking, Auto Injecting Cross Domain Scripting I. INTRODUCTION Ajax[1] is an acronym for Asynchronous Javascript And XML. Ajax is not a new programming language, is an umbrella term which describes a group of features and enhancements to improve appearance and functionality of traditional web sites. Ajax relies on XMLHttpRequest[2], CSS, DOM and other technologies; the main characteristic of AJAX is its “asynchronous” nature, which makes possible to send and receive data from the server without having to refresh the page. Common Ajax implementations can be found in various languages and libraries like ActiveX, Flash and Java applet. This paper will focus on Javascript language, because is considered the formal standard in Web 2.0 application development. The large adoption of Javascript in Html code permits to create a transparent data exchange between client and server. Users then interact with standard Html objects controlled by classes and procedures interpreted by their browsers. Some examples of web applications that already use Ajax are GMail, GoogleMaps or Live.com. II. HOW AJAX...
Website: events.ccc.de | Filesize: 603kb
No of Page(s): 8
Download Subverting Ajax for Fun and Profit.pdf
No comments:
Post a Comment