Hacking Web 2.0 Applications with Firefox
- By Matt Stephens
- October 19, 2006
I foresee many readers sputtering into their morning coffee when I make the following statement, but here goes: One of the great benefits of AJAX is that a large proportion of the application logic is moved onto the client. Round-tripping between the server and the browser client is reduced, and the client can perform “sanity-checking” validation tasks without even touching the server.
So why the coffee sputtering? The security concerns raised by this “great trend” are many. If the same validation checks aren’t repeated on the server, then it becomes possible to “hack” the client (it’s only a web page after all, albeit a very clever web page) to send any old data back to the server, where the aberrant data will be accepted into the system without so much as a raised eyebrow.
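To make the point concrete, here is an added example (not code from the original post) contrasting a server handler that trusts whatever the browser sends with one that repeats the client's check. The function names (validateQuantity, clientSubmit, handleOrderTrusting, handleOrderChecked, demo) and the forged request body are hypothetical, constructed for illustration.

```javascript
// Added example (not from the original post): one validation rule applied on
// the client for responsiveness AND re-applied on the server, so a request
// forged outside the browser cannot slip past it. All names are hypothetical.

// The single validation rule, usable on both sides.
function validateQuantity(value) {
  if (typeof value !== "string" && typeof value !== "number") {
    return { ok: false, reason: "wrong type" };
  }
  const qty = Number(value);
  if (!Number.isInteger(qty)) return { ok: false, reason: "not an integer" };
  if (qty < 1 || qty > 100) return { ok: false, reason: "out of range 1..100" };
  return { ok: true, value: qty };
}

// Client side: runs in the browser before the XMLHttpRequest is sent.
// It saves a round trip; it is NOT a security control, since the page
// and the request are both under the user's control.
function clientSubmit(formValue, send) {
  const check = validateQuantity(formValue);
  if (!check.ok) return { sent: false, reason: check.reason };
  send({ quantity: check.value });
  return { sent: true };
}

// Server side, trusting the browser: whatever arrives is stored.
// Anyone who edits the page or replays the request bypasses the check.
function handleOrderTrusting(body, store) {
  store.push(body.quantity);
  return { status: 200 };
}

// Server side, hardened: the same rule is repeated on the raw request body.
function handleOrderChecked(body, store) {
  const check = validateQuantity(body.quantity);
  if (!check.ok) return { status: 400, error: check.reason };
  store.push(check.value);
  return { status: 200 };
}

// Demonstration: a constructed request built outside the form, carrying a
// value the client-side check would never have let through.
function demo() {
  const forged = { quantity: "-5" };
  const trusting = [], checked = [];
  const r1 = handleOrderTrusting(forged, trusting);
  const r2 = handleOrderChecked(forged, checked);
  return { trustingStatus: r1.status, trustingStored: trusting.length,
           checkedStatus: r2.status, checkedStored: checked.length };
}
```

The trusting handler returns 200 and stores "-5"; the checked handler returns 400 and stores nothing, which is the behaviour the server must have regardless of what the page's JavaScript does.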
In fact, all sorts of network data can be hacked: query parameters that are going to be applied to a database query are subject to an SQL injection attack (note that SQL injection attacks affect “boring” Web 1.0 webapps just as much as their shiny 2.0 successors). Web pages that import JavaScript libraries may be exposing more application logic to the browser than they need to: so the wily user could discover all sorts of snippets of information about the application, just by browsing the JavaScript files that have been so kindly handed to them.
Already, worms such as Yamanner, Samy and Spaceflash are exploiting “client-side” AJAX frameworks. Basically, if anything ventures outside your server, it can be rewritten, snooped, hacked and so on.
As I mentioned a few days ago, an excellent AJAX debugging tool is the Firebug plug-in for Firefox. This article on SecurityFocus.com illustrates step-by-step how to debug web applications from a security standpoint, using Firebug, and how to automate simulated web browsing using another Firefox plug-in, Chickenfoot.
By being aware of the potential security threats looming over Web 2.0 apps, you can create dynamic/asynchronous web pages that are as “bulletproof” as it’s possible to be given the inherent insecurity of web-based applications.