Ruby on Rails, Io, Lisp, JavaScript, Dynamic Languages, Prototype-based programming and more...

Technoblog reader special: $10 off web hosting by FatCow!

Thursday, June 08, 2006

A JavaScript Based Firewall-Immobilizing Port Scanner

I finally found a totally unacceptable cross-domain Ajax security issue.

After the hotly debated Debunking Strong Misconceptions About Cross-Domain Ajax Security Issues, most current known security issues concerning cross-domain Ajax were explored and found wanting. All but one edge case of cross-domain Ajax that affects corporations with corporate secrets on intranets. I stand by most of my arguments and believe that many web developers still greatly mis-understand the fundamental principals behind Ajax.

However, I was wrong. Very very wrong. There is something you can do with cross-domain Ajax that is deeply and fundamentally insecure. Something nobody could argue against. I was chatting with my friend Dave Fayram (whom I have started doing a podcast with) when we came across a security issue that would affect every single person who has a cross-domain Ajax enabled browser, not just the corporate intranets.

If you are on a Mac, download safariexploit.html as a file onto your hard drive. Now open it up with Safari and prepared to be scared.

Using the fact that the file:/// protocol in Safari allows you to do cross-domain Ajax as much as you like, you can experiment with the potential security concerns of cross-domain Ajax. I was able to build was a JavaScript based Firewall-Immobilizing Port Scanner in 50 lines of JavaScript. Luckily Safari does not allow cross-domain Ajax from the http:// protocol so this is not something that can be taken advantage of throughout the internet (there is no need to switch away from Safari because of this).

What the port scanner is able to do is explore not only your localhost, but your surrounding network. It can look at the and ranges (as well as any other you specify). It can look at any port you want on any computer you want as long as the local machine can access it. It can even report what version SSH server and web server you are running on all of those computers. It works all in the background without your knowledge while simply viewing a page. At the end of the port scan it posts this data in a public forum that anyone can access.

Nobody can argue that this isn't a Very Bad Thing. Without a white-listing crossdomain.xml file that explicitly lists other sites that are allowed to do cross-domain Ajax communication (an idea that I whole-heartedly believe would change the landscape of the web for the better without the aforementioned otherwise insurmountable security problems), cross-domain Ajax is clearly and fundamentally a very big risk that should remain unimplemented like it stands today.

Many of you might laugh at this conclusion since I was so brazen in my previous post, but if someone would have given me an example half as clear as the one provided here as to why cross-domain Ajax brings up serious security concerns, I would have never had to write that post. The post was intended to straighten out false claims and try to beat out any true claims. As shown by this revelation, I succeeded. The truth remains that many people are and will remain to be confused as to why cross-domain Ajax is a bad idea. They don't understand that the grand majority of the concerns they might have already exist today in many alternative forms. Even those who understood the real security concerns introduced by cross-domain Ajax were not able to give me a clear and penetrating example.

I am currently developing some very interesting applications using a hack that imitates cross-domain Ajax (without any of the security concerns mentioned here). This is why I wanted to explore in detail the security issues surrounding the technology. Google was unable to shed much light because people were not having enlightening conversations, so I am very thankful to all of you who commented on the previous post. I am glad there is now a permanently recorded insightful conversation for a relatively misunderstood topic.

If anyone from IE, Firefox, or Apple is listening, please please please integrate the use of crossdomain.xml policy file and allow us developers some secure cross-domain freedom. The web is missing out on a lot of innovative applications and too many people are creating ugly hacks to get around it.

You should follow me on twitter here.

Technoblog reader special: click here to get $10 off web hosting by FatCow!


Anonymous Anonymous said...

"If you are on a Mac, download safariexploit.html as a file onto your hard drive. Now open it up with Safari and prepared to be scared."

It would be nice if you included a link to the file :-)

11:40 PM, September 18, 2006

Blogger Web app security info said...

You mean the file you open is stored on the disk? Or is it served from a http link?

4:35 AM, September 27, 2006

Anonymous Small Business Web Hosting said...

Ajax has an unprecedented number of major security flaws. Which is why I wonder why google is pusing it soo hard.

6:28 AM, October 01, 2006

Anonymous Ivan said...

having the local network scanned that way sounds scary, but again, how much exactly can outside attacker do knowing eg. that my machine has old insecure ssh server? If router is configured properly, not much..

There's a number of security issues with cross-domain ajax, but IMHO most of them are related to exploiting poorly written server-side solutions. And you can't blame a technology for people being stupid..

5:11 AM, October 02, 2006

Blogger rickdog said...

What I'd like to see is a service that allows bloggers to grab XML as a javascript string (JSON) and inject that into a script element. The client app can then load it into a DOMDocument. Then client-based apps can have some cross-domain RPC capabilities.

The service would be very simple, like:


and return an escaped string:

xmlString="<?xml version="1.0" encoding="UTF-8"?><rdf:RDF ...></rdf:RDF>";

Then I can do something like this:
<script id="myXML" src="http://convertXML2String.com?url=http://del.icio.us/rss/rickdog">
var parser = new DOMParser(); // gecko only
var doc = parser.parseFromString(xmlString, "text/xml");

12:00 AM, October 03, 2006

Anonymous Anonymous said...

Did you mean you loaded the file from your local disk? You should feel lucky that it didn't wipe out your hard drive. Didn't safari give you a warning or something?

1:12 PM, October 10, 2006

Anonymous Anonymous said...

goto http://www.gmail.com for free mail

6:03 PM, July 21, 2007

Blogger Raybeam said...

I don't really understand how this has anything to do with AJAX. You're talking about running a .html/js file from your local drive. IE has Scripting.FileSystemObject and Firefox has Components.interfaces.nsIFileInputStream / nsIFileOutputStream.
Both will allow you to wipe out your whole hard drive.

4:56 AM, July 13, 2008

Blogger lina123 Chen said...

coach outlet store online
cheap oakley sunglasses
burberry sale
coach outlet
abercrombie fitch
ray ban uk
michael kors outlet online
kids lebron shoes
lv outlet
true religion sale
louis vuitton outlet
cheap ran bans
tory burch outlet
abercrombie and fitch
hollister clothing
ghd straighteners
air max 90
fendi handbags
michael kors outlet
jordan 11 columbia
louis vuitton outlet
louis vuitton outlet
cheap jerseys
gucci belt
coach factory outlet
louis vuitton outlet
ralph lauren uk
hermes birkin
michael kors outlet online
true religion sale
louis vuitton
tod's outlet
kobe bryant shoes
pandora bracelets
michael kors outlet
michael kors outlet online
jordan 4 toro
michael kors

6:19 PM, June 25, 2015

Blogger Nesma Ali said...

شركة تنظيف منازل بعنيزة
شركة تنظيف منازل ببريدة
شركة تنظيف منازل بالمذنب
شركة تنظيف منازل بعفيف
شركة تنظيف منازل بالغاط
شركة تنظيف منازل بثادق
شركة تنظيف منازل بالدوادمى
شركة تنظيف منازل بالمزاحمية
شركة تنظيف منازل بالقويعية
شركة تنظيف منازل بوادي الدواسر
شركة تنظيف منازل بالدلم
شركة تنظيف منازل برماح
شركة تنظيف منازل بالأفلاج
شركة تنظيف منازل بحريملاء
شركة تنظيف منازل بالزلفي
شركة تنظيف منازل بضرما
شركة تنظيف منازل بشقراء
شركة تنظيف منازل بالسليل
شركة تنظيف منازل بالقصيم
شركة تنظيف منازل بحوطة بني تميم
شركة تنظيف منازل بالحريق
شركة تنظيف منازل بالمجمعة
شركة تنظيف منازل بمرات
شركة تنظيف منازل بالرس
شركة تنظيف منازل بالرس

1:26 AM, September 02, 2015

Blogger Da Shuai Guo said...

fred perry polo shirts, http://www.fredperrypoloshirts.com/
air jordan 13, http://www.airjordan13s.com/
gucci,borse gucci,gucci sito ufficiale,gucci outlet
mbt shoes, http://www.mbtshoesoutlet.us.com/
calvin klein underwear, http://www.calvinklein.in.net/
yoga pants, http://www.yogapants.us.com/
cheap nike shoes, http://www.cheap-nikeshoes.cc/
tiffany and co, http://www.tiffany-outlet.us.com/
soccer jerseys, http://www.cheapsoccerjersey.net/
indianapolis colts jerseys, http://www.indianapoliscoltsjersey.us/
nike huarache, http://www.nike-airhuarache.co.uk/
ray ban uk, http://www.raybansunglass.co.uk/
louis vuitton outlet online, http://www.louisvuittonus.us.com/
ghd uk, http://www.ghdhairstraightenerssale.co.uk/
san antonio spurs, http://www.sanantoniospursjersey.com/
true religion jeans outlet, http://www.truereligionjeansoutlets.us.com/
toms shoes, http://www.toms.us.com/
north face outlet, http://www.thenorthfaces.org.uk/
cheap jordan shoes, http://www.cheapjordanshoes.in.net/
iphone cases, http://www.iphonecase.name/
true religion jeans, http://www.truereligionjeansoutlet.com/
ray ban sunglasses, http://www.raybansunglass.us.com/
coach outlet online, http://www.coachoutletonline.in.net/
nike air foamposite one,foamposite,foamposites,foamposite release 2015,foamposite sneakers,foamposites for sale,foamposite gold
louis vuitton,borse louis vuitton,louis vuitton sito ufficiale,louis vuitton outlet

1:10 AM, September 15, 2015

Blogger Minko Chen said...

michael kors outlet
barbour jackets
tiffany and co
ed hardy clothing
miami dolphins
toms outlet store
coach handbags outlet
true religion outlet
nfl jerseys
snapbacks wholesale
true religion outlet
pittsburgh steelers
oakley sunglasses wholesale
cyber monday deals
mac cosmetics
canada goose outelt
canada goose jackets
abercrombie and fitch
michael kors outlet
michael kors factory online

9:05 PM, November 13, 2015


Post a Comment

Subscribe to Post Comments [Atom]

<< Home


If you like this blog, you might also like top photography schools.