The story is, a myspace user named samy wanted to be popular. He wanted to make his page do things that others couldn't and in the process devised a cross-site scripting (XSS) attack that managed to add his profile to more than a million other users of the system. To do this he used a combination of AJAX and JavaScript.
It is not the intention to make samy even more famous, but he has exposed a serious weakness in the AJAX security model. All samy did was figure out how to upload some JavaScript into his profile, and this was despite myspace's best efforts to limit this type of activity.
With respect to security, the web is already a hostile environment. Will a move to use AJAX and JavaScript further enlarge the security holes that already exist? Could myspace have done more to prevent this type of attack and still afford their users the flexibility to manage their pages as they do now?
Editor's Note: It is not clear that samy is a real person. The .la domain belongs to the Lao People's Democratic Republic, and the instructions in the posting use "we" and not "I", suggesting more than one person was involved.
But most of all samy is my hero (35 messages)
- Posted by: Kirk Pepperdine
- Posted on: October 20 2005 04:36 EDT
Threaded Messages (35)
- But most of all samy is my hero by Victor C. on October 20 2005 06:28 EDT
- But most of all samy is my hero by Reg Whitton on October 20 2005 08:17 EDT
- Trust with care by Jonas Andersen on October 20 2005 08:40 EDT
- Trust with care by Reg Whitton on October 20 2005 10:41 EDT
- But most of all samy is my hero by Preston Sheldon on October 20 2005 10:18 EDT
- But most of all samy is my hero by Reg Whitton on October 20 2005 10:25 EDT
- <object security...> by Dan Greening on October 20 2005 11:30 EDT
- not with XHTML by Jerome Lacoste on October 20 2005 11:30 EDT
- You didn't get it by Alexandre Poitras on October 20 2005 06:49 EDT
- I didn't get it.... by Alexandre Poitras on October 20 2005 07:03 EDT
- But most of all samy is my hero by Reg Whitton on October 21 2005 02:40 EDT
- Wouldn't this work to prevent such attacks? by Jonas Klemming on October 20 2005 05:27 EDT
- Wouldn't this work to prevent such attacks? by Frank Bolander on October 20 2005 06:07 EDT
- Why we need HTML for real RiA by Henrik Pettersen on October 20 2005 12:59 EDT
- Why we need HTML for real RiA by Jeff Dill on October 20 2005 02:27 EDT
- Why we need HTML for real RiA by David Wolf on October 21 2005 12:47 EDT
- Why we need HTML for real RiA by Jeff Dill on October 21 2005 07:26 EDT
- Why we need HTML for real RiA by Victor C. on October 22 2005 06:36 EDT
- Why we need HTML for real RiA by David Wolf on October 22 2005 10:53 EDT
- Why we need HTML for real RiA by Henrik Pettersen on October 24 2005 01:41 EDT
- Why we need HTML for real RiA by Jeff Dill on October 24 2005 06:19 EDT
- Why we need HTML for real RiA by Erik Gulliksen on October 25 2005 11:23 EDT
- But most of all samy is my hero by Claude Hussenet on October 20 2005 15:34 EDT
- But most of all samy is my hero by Victor C. on October 20 2005 04:11 EDT
- But most of all samy is my hero by Michael Dowling on October 20 2005 17:24 EDT
- But most of all samy is my hero by Ed Burns on October 21 2005 11:29 EDT
- But most of all samy is my hero by Victor C. on October 21 2005 05:10 EDT
- combination of AJAX and Javascript? by Jeff Robertson on October 20 2005 07:38 EDT
- But most of all samy is my hero by bob farmer on October 20 2005 10:22 EDT
- But most of all samy is my hero by Dennis Bekkering on October 20 2005 10:45 EDT
- But most of all samy is my hero by Jacob Hookom on October 20 2005 10:50 EDT
- Editors Note / South Park by Peter Armstrong on October 20 2005 14:12 EDT
- AJAX security by Jeff Dill on October 20 2005 14:12 EDT
- TCP/IP is not secure, what else is new? by Jack Russel on October 20 2005 18:49 EDT
- Don't blame the browser by Jochen Bedersdorfer on October 21 2005 05:21 EDT
But most of all samy is my hero
- Posted by: Victor C.
- Posted on: October 20 2005 06:28 EDT
- in response to Kirk Pepperdine
Ajax is not secure, not maintainable, etc. It does not add anything new.
Just a fad, no worries.
Maybe try Flash... or JDNC for real RiA / Web 2.0.
.V
http://roomity.com has latest tech news - RiA, non-Ajax.
But most of all samy is my hero
- Posted by: Reg Whitton
- Posted on: October 20 2005 08:17 EDT
- in response to Victor C.
If you are going to allow users to post their own HTML content which you later render in other people's browsers, then you are open to this kind of exploit, whether you think it is a fad or not.
I think it would be good if some of our browser vendors helped us out here and allowed us to disable JavaScript on portions of the page. Something like:
<DIV SECURITY="scripting=no,images=yes" >
</DIV>
Trust with care
- Posted by: Jonas Andersen
- Posted on: October 20 2005 08:40 EDT
- in response to Reg Whitton
Something like:<DIV SECURITY="scripting=no,images=yes" ></DIV>
In the server, never-ever blindly trust what is submitted. In the same sense, I would not trust my browser security with some tag which would be created from the server. Would you trust a server to simply disable the Applet sandbox security with a simple tag? At least today you need to sign the applet and the user is warned.
If you need to trust data submitted to your system, verify it on the server. If you need to trust data retrieved on the client side, protect yourself with appropriate browser settings.
Trust with care
- Posted by: Reg Whitton
- Posted on: October 20 2005 10:41 EDT
- in response to Jonas Andersen
I would not trust my browser security with some tag which would be created from the server. ... If you need to trust data submitted to your system, verify it on the server. If you need to trust data retrieved on the client side, protect yourself with appropriate browser settings.
I quite agree that the server must protect itself, but in the situation above it is also protecting the other users. If your page relies on Javascript and also renders content from untrusted sources like a web mail application, then it is not an option to tell your users to adjust their browser settings.
Anyway, it's a bit of a moot point given Preston's post.
I wonder if there is a way to use JavaScript to strip the JavaScript from DOM objects? :-)
But most of all samy is my hero
- Posted by: Preston Sheldon
- Posted on: October 20 2005 10:18 EDT
- in response to Reg Whitton
And then all Samy would have to do was start his post with a closing </DIV> tag and end it with a new <DIV SECURITY=...> tag and voilà, his code is outside of these tags.
But most of all samy is my hero
- Posted by: Reg Whitton
- Posted on: October 20 2005 10:25 EDT
- in response to Preston Sheldon
Good point. You got me there.
<object security...>
- Posted by: Dan Greening
- Posted on: October 20 2005 11:30 EDT
- in response to Preston Sheldon
Preston said... And then all Samy would have to do was start his post with a closing </DIV> tag and end it with a new <DIV SECURITY=...> tag and voilà, his code is outside of these tags.
OK, so use <object type="text/html" security=...> tag instead. But of course, there's a lot of legacy out there in browsers, making any after-distribution security improvements questionable anyway.
not with XHTML
- Posted by: Jerome Lacoste
- Posted on: October 20 2005 11:30 EDT
- in response to Preston Sheldon
<div SECURITY="">
paste content here
</div>
if the pasted content is valid XHTML, it cannot start with a close tag.
You didn't get it
- Posted by: Alexandre Poitras
- Posted on: October 20 2005 18:49 EDT
- in response to Jerome Lacoste
<div SECURITY=""> paste content here</div>if the pasted content is valid XHTML, it cannot start with a close tag.
Sorry, but I think you did not understand Preston's point.
I'll try to clarify it (I hope). Let's say the web site wraps the content specified by the user with <DIV security="..."></DIV>.
So you got
<DIV security="...">
Samy's Content
</DIV>
And now Sammy decides to post this content
</DIV>
Javascript
<DIV security="...">
You end up with :
<DIV security="...">
</DIV>
Javascript
<DIV security="...">
</DIV>
And the script will run without any problem. I hope I was clear enough.
I didn't get it....
- Posted by: Alexandre Poitras
- Posted on: October 20 2005 19:03 EDT
- in response to Alexandre Poitras
Whoops, I just found I had read your post too fast. You were speaking only about the posted content. Sorry, my mistake.
But most of all samy is my hero
- Posted by: Reg Whitton
- Posted on: October 21 2005 02:40 EDT
- in response to Preston Sheldon
And then all Samy would have to do was start his post with a closing </DIV> tag and end it with a new <DIV SECURITY=...> tag and viola, his code is outside of these tags.
What if we were able to disable JavaScript within a frame?
Wouldn't this work to prevent such attacks?
- Posted by: Jonas Klemming
- Posted on: October 20 2005 17:27 EDT
- in response to Reg Whitton
Can't you just invent your own markup for your site users to use and only translate those entities to HTML when rendering the page?
That way any illegal script would just be rendered in plain text.
Like [b] would become <b> etc
Wouldn't this work to prevent such attacks?
- Posted by: Frank Bolander
- Posted on: October 20 2005 18:07 EDT
- in response to Jonas Klemming
Can't you just invent your own markup for your site users to use and only translate those entities to HTML when rendering the page?
That way any illegal script would just be rendered in plain text.
Like [b] would become <b> etc
phpBB has a custom markup called BBCode that sounds like what you're looking for:
http://www.phpbb.com/phpBB/faq.php?mode=bbcode#0
Don't know if it would work because PHPBB is notorious for XSS attacks. (Unfortunately I know about this first hand)
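A worked version of the idea in the two posts above (Jonas's own markup that is translated to HTML at render time, with Frank's caveat that the translator itself is where the XSS bugs tend to live), added here as an example; it is not code from the thread and not phpBB's BBCode implementation. The order of operations is the whole point: the input is HTML-escaped first, so whatever the user typed is inert text, and only then are a handful of known [tags] replaced by fixed HTML strings. A [url=...] value is the one place user data reaches an attribute, so it is accepted only with an explicit http/https/mailto scheme after tab, newline and other control characters are removed (browsers drop those inside a URL, so "java\tscript:" must be treated as "javascript:"). The tag set and the sample inputs are assumptions for illustration.

```javascript
// Added example (not from the thread, not phpBB's code): a BBCode-style
// translator that escapes the whole input before translating a fixed tag set.
// Tag set and sample inputs are assumptions for illustration.

// Each allowed [tag] maps to a fixed open/close HTML pair; nothing from the
// user's input is ever copied into a tag or attribute name.
const TAGS = {
  b: ['<b>', '</b>'],
  i: ['<i>', '</i>'],
  u: ['<u>', '</u>'],
  quote: ['<blockquote>', '</blockquote>'],
  code: ['<pre>', '</pre>'],
};

// Step 1 helper: turn every HTML metacharacter into an entity so that any
// <script>, <div> or on* attribute the user typed is just inert text.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// A [url=...] value becomes an href, so it needs a scheme check on top of
// escaping. Browsers drop tab/newline characters inside a URL and strip
// leading control characters, so remove all of them before testing the
// scheme, and accept only an explicit allowlist of schemes.
function safeUrl(value) {
  const cleaned = value.replace(/[\x00-\x20]/g, '');
  return /^(https?:|mailto:)/i.test(cleaned) ? cleaned : null;
}

function closeTag(name) {
  return name === 'url' ? '</a>' : TAGS[name][1];
}

// Translate BBCode to HTML. Unknown tags, stray closing tags and rejected
// URLs are left as literal (already escaped) text rather than guessed at.
function bbcodeToHtml(src) {
  const text = escapeHtml(src);          // step 1: everything is inert text
  const TOKEN = /\[(\/?)([a-z]+)(?:=([^\]]*))?\]/gi;
  const out = [];
  const open = [];                       // stack of open tags, keeps output balanced
  let last = 0;
  let m;
  while ((m = TOKEN.exec(text)) !== null) {
    out.push(text.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (closing) {
      const idx = open.lastIndexOf(name);
      if (idx === -1) { out.push(m[0]); continue; }            // stray close: literal
      while (open.length > idx) out.push(closeTag(open.pop())); // closes nested tags too
    } else if (name === 'url') {
      const href = safeUrl(m[3] || '');
      if (href === null) { out.push(m[0]); continue; }        // javascript: etc. rejected
      out.push(`<a href="${href}" rel="nofollow">`);
      open.push('url');
    } else if (Object.prototype.hasOwnProperty.call(TAGS, name)) {
      out.push(TAGS[name][0]);
      open.push(name);
    } else {
      out.push(m[0]);                                          // unknown tag: literal
    }
  }
  out.push(text.slice(last));
  while (open.length) out.push(closeTag(open.pop()));          // close what the user left open
  return out.join('');
}

// Constructed sample inputs: a harmless post and two injection attempts.
console.log(bbcodeToHtml('[b]hi[/b] <script>alert(1)</script>'));
console.log(bbcodeToHtml('[url=javascript:alert(1)]click[/url]'));
console.log(bbcodeToHtml('[url=http://example.com/?a=1&b=2]site[/url]'));
```

Note that the translator never has to recognise "bad" HTML, which is what makes it easier to get right than a filter that tries to strip script from raw HTML: there is no raw HTML left after step 1, and every tag the output contains was written by the site, not the user. The price is that users get only the markup you chose to support.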
Why we need HTML for real RiA
- Posted by: Henrik Pettersen
- Posted on: October 20 2005 12:59 EDT
- in response to Victor C.
Why Flash and JDNC will never take over the world:
http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
Why we need HTML for real RiA
- Posted by: Jeff Dill
- Posted on: October 20 2005 14:27 EDT
- in response to Henrik Pettersen
How about just: HTML/JavaScript are open, global standards, and the renderer/VM are already installed on every client system in the world.
That is the whole point of moving rich applications to the browser. Internet, extranet, and even most intranet applications simply cannot install software on the client. A minority of clients have a recent flash player. Even fewer have a JVM. But everyone has a web browser.
Go AJAX. :)
Jeff Dill
www.smartclient.com
Why we need HTML for real RiA
- Posted by: David Wolf
- Posted on: October 21 2005 00:47 EDT
- in response to Jeff Dill
A minority of clients have a recent flash player. Even fewer have a JVM.
Far from true. I think you will find from several independent third party analyses that extremely recent flash players have a penetration well over 90%.
Dave Wolf
Cynergy Systems
Why we need HTML for real RiA
- Posted by: Jeff Dill
- Posted on: October 21 2005 19:26 EDT
- in response to David Wolf
I think you will find from several independent third party analyses that extremely recent flash players have a penetration well over 90%.
Do you have any references?
I would be surprised to see a solid independent study that puts flash 7 penetration above 60% on business desktops. Considering the typical desktop upgrade cycle, disabled ActiveX environments, and ad blocking, the chances of having a recent enabled version of flash are not so great.
Jeff
Why we need HTML for real RiA
- Posted by: Victor C.
- Posted on: October 22 2005 06:36 EDT
- in response to Jeff Dill
I think you will find from several independant third party analysis that extreemly recent flash players have a penetration well over 90%.
Do you have any references?
http://www.macromedia.com/software/player_census/flashplayer/version_penetration.html
.V
Why we need HTML for real RiA
- Posted by: David Wolf
- Posted on: October 22 2005 10:53 EDT
- in response to Jeff Dill
Do you have any references? I would be surprised to see a solid independent study that puts flash 7 penetration above 60% on business desktops.
There are tons of them. And it's *way* above 60%. Especially when you're only wanting a comparison with player 7, which is old.
http://www.macromedia.com/software/player_census/flashplayer/version_penetration.html
Do note that although this link is from MACR, the statistics come from a third party and their methodology is listed there. Note that this report shows penetration at over 97% for player 7, and that was last year.
http://www.streamingmedia.com/article.asp?id=8757&page=3&c=31
http://www.swissclue.com/flash.html
And so on.
It's *well* over 60% and realistically closer to 97%. I did once see a specific reference to corporate desktops and it's now also well over 90% there. Also note the new builds of Windows include the player out of the box.
I'd call it ubiquitous.
Why we need HTML for real RiA
- Posted by: Henrik Pettersen
- Posted on: October 24 2005 13:41 EDT
- in response to David Wolf
Hmmm...
Yes, but I have a feeling that this is a bit of a red herring. Quite a few people have flash installed on their PCs, and it does not seem to be very difficult to download and install flash if needed.
However, the point that Dr. Fielding was trying to put across is that HTML and hyperlinks have some really neat properties, which have been all important for making the web as ubiquitous and useful as it is today. Unfortunately, Flash and many other rich internet applications do not share these features with HTML/hyperlinks, and will therefore never take over the world in the same way that HTML did.
I strongly recommend reading Dr. Fielding's paper ("Architectural Styles and the Design of Network-based Software Architectures"), as it provides some really valuable insights into why the www has exploded the way that it has.
Some of the principles outlined in his paper have been embraced and made more commonly known as "Representational State Transfer", or REST
Why we need HTML for real RiA
- Posted by: Jeff Dill
- Posted on: October 24 2005 18:19 EDT
- in response to David Wolf
Seriously, I would love to see a real study -- not the numbers generated by Macromedia marketing.
Experience points to flash 7 penetration much closer to 50% on current business PCs.
Jeff
Why we need HTML for real RiA
- Posted by: Erik Gulliksen
- Posted on: October 25 2005 11:23 EDT
- in response to Jeff Dill
I don't know about everyone's needs, but since Flash 5 it is possible to use XML in the back for "duplex" server communication, and it got OK support for ActionScript. Version 6 got a lot more media features. What I'm trying to say is that not every app needs version 8 functions to be mindblowing.. ;) Very many people have those versions, I think.
But then again, who has turned on their support for ActiveX objects? I do not. I have to do the annoying thing of answering yes/no for every ActiveX (yeah, I know it's my setting).
If I have an HTML/JavaScript page in front of me, I know I can manipulate every byte of a page if I want to. (Soooo easy to do!)
I vote with all the other guys saying that you have to do EVERY security check on the server, no matter what! Strip for script etc. If you add security in the view/html/javascript it can only be to save requests.
-Erik
But most of all samy is my hero
- Posted by: Claude Hussenet
- Posted on: October 20 2005 15:34 EDT
- in response to Victor C.
Two questions for you.
1- Can you elaborate a little bit on why you feel that AJAX is not safe?
2- I tried testing roomity.com.
I was stuck in the upload of the application.
After 2 min of seeing a dialog box displaying
"Broadband interface + Mailbox safety
checking for latest version", I cancelled the upload!
I have just tested my connection using the free service
at http://bandwidthplace.com/speedtest/
It's about 4.2 megabits per second
let me know..
Rgds-Claude Hussenet
http://claudehussenet.com
But most of all samy is my hero
- Posted by: Victor C.
- Posted on: October 20 2005 16:11 EDT
- in response to Claude Hussenet
I cancelled the upload !
If you have Java 1.4 the download is 2 meg for UI.
If you have Java 5.0 the download is 400k (because of pkzip).
It's a normal webstart application.
Unlike ClickOnce (MS) and Flex (Adobe) and NetworkLauncher (Sun/Google), most admins will tell you to disable javascript.
.V
roomity.com
But most of all samy is my hero
- Posted by: Michael Dowling
- Posted on: October 20 2005 17:24 EDT
- in response to Victor C.
Ajax is not secure, not maintainable, etc. It does not add anything new.
Just a fad, no worries.
Maybe try Flash... or JDNC for real RiA / Web 2.0.
.V
http://roomity.com has latest tech news - RiA, non-Ajax.
You're truly dumb.
But most of all samy is my hero
- Posted by: Ed Burns
- Posted on: October 21 2005 11:29 EDT
- in response to Victor C.
Ajax is not secure, not maintainable, etc. It does not add anything new.
Just a fad, no worries.
Maybe try Flash... or JDNC for real RiA / Web 2.0.
.V
http://roomity.com has latest tech news - RiA, non-Ajax.
Hi Vic,
As you know, I'm a big fan of Java Web Start for Web 2.0 applications. Can you point me to any data that shows the current trend for adoption of JWS as a deployment choice?
Ed
But most of all samy is my hero
- Posted by: Victor C.
- Posted on: October 21 2005 17:10 EDT
- in response to Ed Burns
I'm a big fan of Java Web Start for Web 2.0 applications. Can you point me to any data that shows the current trend for adoption of JWS as a deplopment choice?
Mostly anecdotal, ex
http://blogs.zdnet.com/BTL/index.php?p=1987
I do know a huge company doing an 8 digit investment.
(contact me offline at cekvenich at gmail.com if you'd like)
.V
combination of AJAX and Javascript?
- Posted by: Jeff Robertson
- Posted on: October 20 2005 07:38 EDT
- in response to Kirk Pepperdine
The "J" in AJAX is for Javascript. That's like saying he used a combination of HTML and Hyper-Text, or TCP/IP and Protocol..
But most of all samy is my hero
- Posted by: bob farmer
- Posted on: October 20 2005 10:22 EDT
- in response to Kirk Pepperdine
Same thing goes for every community site where one can upload javascript ... the moral is: check very very exactly what you allow your users to post (hello jroller!)
But most of all samy is my hero
- Posted by: Dennis Bekkering
- Posted on: October 20 2005 10:45 EDT
- in response to Kirk Pepperdine
javascript is crazy (i like it though), I could not think of a way to avoid the mentioned problem. Maybe removing "eval" statements would also help. It is a funny story.
But most of all samy is my hero
- Posted by: Jacob Hookom
- Posted on: October 20 2005 10:50 EDT
- in response to Kirk Pepperdine
It's not AJAX specifically that allowed this, you could use the same scripting attacks with inlined HTML content on any site that accepts it. AJAX just allowed him to do it 'faster' :-)
Editors Note / South Park
- Posted by: Peter Armstrong
- Posted on: October 20 2005 14:12 EDT
- in response to Kirk Pepperdine
I highly doubt that the fact that "the .la domain belongs to the Lao People's Democratic Republic" is relevant -- the domain name is a South Park reference, and the actual country it is for is as relevant as it is to del.icio.us or burri.to.
AJAX security
- Posted by: Jeff Dill
- Posted on: October 20 2005 14:12 EDT
- in response to Kirk Pepperdine
FYI, there is a decent description of the exploit here:
http://namb.la/popular/tech.html
It is important to note that samy did not exploit an "AJAX" application. He exposed an XSS hole in myspace, and he used XMLHttpRequest to make it easier.
So there is nothing new here. Forums, wikis, and other systems that take untrusted user input have always patched XSS holes. And hackers have had XMLHttpRequest in their toolboxes for 5+ years.
But it is comforting to see this level of scrutiny and analysis. Any new security considerations around AJAX will be very well understood.
Jeff Dill
www.smartclient.com
TCP/IP is not secure, what else is new?
- Posted by: Jack Russel
- Posted on: October 20 2005 18:49 EDT
- in response to Kirk Pepperdine
News at 11: TCP/IP and life in general are not secure. Death is the only certainty in life. In fact, we could securely say that insecurity is far from impossible -- it is inevitable.
We can try to mitigate the impact, but ultimately, nothing can be secured unless we learn how to secure our bodies and minds.
All this blaming of insecurity on this or that technology is nonsense. It's AJAX! Nah... it's the browser. Nah, it's the server. Nah, it's the wire. Nah, it's the blood. Nah, it's our expectations... Take away any of these elements and the "security break" that Samy performed cannot happen. People will NEVER find a comfortable way to secure assets. Having an asset is having an insecurity. Only a very obstinate person does not see this.
As soon as you acquire an asset, right away your mind is beset with worries of protecting it and securing it. If it truly was an asset, it should then secure itself and even secure its owner, as opposed to cause its hapless owner to get early gray hair and ulcers trying to secure it.
Don't blame the browser
- Posted by: Jochen Bedersdorfer
- Posted on: October 21 2005 05:21 EDT
- in response to Kirk Pepperdine
If you allow HTML to be submitted to your service, you HAVE to go the full mile:
Use an HTML parser, normalize the HTML, throw out tags (<script>, javascript: etc. etc.).
If you don't do this, don't expect the browser to save you.
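Jochen's recipe (parse, normalize, drop <script>, javascript: and the rest), as an added example that is not code from the thread. It is a minimal allowlist sanitizer in plain Node.js: unknown tags are dropped, <script> and <style> are dropped together with their bodies, only listed attributes survive (so on* handlers and style go), href and src must carry an explicit safe scheme after tab, newline and other control characters are removed (browsers drop those inside a URL), and a closing tag is emitted only for a tag the sanitizer itself opened. That last rule is what defeats the stray </DIV> breakout Preston and Alexandre describe earlier in the thread: the user's </div> never reaches the page, so it cannot close the wrapper the site puts around the profile. Tag names, attribute list and sample inputs are assumptions; the regex tokenizer is deliberately small and a production system should use a real HTML5 parser instead, since HTML has many more forms than this tokenizer understands.

```javascript
// Added example (not from the thread): a minimal allowlist HTML sanitizer in
// plain Node.js. Tag names, attribute list and sample input are assumptions.
// It uses a regex tokenizer for brevity; use a real HTML5 parser in production.

// Allowed tags and, per tag, the only attributes that may survive.
// Everything else (on* handlers, style, unknown tags) is dropped.
const ALLOWED = {
  b: [], i: [], em: [], strong: [], p: [], br: [], ul: [], li: [],
  a: ['href'], img: ['src', 'alt'],
};
const VOID_TAGS = new Set(['br', 'img']);               // never pushed on the open stack
const DROP_WITH_CONTENT = new Set(['script', 'style']);  // tag and its body both vanish

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// href/src must carry an explicit safe scheme. Browsers drop tab/newline
// characters inside a URL and strip leading control characters, so remove
// all of them before testing, otherwise "java\nscript:" slips through.
function safeUrl(value) {
  const cleaned = value.replace(/[\x00-\x20]/g, '');
  return /^(https?:|mailto:)/i.test(cleaned) ? cleaned : null;
}

// Tokens: a tag (group 1 = name, group 2 = raw attribute text), a comment,
// a run of text, or a stray '<' that did not start a tag.
const TOKEN = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|<!--[\s\S]*?-->|[^<]+|</g;
const ATTR = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function sanitizeHtml(input) {
  const out = [];
  const open = [];        // allowed tags the sanitizer itself has opened
  let skipping = null;    // name of a <script>/<style> whose body is being dropped
  for (const m of input.matchAll(TOKEN)) {
    const tok = m[0];
    const name = m[1] ? m[1].toLowerCase() : null;
    if (skipping !== null) {
      if (name === skipping && tok.startsWith('</')) skipping = null;
      continue;                                             // body of script/style dropped
    }
    if (tok.startsWith('<!--')) continue;                   // comments dropped
    if (name === null) { out.push(escapeText(tok)); continue; } // text or stray '<'
    if (tok.startsWith('</')) {
      // A closing tag is honoured only for something we opened; a stray
      // </div> is never emitted, so it cannot escape the caller's wrapper.
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;
      while (open.length > idx) out.push(`</${open.pop()}>`);
      continue;
    }
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) {
      if (DROP_WITH_CONTENT.has(name)) skipping = name;
      continue;                                             // unknown tag dropped
    }
    let attrs = '';
    for (const a of m[2].matchAll(ATTR)) {
      const attrName = a[1].toLowerCase();
      if (!ALLOWED[name].includes(attrName)) continue;      // drops onclick, style, ...
      let value = a[2] ?? a[3] ?? a[4] ?? '';
      if (attrName === 'href' || attrName === 'src') {
        value = safeUrl(value);
        if (value === null) continue;                       // javascript: etc. rejected
      }
      attrs += ` ${attrName}="${escapeText(value)}"`;
    }
    out.push(`<${name}${attrs}>`);
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out.push(`</${open.pop()}>`);        // balance what was left open
  return out.join('');
}

// The site wraps the sanitized result; nothing inside can close this wrapper.
function renderProfile(userHtml) {
  return `<div class="profile">${sanitizeHtml(userHtml)}</div>`;
}

// Constructed sample: the closing-tag breakout from the thread plus an
// event handler and a javascript: URL.
console.log(renderProfile('</div><script>alert(1)</script><div onload="x()">'));
console.log(renderProfile('<a href="javascript:alert(1)" onclick="steal()">hi</a>'));
```

The allowlist direction matters: the sanitizer emits only what it recognises, so a tag or attribute it has never heard of is dropped rather than passed through. A denylist that looks for "script" and "onload" is the approach that gets bypassed, because the attacker only needs one spelling the filter did not anticipate.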