
ajax-attack.txt

Posted Jan 4, 2007
Authored by Amichai Shulman, Guy Karlebach

Brief whitepaper discussing the hacking of AJAX DWR applications.

tags | paper
SHA-256 | 6c5d8ba8ddbd21a85894c20cb3d5862246ff8206bb67d1314a13e58a171b8c3e

By Guy Karlebach & Amichai Shulman

Introduction
*********************************************************************************************

The introduction of AJAX into a web application improves the user experience significantly. However, the complexity of some AJAX frameworks and the limited field experience with them requires a careful examination of potential vulnerabilities.
DWR is a Java open source library, which has already been incorporated into several web sites. It is composed of two main parts:
• A Java servlet that runs on the server. This servlet processes requests that arrive from clients and sends back responses.
• Javascript code that is executed on the browser, and sends requests to the servlet.
The Javascript code for method invocation is generated by the DWR framework. The web application designer only needs to embed the returned values in his web pages.
At the time of writing, the DWR stable release is 1.1.3; version 2.0 is under development. The two versions differ in several features, but both share the vulnerability that we discuss in the next section.



Forceful Method Invocation Attacks
*********************************************************************************************

DWR 1.1.3 provides a configuration option that forbids the invocation of class methods. This exclusion can be applied to some or all of a class’s methods, and it is configured in the dwr.xml file. DWR 2.0 adds a further configuration option based on Java code annotations. However, both mechanisms enforce their restrictions only on the client side: the server merely omits the Javascript stubs for excluded methods. Therefore, by manipulating HTTP requests through a proxy, excluded methods can be invoked. This also applies to public methods that are inherited from super classes.
As a consequence of the above vulnerability, restricted operations may be unintentionally exposed to web users.
Example: The TestClass class methods
The following test was repeated in DWR releases 1.1.3 and 2.0, and with all of the possible method exclusion mechanisms for each release.
We created a class named TestClass with two methods: forbiddenTestMethod and allowedTestMethod. Both methods were defined as public (private and protected methods are not vulnerable to invocation by the client). forbiddenTestMethod was excluded using the exclusion mechanism. The result of this exclusion was that DWR did not provide the browser with Javascript code that generates requests for forbiddenTestMethod. At this point, we used the browser to generate the following legitimate request (this example is taken from the 2.0 release test):

callCount=1
httpSessionId=6F7C818937E118A82F4B8A3518951A3B
scriptSessionId=04CE97DFB0B87AA4E8D3FEF92FA5898E
page=/dwr/test/TestClass
c0-scriptName=TestClass
c0-methodName=allowedTestMethod
c0-id=2925_1165312875568

We then changed the methodName parameter to forbiddenTestMethod and sent the request to the server. We received an HTTP 200 OK response containing the output of forbiddenTestMethod.



Denial of Service Attacks
*********************************************************************************************

A malicious user can manipulate DWR requests in several ways that make them very costly for the web application to process. We present some of these manipulations here as denial of service attack vectors.

Example: The Date class
The Java clone method is implemented as a public method by several standard library classes, for example java.util.Date. If a class that implements clone is exposed to client side calls, a batch consisting of many clone calls can be sent to the server. This has a steep performance cost, because of the memory that the cloned objects occupy. We tested the following attack vector (embedded in an HTTP request body) against the DWR stable release running on JBoss, and witnessed a sharp rise in CPU usage:

callCount=100000
c0-scriptName=JDate
c0-methodName=clone
c1-scriptName=JDate
c1-methodName=clone
c2-scriptName=JDate
c2-methodName=clone
...
c99999-scriptName=JDate
c99999-methodName=clone

Furthermore, in the DWR stable release, the following short attack vector causes the servlet to throw an OutOfMemoryError exception:

callCount=1000000
c0-scriptName=JDate
c0-methodName=clone

In the latter case, only one Date object is created, but the server attempts 1000000 clone calls, which exhaust the VM’s memory resources. Limiting the number of calls in a batch is therefore essential for preventing denial of service attacks of this sort.
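The batch limit that the paragraph above calls for, as an added example written for this page rather than taken from the paper or from the DWR project: a servlet filter placed in front of the DWR servlet that buffers the request body, derives the batch size from it, and rejects over-limit batches before DWR starts executing calls. The body layout (callCount=N, then cN-scriptName and cN-methodName on separate lines) is the one shown in the requests above; the filter and class names, the limits, and the assumption that the DWR servlet reads the body through request.getReader() are mine.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the whitepaper or the DWR project): bounds the number
// of calls in one DWR batch before the DWR servlet sees the request.
public class DwrBatchLimitFilter implements Filter {
    static final int MAX_CALLS = 20;              // assumed limit; tune to the application
    static final int MAX_BODY_CHARS = 64 * 1024;  // assumed upper bound on the buffered body

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // DWR batches arrive as POST bodies; let everything else through untouched.
        if (!"POST".equals(request.getMethod())) {
            chain.doFilter(req, res);
            return;
        }

        // Buffer the body once, with a size cap, so it can be inspected here and
        // still be handed to DWR unchanged afterwards.
        String body = readBounded(request.getReader(), MAX_BODY_CHARS);
        if (body == null) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        if (batchSize(body) > MAX_CALLS) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "DWR batch too large");
            return;
        }

        // Assumption: the DWR servlet reads the body via getReader(); replay the
        // buffered text through a wrapper so it sees exactly what the client sent.
        final String replay = body;
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override
            public BufferedReader getReader() {
                return new BufferedReader(new StringReader(replay));
            }
        }, response);
    }

    // Number of calls DWR would attempt: the declared callCount, but also the
    // number of cN-methodName entries, since the two can disagree (the second
    // vector above declares 1000000 calls with a single c0 entry). The larger wins.
    static int batchSize(String body) {
        int declared = 0;
        int listed = 0;
        for (String line : body.split("\n")) {
            line = line.trim();
            if (line.startsWith("callCount=")) {
                try {
                    declared = Integer.parseInt(line.substring("callCount=".length()));
                } catch (NumberFormatException e) {
                    return Integer.MAX_VALUE;  // a non-numeric callCount is rejected outright
                }
            } else if (line.startsWith("c") && line.indexOf("-methodName=") > 0) {
                listed++;
            }
        }
        return Math.max(declared, listed);
    }

    // Reads the whole body, or returns null as soon as it exceeds the limit.
    static String readBounded(BufferedReader reader, int limit) throws IOException {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[4096];
        int n;
        while ((n = reader.read(buf)) != -1) {
            sb.append(buf, 0, n);
            if (sb.length() > limit) {
                return null;
            }
        }
        return sb.toString();
    }
}
```

Map the filter in web.xml with a filter-mapping on the same URL pattern as the DWR servlet. Taking the larger of the declared callCount and the number of listed calls is what makes the check cover both vectors above: the first is caught by the listed entries (and, before that, by the body size cap), the second by the declared count.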



Mitigation
*********************************************************************************************

We suggest several options for mitigation, all of which require writing Java code:
• Don’t expose classes that have methods which should not be invoked by the client. This approach should be applied during the application’s development.
• Instead of exposing class A and all of its methods, create and expose a class ProxyA:
  • ProxyA relates to A in a has-a relationship. That is, one of the private class fields of ProxyA is an A object.
  • The methods of ProxyA can be used for calling only those methods of A that may be invoked by the client. This approach can be applied to an application without changing the code of existing classes.
• Add stubs to override inherited methods which should not be exposed. For example, create a toString method that returns an empty string.
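The proxy approach from the list above applied to the TestClass example of the Forceful Method Invocation section, as an added example that is not part of the whitepaper or the DWR project. TestClass, allowedTestMethod and forbiddenTestMethod are the paper's names; ProxyTestClass, ExposureCheck, the method bodies and the reflection-based allowlist check are mine. The check leaves java.lang.Object's own methods (equals, hashCode, getClass, and so on) out of the comparison so that it reports only application-defined surface.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example (not from the whitepaper or the DWR project).

// The class from the paper's test. Both methods are public, and the class also
// carries a public clone(), so once it is named in dwr.xml DWR can execute any
// of them server-side no matter which methods dwr.xml excludes.
class TestClass implements Cloneable {
    public String allowedTestMethod(String name) {
        return "hello, " + name;                          // assumed body
    }

    public String forbiddenTestMethod() {
        return "result the client must not obtain";       // assumed body
    }

    @Override
    public Object clone() {
        try {
            return super.clone();
        } catch (CloneNotSupportedException e) {
            throw new AssertionError(e);
        }
    }
}

// The class to name in dwr.xml instead of TestClass. It holds a TestClass
// (has-a), and its public surface is exactly the set of methods the browser
// may call.
public class ProxyTestClass {
    private final TestClass target = new TestClass();

    public String allowedTestMethod(String name) {
        return target.allowedTestMethod(name);
    }

    // Stub for an inherited public method whose output should not leak (the
    // paper's toString example). Object.clone() is protected and this class is
    // not Cloneable, so no clone call can reach it.
    @Override
    public String toString() {
        return "";
    }
}

// A check to keep in the build: every public, non-static method the exposed
// class offers, inherited ones included, must be on the allowlist.
class ExposureCheck {
    static Set<String> exposedMethods(Class<?> exposed) {
        Set<String> names = new HashSet<String>();
        // getMethods() returns inherited public methods as well as declared ones.
        for (Method m : exposed.getMethods()) {
            if (m.getDeclaringClass() == Object.class) {
                continue;  // simplification: Object's own methods are not compared
            }
            if (Modifier.isStatic(m.getModifiers())) {
                continue;  // DWR invokes instance methods on objects the creator builds
            }
            names.add(m.getName());
        }
        return names;
    }

    static boolean exposesOnly(Class<?> exposed, Set<String> allowed) {
        return allowed.containsAll(exposedMethods(exposed));
    }

    public static void main(String[] args) {
        Set<String> allowed = new HashSet<String>(Arrays.asList("allowedTestMethod", "toString"));
        // Prints false: forbiddenTestMethod and clone are reachable on TestClass.
        System.out.println("TestClass exposes " + exposedMethods(TestClass.class)
                + " -> within allowlist: " + exposesOnly(TestClass.class, allowed));
        // Prints true: ProxyTestClass offers only the two allowed methods.
        System.out.println("ProxyTestClass exposes " + exposedMethods(ProxyTestClass.class)
                + " -> within allowlist: " + exposesOnly(ProxyTestClass.class, allowed));
    }
}
```

Save the file as ProxyTestClass.java, compile it with javac and run ExposureCheck. The same exposesOnly check can be run against every class named in dwr.xml as a unit test, so that a public method added later to a wrapped class, or inherited from a new superclass, fails the build instead of becoming callable.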