Black Hat 2007 Premature AJAX-ulation

At Black Hat, Billy Hoffman and Bryan Sullivan demonstrated the security pitfalls hiding in AJAX techniques. By building hackervacations.com they showed the risks of trusting the client for data validation, of using a single JavaScript file, and of relying on the client for final data formatting. These practices can expose a site to a range of attacks.

Billy Hoffman and Bryan Sullivan from SPI Dynamics gave one of the more entertaining talks today. The title is an allusion to people's willingness to apply new technology before they fully understand it. Instead of laughing at silly web 2.0 developers, they decided to build their own AJAXified website by consulting the resources that any programmer would: AJAX books, blogs, and forums. What they ended up with was hackervacations.com... a security-hole-riddled gem built on good intentions.

For their presentation they demonstrated how easily you could hammer on the site using something like Firebug. No piece of code on the client side can be trusted. You can throw in a breakpoint anywhere and manipulate any variable. So if something like the ticket price is stored locally, you can modify it before it gets debited. We learned long ago not to do this in HTML forms, but it's the same problem all over again disguised by new technology.
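The ticket-price problem above, as an added example that is not from the talk or from hackervacations.com: a checkout handler that charges whatever price the client's JavaScript sent, next to one that accepts only an identifier and quantity and recomputes the price from the server's own catalogue. The trip ids, prices and request shape are constructed for illustration.

```javascript
// Added example (not the talk's code). CATALOGUE stands in for the server-side
// price table; every value here is constructed.
const CATALOGUE = { "cabo-3n": 899.0, "vegas-2n": 450.0 };

// Vulnerable pattern: the amount debited is the `price` the client sent.
// Anyone who pauses the client script and edits that variable before the
// request fires controls what they pay.
function checkoutVulnerable(request) {
  const { tripId, price, qty } = request;
  return { tripId, charged: price * qty };
}

// Hardened pattern: the server accepts only an identifier and a quantity,
// validates both, and derives the price from data the client never touched.
function checkoutHardened(request) {
  const { tripId, qty } = request;
  if (!Object.prototype.hasOwnProperty.call(CATALOGUE, tripId)) {
    throw new Error("unknown trip");
  }
  if (!Number.isInteger(qty) || qty < 1 || qty > 10) {
    throw new Error("invalid quantity");
  }
  // Any client-supplied price field is simply ignored.
  return { tripId, charged: CATALOGUE[tripId] * qty };
}

// A tampered request of the kind the talk demonstrated (constructed sample):
// the client-side price has been edited down to 0 before submission.
const tampered = { tripId: "cabo-3n", price: 0, qty: 2 };
console.log(checkoutVulnerable(tampered).charged); // 0
console.log(checkoutHardened(tampered).charged);   // 1798
```

The same rule covers every value the client can compute: cart totals, discounts and item counts are recomputed server-side from the server's own records at the moment of debit, not read back from the request.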

Another common practice is dumping all of the functions into one common.js file. Find something like an admin function and you can call it from anywhere. You can also create a race condition. Say one function adds an item and updates the cart total, and another debits your account and ships the order. If you call the two functions with a slight offset, you can interleave their actions: add an item to your cart, debit the 0 total from your account, update it with the actual total, and ship the item.

Their last example involved trusting the client to do final data formatting. Using two GET requests they were able to dump the entire database. In a JSON object they could add as many SQL queries as they wanted without having to worry about matching the number of arguments as you would in standard injection.

There were a couple of final thoughts: these problems stem from putting too much trust in the client. That doesn't bode well for offline technologies like Google Gears, where everything has to be on the client, or Silverlight, which makes it difficult to know whether your code is going to the client or the server. Lastly, if you're worried about premature AJAX-ulation, abstinence may be the best solution.

Reposted from: http://www.hackaday.com/2007/08/02/black-hat-2007-premature-ajax-ulation/

Chinese reference: http://tech.techweb.com.cn/redirect.php?tid=197737&goto=lastpost
