Happy national cyber security awareness month!
Today I'll be exploring AJAX - an introduction to it, the vulnerabilities of using it, and then BONUS: a great hacker moment in history.
Okay lets get into it!
What is an AJAX?
A super-powered combination of existing technologies that give dynamic and uninterrupted web experiences. We can 'upvote' a show without reloading the WHOLE DAMN PAGE and interrupting our Netflix binge.
We still use the acronym AJAX as a generic term to describe technologies working together to quickly save or retrieve small amounts of info from the server.
Now that we know what AJAX is, lets talk about its vulnerabilities.
SPOILER ALERT! There are a lot.
I won't be going into each type of attack in this post, but more of WHY its possible.
As we learned, AJAX has a lot of stuff going on inside it. What it doesn't have is built in security. When AJAX we being developed in the early 2000's, the priority was getting it to work.
One of the biggest vulnerabilities, as obvious as it may be, is that an since AJAX is just a bunch of tools it has no native encoding mechanisms. Function calls are sent in plain text to the server.
Increased Attack Surface
Attack Surface is all the ways attackers can try to enter data to or extract data from an environment. All the dynamic communication across the client and server, each data request is a way in to inject malicious content.
Keeping the attack surface as small as possible is good security practice.
Asynchronous web is cool and all, but is it worth it if your data is traversing the wire in plain text and every request is a potential attack surface?
Well, there is something I've been holding back from you.
Its called HTTPS. This is HTTP with Security. It is your same syntax for HTTP requests and responses but with encrypted data flow between client and sever, making your communication safer and more secure.
What can we do as individuls?
Using secure HTTPS/SSL channels is the easiest way to prevent attacks from happening. Use modern web browsers and be sure you install updates regularly!
In 2018, Google started labeling sites lacking SSL Certificates (the certificate which once installed on the website results in an HTTPS secure URL) as “not secure”. Most browers have followed suite. Visit an HTTP site in Chrome and you'll probably see a warning like this:
HTTPS Everywhere is a handy browser extension developed by the Electronic Frontier Foundation and is available for Mozilla Firefox, Google Chrome, Chromium, and Android. It uses clever technology to rewrite HTTP requests in HTTPS for hundreds of frequently visited websites.
What can we do as app builders and webmasters?
A lot! There are a lot of ways (even easy ways) to mitigate the security vulnerabilities of using AJAX. It’s not terribly expensive or difficult to convert your site to HTTPS. It won't slow down your site or make it use more server CPU. Some web hosting companies even offer a SSL certificate for free as an incentive to host with them.
Even if you’re not dealing with credit card information, using HTTPS will make your visitors accounts safer and can increase your search ranking.
HTTPS is the norm! Get on board.
Great Hacker Moment in History
October 4th 2005.
Samy Kamkar was 19 years old when he released a cross-site scripting worm on what was at the time, the largest and most popular online social network - MySpace.
In less than a day, Samy's virus made him the 'friend' to more than a million people. It also added "but most of all, samy is my hero" to all his new 'friends' profiles.
The top-10 trafficked website was forced to shutdown to stop the onslaught.
While more experimental then malicious, Samy's worm gave the world a wake up call to the potential destruction of unsecured data requests.
Happy Hacktober everyone!
For more information on AJAX, HTTPS, and the Samy Worm check out these resources: