Friday, August 04, 2006

Could AJAX Security Vulnerabilities Mean Good News for Flex?

Recent news coming out of the Black Hat conference has it that security specialists SPI Dynamics and WhiteHat have found a way to profile networks from behind the firewall using client-side JavaScript. Additionally, RSS and Atom feeds can be used as the delivery mechanism, which opens up myriad possibilities for cross-site exploits. In many cases, JavaScript delivered through an RSS or Atom feed will execute on the client-side. You can get more detailed information on the vulnerabilities here:

and here:

What interests me the most about these newly exposed vulnerabilities is the potential Flex has to step in as a safer alternative. Although Adobe has thus far been reluctant to market Flex against AJAX (instead, promoting a somewhat Frankensteinian blend of the two), one could imagine that vulnerabilities in AJAX could yield increased market share for Flex apps.

One criticism of the Flash Platform I have heard is that it's considered unsafe by many firewall administrators. The conventional wisdom among security professionals can sometimes be skewed by not understanding the format. Who would take the time to configure the Flash Player security settings across all machines on their network when they can simply block SWF at the firewall level? If they understood that the Flash Platform is safer than another technology they already commonly allow across the firewall, the decision would be made in a different context.

Unfortunately, even if Adobe did wish to make the case that Flex is safer than AJAX, they couldn't (or they would be foolish to try). Because the Flash Player has an ExternalInterface API (which uses JavaScript for serialization/deserialization), it could be used as a delivery mechanism (possibly even a more effective one than RSS) for the very exploits that are being exposed in AJAX.

I don't know if there's an answer for this. I wouldn't want to part with ExternalInterface, despite its problems. My gut feeling is that the AJAX vulnerabilities will amount to no big deal. After all, the same principles apply to these 'new' issues as apply to others: don't go poking about the shady back alleys of the web, scrub all data that comes into your system, etc. But I'm interested to see how all this will play out, and I'm interested to hear other people's thoughts on the subject. So, please comment!!!
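The "scrub all data that comes into your system" advice applies directly to feed readers that render entry HTML in the browser. As an added example (not code from the original post), here is an allowlist-based sanitizer for the HTML carried inside RSS/Atom entries, with a constructed sample entry; the tag and attribute allowlists are a starting point, not a standard.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # relative URLs are dropped too
DROP_WITH_BODY = {"script", "style", "iframe", "object", "embed"}

class FeedSanitizer(HTMLParser):
    """Rebuilds a fragment, keeping only allowlisted tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element's body

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                value = (value or "").strip()
                if name not in ALLOWED_ATTRS.get(tag, set()):
                    continue  # drops every on* handler and style attribute
                if name in ("href", "src") and not value.lower().startswith(SAFE_SCHEMES):
                    continue  # drops javascript:, data: and vbscript: URLs
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
            self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize_feed_html(fragment):
    """Return the entry HTML with scripts, handlers and script URLs removed."""
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed feed entry carrying the kind of payload the post describes.
SAMPLE_ENTRY = ('<p onmouseover="alert(1)">Hello <b>world</b></p>'
                '<script>document.write("x")</script><a href="javascript:alert(1)">click</a>'
                '<img src="http://example.com/a.png" onerror="alert(1)">')
```

Tags outside the allowlist are dropped while their text is kept, so a feed entry can lose formatting but never gain executable content.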



Anonymous Mark Wubben said...

First of all, this technique did not use Ajax, just images and an iframe. Very "DHTML-ish". Second, the way I understand it, the hack is based on browsers letting resources from outside the network access resources inside the network. Fix that and the security issue disappears.

Flash might not run into this risk because of the stricter cross-domain settings, although it would still be possible to target intranet servers where the cross-domain policy is wrongly configured. And in that case, Flash has more low-level connection support than JavaScript...

2:56 PM  
Blogger tom said...

Good points, Mark - I think AJAX as an acronym is getting diluted to mean "any web app that uses JavaScript heavily", which is of course completely wrong. The way I understood the hack, it would be most likely delivered via cross-site scripting (iframe, RSS feed, etc.) but no special access is required for the JavaScript to do its thing. If it can execute in the browser, it can create image objects and determine through trial-and-error what the characteristics of your network are. At that point it could do a variety of different things with the data, including send it somewhere via XML over HTTP. Maybe that's why CNet called it an AJAX vulnerability.

My concern regarding Flash is mainly due to the ExternalInterface API. As you say, Flash has stricter cross-domain restrictions. However, I'm not sure off the top of my head whether a cross-domain restricted swf can execute ExternalInterface calls. Will have to dig a little deeper. :)

5:44 PM  
