Friday, August 04, 2006

Could AJAX Security Vulnerabilities Mean Good News for Flex?

Recent news coming out of the Black Hat conference has it that security specialists SPI Dynamics and WhiteHat have found a way to profile networks from behind the firewall using client-side JavaScript. Additionally, RSS and Atom feeds can be used as the delivery mechanism, which opens up myriad possibilities for cross-site exploits. In many cases, JavaScript delivered through an RSS or Atom feed will execute on the client-side. You can get more detailed information on the vulnerabilities here:
http://news.com.com/JavaScript+opens+doors+to+browser-based+attacks/2100-7349_3-6099891.html?tag=nl

and here:

http://news.com.com/Blog+feeds+may+carry+security+risk/2100-1002_3-6102171.html?tag=nl

What interests me the most about these newly exposed vulnerabilities is the potential Flex has to step in as a safer alternative. Although Adobe has thus far been reluctant to market Flex against AJAX (instead, promoting a somewhat Frankensteinian blend of the two), one could imagine that vulnerabilities in AJAX could yield increased market share for Flex apps.

One criticism of the Flash Platform I have heard is that it's considered unsafe by many firewall administrators. The conventional wisdom among security professionals can sometimes be skewed by not understanding the format. Who would take the time to configure the Flash Player security settings across all machines on their network when they can simply block SWF at the firewall level? If they understood that the Flash Platform is safer than another technology they already commonly allow across the firewall, the decision would be made in a different context.

Unfortunately, even if Adobe did wish to make the case that Flex is safer than AJAX, they couldn't (or they would be foolish to try). Because the Flash Player has an ExternalInterface API (which uses JavaScript for serialization/deserialization), it could be used as a delivery mechanism (possibly even a more effective one than RSS) for the very exploits that are being exposed in AJAX.

I don't know if there's an answer for this. I wouldn't want to part with ExternalInterface, despite its problems. My gut feel is that the AJAX vulnerabilities will amount to no big deal. After all, the same principles apply to these 'new' issues as apply to others: don't go poking about the shady back alleys of the web, scrub all data that comes into your system, etc. But I'm interested to see how all this will play out, and I'm interested to hear other people's thoughts on the subject. So, please comment!!!
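One concrete form of the "scrub all data that comes into your system" advice above, as an added example that is not from the original post: a feed reader that renders entry HTML should strip script, event-handler attributes and `javascript:` URLs before anything reaches the browser. The Atom parsing, the tag allowlist and the sample feed below are constructed for illustration (standard library only).

```python
from html import escape
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class FeedSanitizer(HTMLParser):   # rebuilds a fragment from allowlisted tags/attributes only
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0          # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1                   # drop the element and all of its text
        elif tag in ALLOWED_TAGS:            # any other tag is dropped, its text kept
            kept = []
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                    continue                 # drops on* handlers and unknown attributes
                v = value.strip()
                if name in ("href", "src") and not v.lower().startswith(SAFE_SCHEMES):
                    continue                 # drops javascript:, data:, vbscript: URLs
                kept.append(f' {name}="{escape(v, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_html(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def sanitize_feed(atom_xml):
    # Map each Atom entry's title to its sanitized HTML content.
    return {e.findtext(ATOM + "title", ""): sanitize_html(e.findtext(ATOM + "content", ""))
            for e in ET.fromstring(atom_xml).iter(ATOM + "entry")}

# Constructed sample feed: "hostile" carries a javascript: link, inline script and onerror.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
<entry><title>harmless</title><content type="html">&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;</content></entry>
<entry><title>hostile</title><content type="html">&lt;p&gt;Read &lt;a href="javascript:alert(1)"&gt;this&lt;/a&gt;&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;img src="http://example.test/x.png" onerror="alert(1)"&gt;</content></entry>
</feed>"""
```

The allowlist approach matters more than the specific list: anything not explicitly permitted (unknown tags, any `on*` attribute, any URL scheme other than the three listed) is dropped rather than pattern-matched, so obfuscated variants fall out with it.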


3 Comments:

Anonymous said...

First of all, this technique did not use Ajax, just images and an iframe. Very "DHTML-ish". Second, the way I understand it, the hack is based on browsers letting resources from outside the network access resources inside the network. Fix that and the security issue disappears.

Flash might not run into this risk because of the stricter cross-domain settings, although it would still be possible to target intranet servers where the cross-domain policy is wrongly configured. And in that case, Flash has more low-level connection support than JavaScript...

2:56 PM  
tom said...

Good points, Mark - I think AJAX as an acronym is getting diluted to mean "any web app that uses JavaScript heavily", which is of course completely wrong. The way I understood the hack, it would be most likely delivered via cross-site scripting (iframe, RSS feed, etc) but no special access is required for the JavaScript to do its thing. If it can execute in the browser, it can create image objects and determine through trial-and-error what the characteristics of your network are. At that point it could do a variety of different things with the data, including send it somewhere via XML over HTTP. Maybe that's why CNet called it an AJAX vulnerability.

My concern regarding Flash is mainly due to the ExternalInterface API. As you say, Flash has stricter cross-domain restrictions. However, I'm not sure off the top of my head whether a cross-domain restricted swf can execute ExternalInterface calls. Will have to dig a little deeper. :)

5:44 PM  
