Can an AJAX Request be hacked?

I am trying to put my arms around all the work that needs to be done on four .NET Applications and have found XSS URL Vulnerabilities in Controller Actions.

I have been told by experts that "100% of the XSS exposure is on the server, and that no change could be made in javascript that could reduce the risk of an XSS attack."

I paraphrased in the quote above. Is it true?

What about an AJAX call?

If there were a way to "harden the URL" inside the AJAX call, could a hacker hack that URL?

newbieweb, Sr. Software Engineer, Asked:

Yes, an AJAX call can absolutely be hacked, and they are frequently the weakest parts of web applications. Many developers will focus on securing the main pages of a web application with sessions and logins and such, but then set up scripts to be accessed by AJAX without those same protections or with much more lax security because they're not as in-your-face as other pages. So yes, protect your AJAX pages by all means.

It's a little late after a long day (and I'm about to sign off), but I think your quote is accurate. Generally speaking, XSS is when the server doesn't do its job of sanitizing the incoming data and ends up displaying all or part of user-provided content, which is particularly dangerous if that content is displayed to OTHER users (e.g. message boards are infamous for XSS attacks since it's all about cross-user communication through the server).

I don't quite understand what you mean about hardening a URL. It may help for you to provide some examples.
Julian Hansen Commented:
What are we talking about when we say "hacked" in this context?

An AJAX call is made up of the following
A method (GET / PUT ...)
A target (URL)

Those are the main items - all of which can be spoofed from the client.

It is therefore the responsibility of the server to verify if the request is correct. Remember, bar a few minor restrictions, an AJAX call is analogous to entering a URL into a browser and calling it - I can enter whatever URL I want and whatever data I want.

With the console I can write my own AJAX routines that call the server with whatever data / headers I want - you can't do anything about that because in the console I am bypassing your control of what I am doing.

Therefore, we never trust ANYTHING that comes from the browser - if you think of every request that hits your site as an attempted hack and code the server to cater for that, you are on the right track.

JavaScript is used primarily for validation, and DOM manipulation, it can be a link in the security chain, for instance storing a token in local storage - but it never has anything directly to do with vetting or securing a site.
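
The point made in the two answers above, as an added example that is not part of the original thread: a server-side handler that checks the method, session and parameters itself and HTML-encodes what it echoes. It is written in JavaScript (Node) as a pure function so it runs offline; `handleSearch`, the `/search` route and its `id` and `label` parameters are hypothetical, and the asker's .NET controller actions would apply the same checks in C#.

```javascript
// Added example: every part of an AJAX request is attacker-controlled,
// so the server re-checks all of it. Names below are hypothetical.
const ALLOWED_METHODS = new Set(["GET"]);
const ID_PATTERN = /^[0-9]{1,9}$/; // allow-list: digits only
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the HTML-significant characters before data is placed in markup.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// request: { method, url, session } as received by the server.
function handleSearch(request) {
  if (!ALLOWED_METHODS.has(request.method)) {
    return { status: 405, body: "Method Not Allowed" };
  }
  // Same session check as the full pages; AJAX endpoints get no exemption.
  if (!request.session || !request.session.userId) {
    return { status: 401, body: "Unauthorized" };
  }
  const params = new URL(request.url, "http://localhost").searchParams;
  const id = params.get("id") ?? "";
  if (!ID_PATTERN.test(id)) {
    return { status: 400, body: "Bad Request" };
  }
  const label = params.get("label") ?? "";
  if (label.length > 100) {
    return { status: 400, body: "Bad Request" };
  }
  // Free text cannot be allow-listed, so it is encoded on output instead.
  return {
    status: 200,
    body: `<div data-id="${id}">Results for ${htmlEncode(label)}</div>`,
  };
}

// Constructed sample requests, shaped as anyone could send them from the console.
const samples = [
  { method: "POST", url: "/search?id=1", session: { userId: 7 } },
  { method: "GET", url: "/search?id=1", session: null },
  { method: "GET", url: "/search?id=1%20OR%201", session: { userId: 7 } },
  { method: "GET", url: "/search?id=42&label=%3Cscript%3Ealert(1)%3C%2Fscript%3E", session: { userId: 7 } },
];
for (const sample of samples) {
  console.log(sample.method, sample.url, "->", handleSearch(sample));
}
```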
newbieweb, Sr. Software Engineer, Author Commented:
Thanks for the help.

What about the third type of XSS attack, DOM manipulation?

Are there best practices on the javascript side which can reduce the risk of that kind of attack?

Julian Hansen Commented:
"What about the third type of XSS attack, DOM manipulation?"
How is that different from what we have been discussing?

XSS: Malicious user uploads code through Web Interface to database where it is downloaded by unsuspecting user.

The only important fact is: is this possible? - if it is, the methods by which an attacker can exploit that vulnerability are varied. He / she can change links or change the page itself to either look different or behave differently depending on what it is the hacker is trying to achieve.

"Are there best practices on the javascript side which can reduce the risk of that kind of attack?"
I am going to say it again - securing a page CANNOT reside in the client code of a web site. Not under any circumstances - the browser is an unsafe, untrusted zone - anything coming from it must be treated with suspicion, and anything going to it can be manipulated. End of story.

newbieweb, Sr. Software Engineer, Author Commented:
thanks. I will not ask again ;)

I will get busy digging through my C# code.

Thanks a lot
Julian Hansen Commented:
"thanks. I will not ask again ;)"
Please continue to ask - it was not my intention for the comment to be intended like that but on re-reading I see it was a bit short - please accept my apologies I really did not mean it that way - and I would be more than happy to help with any other queries you have on this.

When it comes to security it is important to understand it completely - and if that means asking as many questions as you need - then that is what you must do.