Exploitation Realm in AJAX Based Load Tab Modules.

Cutting Edge Research Layout.


zeroknock [at] secniche.org


For Education Purposes Only!


Analysis of Ajax Based Load Tab Modules.

This analysis covers the checking of an active module derived from AJAX based applications. The vulnerability, or rather the bad programming practice, makes the web application vulnerable to XSS and other JavaScript injections. I encountered the issue while examining the security and weaknesses of AJAX applications. The focus of this analysis is to explain the infection vector and how it is intensified. The loadTab modules analysed here are very generic and are used, in one way or another, very often. A brief overview follows.

Accessing the Web Server Realm: The XMLHttpRequest object provides two properties that give access to the server response. The first, responseText, provides the response as a string. The second, responseXML, provides the response as an XML document object. Retrieving the response as plain text is fine for simple use cases, such as when the response is displayed in an alert box or is a one-word phrase indicating success or failure. It becomes dangerous the moment that string is assigned to innerHTML, because the browser then parses it as markup. The overall concept is well known, so let's start directly with the analysis.



First of all, let's have a look at the loadTab module as designed.

	var tabRegistered = {};      // divIDPrefix -> id of the currently highlighted tab
	var divRegistered = null;    // id of the div the pending response will be written into
	var loadTabResponse = null;  // the XMLHttpRequest (or ActiveX equivalent) in flight

	function loadTab(tabID, contentID, divIDPrefix) {
		var divID;
		if (divIDPrefix != null) divID = divIDPrefix + "_tabDiv";
		else divID = "tabDiv";

		// Tab classes: un-highlight the previous tab, highlight the new one
		document.getElementById(tabRegistered[divIDPrefix]).className = 'light_tab';
		document.getElementById(tabRegistered[divIDPrefix] + '_A').className = '';
		tabRegistered[divIDPrefix] = divIDPrefix + "_" + tabID;
		document.getElementById(divIDPrefix + "_" + tabID).className = 'dark_tab';
		document.getElementById(divIDPrefix + "_" + tabID + '_A').className = 'white';

		// Loading: clear the container and remember where the response goes
		document.getElementById(divID).innerHTML = "";
		divRegistered = divID;

		if (window.XMLHttpRequest) {
			loadTabResponse = new XMLHttpRequest();
		} else if (window.ActiveXObject) {
			loadTabResponse = new ActiveXObject('Microsoft.XMLHTTP');
		}

		loadTabResponse.onreadystatechange = loadTab_processChange;

		// tabID and contentID go into the query string unencoded and unchecked
		loadTabResponse.open('GET', "[URL]?ajaxRequest=true&loadTab=" + tabID + "&id=" + contentID);
		loadTabResponse.send(null);
	}

	function loadTab_processChange() {
		// The raw server response is written straight into the page as HTML
		if (loadTabResponse.readyState == 4) document.getElementById(divRegistered).innerHTML = loadTabResponse.responseText;
	}
		
	
The basic points:

1. Exactly three parameters are needed by the application to load the module.
2. The loadTab module is invoked as javascript:loadTab() from the web application.
3. The module dynamically adds tab elements to the web application.
4. tabID: which tab you want to load.
5. contentID: the identifier of the content to fetch; this is the id parameter that appears in the request.
6. divIDPrefix: the prefix for the id of the div the response is written into (divIDPrefix + "_tabDiv", or "tabDiv" when it is null).

Our analysis is based on AJAX fused with PHP applications. With the rise of Web 2.0 a lot of significant changes have taken place, which is good for the future of web applications. PHP URL-decodes the query string automatically when it populates $_GET, and urlencode()/urldecode() are available when you need to do it by hand. To refresh the details, let's have a look at the functions.

The urldecode layout:
	
	<?php
	// Split the raw query string on '&', then each pair on its first '='.
	// PHP has already decoded $_GET for you; this shows the decoding explicitly.
	$a = explode('&', $_SERVER['QUERY_STRING']);
	$i = 0;
	while ($i < count($a)) {
	    $b = explode('=', $a[$i], 2);
	    echo 'Value for parameter ', htmlspecialchars(urldecode($b[0])),
	         ' is ', htmlspecialchars(urldecode(isset($b[1]) ? $b[1] : '')), "<br />\n";
	    $i++;
	}
	?>
	
The above is the standard example for the urldecode function. Note that it is only safe to echo because every value also passes through htmlspecialchars(); urldecode() on its own does nothing against XSS. Now have a look at the urlencode function.
	<?php
	$foo = 'some value';   // sample values; in the application these come from user input
	$bar = 'a&b=c';
	$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
	echo '<a href="mycgi?' . htmlentities($query_string) . '">';
	?>
        
The above snippets clear up the picture of URL encoding and decoding.

Jolt: it is commonly assumed that URL encoding/decoding defeats injection. WRONG! URL encoding only protects the structure of the query string in transit; the server decodes it before the value is used, so an HTML payload arrives intact.
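To make the Jolt concrete, here is an added example (not code from the original article) that mirrors the PHP urldecode loop in JavaScript, decodes the article's second test payload, and renders it through a hypothetical stand-in for profile.php's AJAX branch, once reflecting the value verbatim and once with HTML output encoding. The parameter names and the payload are the article's; renderProfileFragment and its markup are assumptions for illustration.

```javascript
// Added example, not from the original article. Shows that URL encoding is a
// transport encoding: decodeURIComponent (like PHP's urldecode) strips it before
// the value is used, so only HTML output encoding at the sink neutralises XSS.

// Mirrors the article's PHP loop: split on '&', then on the first '='.
// '+' becomes a space as in application/x-www-form-urlencoded.
function parseQueryString(qs) {
  const params = {};
  for (const pair of qs.replace(/^\?/, "").split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    params[decodeComponent(rawKey)] = decodeComponent(rawVal);
  }
  return params;
}

// PHP's urldecode leaves malformed %xx sequences alone; mimic that instead of throwing.
function decodeComponent(s) {
  const plusFixed = s.replace(/\+/g, " ");
  try {
    return decodeURIComponent(plusFixed);
  } catch (e) {
    return plusFixed;
  }
}

// HTML output encoding: the step the vulnerable application never performed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hypothetical server-side fragment builder standing in for profile.php's
// ajaxRequest branch (assumption). escape=false reflects id verbatim (the bug);
// escape=true output-encodes it.
function renderProfileFragment(params, { escape }) {
  const id = params.id === undefined ? "" : params.id;
  const shown = escape ? escapeHtml(id) : id;
  return `<div class="profile">Profile ${shown}</div>`;
}

// Constructed input: the article's second payload, exactly as URL-encoded there.
const ENCODED_PAYLOAD =
  "ajaxRequest=true&loadTab=profile&id=''%3Ca%20href=http://www.google.com%3EGOOGLE%3C/a%3E";

function demo() {
  const params = parseQueryString(ENCODED_PAYLOAD);
  return {
    decodedId: params.id,
    vulnerable: renderProfileFragment(params, { escape: false }),
    hardened: renderProfileFragment(params, { escape: true }),
  };
}

const result = demo();
console.log("decoded id :", result.decodedId);
console.log("vulnerable :", result.vulnerable);
console.log("hardened   :", result.hardened);
```

The decoded id is the literal anchor tag; the "vulnerable" fragment contains it as live markup, while the "hardened" one shows it as text. Encoding on the way in and encoding on the way out are different controls, and only the second one addresses XSS.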


This is one part of this analysis. Let's get started.

The very basic step is to enumerate web pages via the Google search engine to find a target of your own choice, something that is waiting for application checks. I found a modular vulnerability in some AJAX based web modules; it relates entirely to the loadTab module infection. Most of the flaws you find are programmatic errors. Even after the URL encoding/decoding scheme is implemented, the XSS vector traverses the web application. Let's see:

http://[Website URL]/profile.php?id= is the URL that I am using for testing. First I inject some infection parameters.

	1. ''<>
	Encoded as: id=''%3C%3E

	2. ''<a href="http://www.google.com">GOOGLE</a>
	Encoded as: id=''%3Ca%20href=http://www.google.com%3EGOOGLE%3C/a%3E
        
The output that I got (screenshot not included in this copy):

1. I was amazed by the fact that a single injection is diversified over the whole PHP web application: links are injected at every new object on the web page.

2. Secondly, the URL encoding does not have much effect, because even after the change in the URL the injection works.

3. The injection vector is divergent in its penetration approach.

Then I decided to have a look at the injected code (screenshot not included in this copy):

This really sets a new realm because the web application directly throws the module name on injection, which makes it very clear where the actual infection vector lies. More precisely, the injection vector passing straight through the encoding layer is the notable point. By the usual rule, URL encoding should render the payload harmless, but that is not happening here. Let's see why it occurs.

	function loadTab(tabID, contentID, divIDPrefix) {
		if (divIDPrefix != null) divID = divIDPrefix + "_tabDiv";
		else divID = "tabDiv";

		// Tab Classes
		document.getElementById(tabRegistered[divIDPrefix]).className = 'light_tab';
		document.getElementById(tabRegistered[divIDPrefix] + '_A').className = '';
		tabRegistered[divIDPrefix] = divIDPrefix + "_" + tabID;
		document.getElementById(divIDPrefix + "_" + tabID).className = 'dark_tab';
		document.getElementById(divIDPrefix + "_" + tabID + '_A').className = 'white';

		// Loading
		document.getElementById(divID).innerHTML = "";
		divRegistered = divID;

		// ... request and response handling as shown above
	}
	
	

Why Is a Dimodular Approach to Security Required?

If you look carefully, only a null check is performed on divIDPrefix; there is no bad-parameter check on tabID, contentID or divIDPrefix, and all three flow into getElementById() and into the request URL unvalidated. I have noticed many modules like this, and the vulnerability does exist with this type of parameter. That is one specific cause. The deeper cause lies with the PHP encoding checks: the check is performed in the top-level PHP code, while the JavaScript is written separately. The second failure comes from how the URL is interpreted: PHP decodes the id parameter and reflects it into the fragment it returns, and loadTab_processChange() then assigns that fragment to innerHTML, so whatever was decoded is parsed as HTML. For better protection the checks must also be performed in the JavaScript, on divID and the other parameters, and the response must be written through a safe sink rather than innerHTML. This is the need for a dimodular security approach: validation and output encoding on the server, and validation plus a safe sink on the client.
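The following is an added example (not the article's or the application's code) of what the client-side half of the dimodular approach looks like: loadTab's three parameters are checked against an allow-list pattern before they reach the URL or the DOM, values are URL-encoded when the query string is built, and the response is written with textContent instead of innerHTML. The function and parameter names follow the article's module; the base URL, the id pattern and the element stand-in used to run this under Node are assumptions.

```javascript
// Added example, not from the original article: a hardened client side for loadTab.
// Two defences the original omits: (1) tabID, contentID and divIDPrefix must match an
// allow-list pattern before use, and (2) the response is written via textContent so
// any markup in it is displayed, never parsed.

// Assumption: tab and content identifiers are short, plain tokens.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

// Reject anything that is not a plain identifier. The original only tested
// divIDPrefix != null; attacker-controlled values still reached getElementById
// and the request URL unchecked.
function assertSafeId(name, value) {
  if (typeof value !== "string" || !ID_PATTERN.test(value)) {
    throw new Error(`loadTab: refusing unsafe ${name}: ${JSON.stringify(value)}`);
  }
  return value;
}

// Same null rule as the article's module, but the prefix is validated first.
function tabContainerId(divIDPrefix) {
  if (divIDPrefix == null) return "tabDiv";
  return assertSafeId("divIDPrefix", divIDPrefix) + "_tabDiv";
}

// Build the request URL with encodeURIComponent on every value. The original
// concatenated tabID and contentID raw, so '&' or '#' in either would rewrite
// the query string.
function buildLoadTabUrl(baseUrl, tabID, contentID) {
  assertSafeId("tabID", tabID);
  assertSafeId("contentID", contentID);
  return `${baseUrl}?ajaxRequest=true&loadTab=${encodeURIComponent(tabID)}` +
         `&id=${encodeURIComponent(contentID)}`;
}

// Safe sink: textContent renders the response as text, so a reflected
// <a> or <script> in it is shown literally and never executed.
function renderTabText(container, responseText) {
  container.textContent = responseText;
  return container;
}

// Minimal stand-in for a DOM element so this runs under Node (constructed).
function fakeElement() {
  return { textContent: "" };
}

// Constructed response: what the vulnerable profile.php returned for payload 2.
const REFLECTED_RESPONSE = "Profile ''<a href=http://www.google.com>GOOGLE</a>";

function demo() {
  const url = buildLoadTabUrl("/profile.php", "profile", "42");
  const safe = renderTabText(fakeElement(), REFLECTED_RESPONSE);
  let rejected = null;
  try {
    buildLoadTabUrl("/profile.php", "profile", "''<a href=x>");
  } catch (e) {
    rejected = e.message;
  }
  return { url, safeText: safe.textContent, rejected };
}

const out = demo();
console.log("request URL :", out.url);
console.log("rendered    :", out.safeText);
console.log("rejected    :", out.rejected);
```

If a tab genuinely needs to display markup, the answer is not to go back to innerHTML with raw responseText; have the server HTML-encode any user-controlled data before it is embedded (as the htmlspecialchars() calls in the urldecode example do), or return structured data such as JSON and build the DOM from it on the client. The client-side allow-list does not replace server-side validation; it is the second module of the two.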





The Analysis is All done!