Subverting Ajax
Stefano Di Paola, Giorgio Fedon

Next generation vulnerabilities in 2.0 Web Applications

The ability of modern browsers to use asynchronous requests introduces a new type of attack vector. In particular, an attacker can inject client-side code to totally subvert the communication flow between client and server. In fact, the advanced features of Ajax frameworks build up a new transparent layer that is not controlled by the user. This paper will focus on the security aspects of Ajax technology and on their influence upon privacy issues. Ajax is not only a group of features for web developers: it's a new paradigm that allows leveraging the most refined client-side attacks.

--

Ajax and the new dynamic extensions introduce new threats that lead to innovative attack scenarios against web applications.

In a world where the user learned to behave properly in his interaction with the old web interfaces, many innovative technologies are emerging. Ajax and new dynamic web extensions empower web browsers and client-server communications, but they also bring new threats and undisclosed attack scenarios. Web 2.0 is going to be the first choice in upcoming web projects, and many companies are migrating to new dynamic front-ends to add value to their institutional sites, corporate intranets and online banking portals.

After a quick overview of simple Cross Site Scripting attacks, the talk will focus on security aspects of Web 2.0 technologies, exploring unconventional and undisclosed attack techniques. During the presentation we will show the next step in content/request hijacking and the next generation of client-side and server-side injection. Specifically, by applying advanced JavaScript techniques like prototyping, we'll see how to hijack functions and objects in order to have transparent attacks without breaking JavaScript code in Ajax web pages.
Moreover, non-trivial ways to attack web pages and inject code by taking advantage of other kinds of vulnerabilities in a cross-domain environment will be shown. Finally, we will see how poor design choices in web browsers lead to new kinds of attack vectors, like UXSS through plugins and sandbox framework flaws.

Attached files
Subverting Ajax - Pdf (PDF file - 603.0 KB): http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf

Links
Project Site: http://www.wisec.it/

--

http://events.ccc.de/congress/2006/Fahrplan/speakers/1155.en.html

23rd Chaos Communication Congress
Who can you trust?

Events
Subverting AJAX

Stefano Di Paola

Speakers: Stefano Di Paola, Giorgio Fedon
Day 3, Saal 3, start 17:15, duration 1:00
ID 1602, Event type Lecture, Track Hacking, Language English

Software engineer, secure software developer and security researcher. Stefano has great knowledge of web security in LAMP environments. He found some of the most critical vulnerabilities in MySQL / PHP core products and always tries to be a step ahead in security research on new application environments. Stefano works as a freelance security and ICT consultant for several Italian companies and public administrations.

Holding a Master's degree in Software Engineering, Stefano Di Paola is a security and ICT consultant for several Italian companies and public administrations. He teaches the "Web Security" and "Databases" subjects at the University of Florence in graduate and post-graduate courses. He is also project manager and developer in several open and closed source projects. He has been involved as a professional security researcher since 1997, and has published several of the major vulnerabilities in MySQL products and the PHP core engine (http://www.wisec.it/vulns.php?lang=en). In recent years his research has focused on open source products, paying particular attention to Web security.

Links
http://www.wisec.it