MGBrown.com

Ajax Security

As far as I can tell, there is nothing terribly insecure about Ajax itself, but as with most internet technologies, in the wrong hands it can be very insecure indeed.

A while ago I was doing some maintenance on an ASP application for a large multinational company. I was looking at a page that allowed the selection of a user from a long list of names. Around 1500 names in fact.

After some digging around I discovered that this page was using Microsoft's Remote Scripting to populate the list of names ten at a time. Every time you scrolled down the list ten more names were loaded. As a result the page loaded very quickly considering the size of the list.

It was only when I started looking at the JavaScript for this that I realised the true horror of the implementation. You see, what the original developer had done was create a server script that took a database user name, password and SQL string, ran this against their SQL Server and returned the results. Basically they had created a hole through their firewall that allowed you to run any SQL query.

This would not have been so bad if the database user they were using had highly restricted rights on the database and they had used HTTPS. As it turned out, the account they were using was the system administrator (SA) account and the request was plain old HTTP. So anyone with the skill to select View/Source in their browser had all the information required to run any SQL command they liked, including xp_cmdshell!
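To make the two design decisions above concrete, here is an added example that is not the original ASP/Remote Scripting code from the post. It is written in Python against an in-memory SQLite database standing in for the firm's SQL Server: `flawed_handler` mirrors the shape of the original script (the client supplies the SQL text), `names_handler` is the paging endpoint as it should have been written (the client supplies only a page number and the server runs one fixed, parameterized query), and `restrict_to_user_list` uses an SQLite authorizer to play the role of a database login that can only read the user list. The table and column names, the 1500 constructed user rows and the placeholder card number are all assumptions made up for the demo.

```python
import sqlite3

PAGE_SIZE = 10  # the original page loaded names ten at a time


def build_demo_db():
    """Constructed stand-in for the production database: a user list plus the
    card data the post says sat next to it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute(
        "CREATE TABLE card_transactions "
        "(id INTEGER PRIMARY KEY, card_number TEXT, approved INTEGER)"
    )
    # Zero-padded names so ORDER BY name gives a stable, predictable paging order.
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [(f"user{i:04d}",) for i in range(1, 1501)],
    )
    # Placeholder value, not a real card number.
    conn.execute(
        "INSERT INTO card_transactions (card_number, approved) VALUES (?, 0)",
        ("4111-0000-0000-0000",),
    )
    conn.commit()
    return conn


def flawed_handler(conn, request):
    """The design described in the post: whatever SQL the browser sends is run
    as-is. Kept only to show what a restricted account does to it."""
    return conn.execute(request["sql"]).fetchall()


def names_handler(conn, request):
    """Hardened paging endpoint: the only client-controlled input is an integer
    page number, which is validated and bound as a parameter."""
    try:
        page = int(request.get("page", 0))
    except (TypeError, ValueError):
        raise ValueError("page must be an integer")
    if page < 0:
        raise ValueError("page must be non-negative")
    return conn.execute(
        "SELECT id, name FROM users ORDER BY name LIMIT ? OFFSET ?",
        (PAGE_SIZE, page * PAGE_SIZE),
    ).fetchall()


def restrict_to_user_list(conn):
    """Simulate a least-privilege database login: permit SELECT statements that
    read the users table and deny every other action (other tables, DML, DDL)."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "users":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def try_untrusted_sql(conn, sql):
    """Run the flawed handler and report whether the database account let the
    statement through; 'denied' is the outcome a restricted login produces."""
    try:
        return ("ok", flawed_handler(conn, {"sql": sql}))
    except sqlite3.DatabaseError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    db = build_demo_db()
    print("SA-style account:", try_untrusted_sql(db, "SELECT card_number FROM card_transactions"))
    restrict_to_user_list(db)
    print("restricted account:", try_untrusted_sql(db, "SELECT card_number FROM card_transactions"))
    print("first page of names:", names_handler(db, {"page": "0"}))
```

The authorizer is only a stand-in: on a real SQL Server the equivalent is a dedicated login granted SELECT on the one table the page needs, and the point the demo makes is that the paging endpoint needs no SQL or credentials from the browser at all, so there is nothing useful for View/Source to reveal.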

Now I reckon that no hacker ever ran xp_cmdshell. The reason I say this is that the database would have had a hacker far too interested to want to get any further. You see, the application in question was being used to process the firm's credit card payments. At the end of each month the credit card company would send all the transactions made on the firm's cards in a data file. This file was then loaded into the application and the staff would approve or reject the transactions they had made. So just by accessing this database a hacker could get a list of credit card numbers and be able to approve any transactions they made using them. After I pointed this out to the management, they decided to unplug the system while it was completely rewritten.

Comments

Re: Ajax Security

Great find, I'm glad you told them about it! It could have been bad news. That is a major vulnerability in a system like that. I think it was the right thing to do!

Comment from james kingsted - domain inform at Monday, 16 April 2007 11:16PM (GMT+00)
