Data serialization – Browsers can invoke an Ajax call and perform data serialization. It can fetch JS array, Objects, Feeds, XML files, HTML blocks and JSON. If any of these serialization blocks can be intercepted and manipulated, the browser can be forced to execute malicious scripts. Data serialization with untrusted information can be a lethal combination for end-user security.

Dynamic script construction & execution – Ajax opens up a backend channel and fetches information from the server and passes it to the DOM. In order to achieve this one of the requirements is the dynamic execution of JavaScripts to update the state of the DOM or the browser’s page memory. This is achieved by calling customized functions or the eval() function. The consequence of not validating content or of making an insecure call can range from a session compromise to the execution of malicious content.

Web 2.0 applications can become vulnerable with one or more lapses mentioned above. If developers have not taken enough precautions in putting in place security controls, then security issues can be opened up on both the server as well as browser ends. Here is a list and brief overview of ten possible security holes.


(1) Malformed JS Object serialization

JavaScript supports Object-Oriented Programming (OOP) techniques. It has many different built-in objects and allows the creation of user objects as well. A new object can be created using new object() or simple inline code as shown next:

message = {

from : "john@example.com",

to : "jerry@victim.com",

subject : "I am fine",

body : "Long message here",

showsubject : function(){document.write(this.subject)}

};

Here is a simple message object that has different fields required for email. This object can be serialized using Ajax and consumed by JavaScript code. The programmer can either assign it to the variable and process it or make eval(). If an attacker sends a malicious “subject” line embedded with script then it makes the reader a victim of cross-site scripting attacks. A JS object can have both data and methods. Improper usage of JS object serialization can open up a security hole that can be exploited by crafty packet injection code.

(2) JSON pair injection

JavaScript Object Notation (JSON) is a simple and effective lightweight data exchange format and one that can contain object, array, hash table, vector and list data structures. JSON is supported by JavaScript, Python, C, C++, C# and Perl languages. Serialization of JSON is a very effective exchange mechanism in Web 2.0 applications. Developers choose JSON over Ajax very frequently and fetch and pass required information to the DOM. Here is a simple JSON object “bookmarks” object with different name-value pair.

{"bookmarks":[{"Link":"www.example.com","Desc":"Interesting link"}]}

It is possible to inject a malicious script in either Link or Desc. If it gets injected into the DOM and executes, it falls into the XSS category. This is another way of serializing malicious content to the end-user.