AJAX Exploitation used to bypass security Filters!

by Stephen O
Researchers have detected a new exploit, this time one in which attackers use AJAX, or “Asynchronous JavaScript and XML”, to meet their insidious ends. “Ajax (Asynchronous JavaScript and XML) is a method of building interactive applications for the Web that process user requests immediately. Ajax combines several programming tools including JavaScript, dynamic HTML (DHTML), Extensible Markup Language (XML), cascading style sheets (CSS), the Document Object Model (DOM), and the Microsoft object, XMLHttpRequest.” (SearchWinDevelopment, 2007) Basically, it allows websites to show people dynamic content; Google Maps is an example. When you move around the map, it automatically loads new areas. Unlike traditional web pages, which simply load content and then disconnect from the web server until the user makes a request, an AJAX page remains connected to the web server and requests new data on the fly when it is required. Using our Google Maps example, let us say we are looking over the Los Angeles area: we can scroll southward towards San Diego and the map loads more terrain on our digital trip south, all thanks to AJAX.

What the exploit does is fairly amazing and scary. Security filters look for malware as a whole: when they see a malicious script, they can recognize it and block it. This exploit, however, is called a Fragmented AJAX Exploit because it takes a fragmented approach to sending these nasty scripts. It sends pieces so small that the filter does not recognize them as malicious. The fragments are harmless until dynamic content is requested and loaded. The exploit is able to pass through firewalls and avoid detection until it is too late. “‘This attack scenario definitely has its advantages: by passing the payload in several distinct chunks, the offending packets would likely avoid interception as they pass through the firewall,’ said Bogdan Botezatu, an e-threats analyst at antivirus vendor BitDefender.” (Constantin, 2012) Some antivirus programs may be able to detect the malicious code once it is in memory, but users should not count on that to protect themselves; people using the internet should always practice safe surfing habits.
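The gap described above, as an added example (not from the original article or the cited researchers): a filter that checks each AJAX response on its own misses a signature split across responses, while one that carries state across a session's responses still matches it. The signature string, the sample responses and all function names are constructed placeholders.

```javascript
// Constructed, harmless stand-in for a real malware signature.
const SIGNATURES = ["BLOCKED-TEST-SIGNATURE"];

// Constructed sample traffic: the same marker sent whole and in three pieces.
const WHOLE = ["<p>map tile 1</p>", "xx BLOCKED-TEST-SIGNATURE xx"];
const FRAGMENTED = ["BLOCK", "ED-TEST-SIG", "NATURE"];

// Naive filter: inspects every response body in isolation.
function scanPerResponse(bodies) {
  return bodies.some(body => SIGNATURES.some(sig => body.includes(sig)));
}

// Stateful filter: remembers the tail of what it has already seen in this
// session, so a signature that straddles response boundaries still matches.
class SessionScanner {
  constructor(signatures) {
    this.signatures = signatures;
    // Longest possible unfinished prefix of any signature.
    this.keep = Math.max(...signatures.map(s => s.length)) - 1;
    this.tail = "";
  }

  // Returns true if a signature ends inside this body.
  feed(body) {
    const joined = this.tail + body;
    const hit = this.signatures.some(sig => joined.includes(sig));
    // slice(-0) would return the whole string, so handle keep === 0.
    this.tail = this.keep > 0 ? joined.slice(-this.keep) : "";
    return hit;
  }
}

// Scans all responses of one session with carried-over state.
function scanSession(bodies) {
  const scanner = new SessionScanner(SIGNATURES);
  return bodies.some(body => scanner.feed(body));
}

console.log("whole, per-response:     ", scanPerResponse(WHOLE));
console.log("fragmented, per-response:", scanPerResponse(FRAGMENTED));
console.log("fragmented, per-session: ", scanSession(FRAGMENTED));
```

The stateful scanner assumes the fragments arrive in order and unaltered; anything the page's script assembles differently is only visible after assembly, at the in-memory stage mentioned above.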

Reflection:

It is a scary world, no doubt about it. Things you would normally think are safe now contain malicious code. Something to think about next time you are using Google Maps to find your local Chili's, because now you possibly have a key logger logging your keys when all you wanted were some baby back ribs with some cinnamon apples and home-style fries. Now your identity has been stolen and you're up to your eyebrows in debt that isn’t yours. I hope those ribs were worth it…

 

Yeah, it really does bite. You cannot let your guard down: there might be malicious code in Flash ads, things like Google Maps that use AJAX are no longer safe, and they have found another way to harm you. All you can do is practice safe computing habits: make sure your browsers and their plug-ins are always up to date (especially Adobe Flash), and make sure your malware and antivirus suites are up to date. Most importantly of all, stay away from websites you are not familiar with. This includes URLs in emails from people you don’t know promising amazing things; there are no Nigerian princes who want to include you in some business venture.

Sources:

Constantin, L. (2012, January 5). Fragmented AJAX-based Web Exploitation Attacks Detected in the Wild. Retrieved January 15, 2012, from PCWorld: http://www.pcworld.com/businesscenter/article/247332/fragmented_ajaxbased_web_exploitation_attacks_detected_in_the_wild.html

SearchWinDevelopment. (2007, October). Ajax (Asynchronous JavaScript and XML). Retrieved January 15, 2012, from SearchWinDevelopment: http://searchwindevelopment.techtarget.com/definition/Ajax

 

1 thought on “AJAX Exploitation used to bypass security Filters!”

  1. Just a couple of questions. It seems as if this AJAX exploitation can be stopped by simply turning it off, like using NoScript, which disables any JavaScript-type parts of a webpage? Is this one way of getting around this exploit, or is this something that will always be lingering around? And was there any mention of AJAX distributing a fix to this problem, or will it just persist?
