I'll be using the following terms throughout the article:
- AJAX area: server-side scripts that mainly process requests generated by client-side scripts (AJAX)
- Non-AJAX area: all other server-side scripts
- Application: sometimes used to refer to the JavaScript that runs in the browser.
In an AJAX application, the user loads a normal HTML page in the browser. This page includes JavaScript that later fires AJAX requests and fetches responses from the server asynchronously.
An AJAX request looks, in some sense, just like a normal HTTP request. However, AJAX enjoys a few extra capabilities. The central idea of this technique is that AJAX can add request headers to the request.
Many posts in the security community have pointed out that putting method names and the like in request headers exposes internal details of the APIs the server supports. But request headers can also be an advantage as far as CSRF prevention is concerned.
"If EVERY INCOMING REQUEST IN THE AJAX AREA IS REQUIRED TO INCLUDE A REQUEST HEADER, CSRF CAN BE PREVENTED."
This relies on the fact that the only way for a page to add a request header is through the XMLHttpRequest object (i.e. only AJAX has this capability *, **), and the browser's same-origin policy lets a script use that object only against its own origin. An attacker's page on another origin can make the victim's browser submit forms and load images against your site, with the victim's cookies attached, but it cannot attach a custom header to those requests.
Let's consider the following example to understand this clearly.
The website, which uses AJAX heavily, is divided into two sections: AJAX and non-AJAX. The non-AJAX area is protected from CSRF using other techniques. ALL AJAX requests originating from the application include a special request header, set with setRequestHeader(), that looks like the following: X-AJAX_AREA: true. Every server-side script in the AJAX area serves a request ONLY if it contains this special header. This way we know that whatever requests are served in this area were generated by the application itself. Note that the header value is not a secret; the protection comes entirely from the browser refusing to let other origins set the header, so the check must sit in front of every entry point of the AJAX area without exception.
Therefore CSRF risk in the AJAX area can be reduced to a great extent.
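Here is the technique above in working code, as an added example that is not part of the original post: the client side sets the X-AJAX_AREA header on every request into the AJAX area, and the server side refuses any request that arrives without it. The header name is the one the post uses; the function names, the /ajax/transfer URL and the sample requests are assumptions made for this example. It runs offline under Node.js, feeding a constructed forged request (what a cross-site form can produce) and a constructed legitimate request through the same guard.

```javascript
'use strict';

// Added example, not code from the original post. The header name X-AJAX_AREA
// comes from the post; the function names and the sample requests below are
// illustrative assumptions made for this example.

const AJAX_AREA_HEADER = 'X-AJAX_AREA';
const AJAX_AREA_VALUE = 'true';

// ---- Client side (browser) ----
// Every request the application sends into the AJAX area goes through this one
// function, so the marker header cannot be forgotten at a single call site. The
// XMLHttpRequest object is passed in rather than created here so that the
// function can also be exercised offline with a recording fake (see below).
function sendAjaxAreaRequest(xhr, method, url, body) {
  xhr.open(method, url, true);
  xhr.setRequestHeader(AJAX_AREA_HEADER, AJAX_AREA_VALUE);
  if (body !== undefined) {
    xhr.setRequestHeader('Content-Type', 'application/json');
  }
  xhr.send(body === undefined ? null : JSON.stringify(body));
  return xhr;
}

// ---- Server side ----
// HTTP header names are case-insensitive. Node.js lowercases them in
// req.headers, other stacks keep the wire spelling, so compare
// case-insensitively instead of relying on one spelling.
function hasAjaxAreaHeader(headers) {
  const wantName = AJAX_AREA_HEADER.toLowerCase();
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === wantName &&
        String(value).trim().toLowerCase() === AJAX_AREA_VALUE) {
      return true;
    }
  }
  return false;
}

// The gate that every script in the AJAX area runs first. Anything that arrives
// without the marker is refused before any application logic sees it. A plain
// decision object is returned so callers (and tests) can see why.
function ajaxAreaGuard(req) {
  if (!hasAjaxAreaHeader(req.headers)) {
    return { allowed: false, status: 403, reason: 'missing ' + AJAX_AREA_HEADER };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// ---- Constructed sample requests ----
// What a cross-site <form method="POST"> on attacker.example can make the
// victim's browser send: the session cookie is attached automatically, but the
// attacker's page has no way to add a custom header to a form submission.
const forgedRequest = {
  method: 'POST',
  url: '/ajax/transfer',
  headers: {
    cookie: 'session=abc123',
    'content-type': 'application/x-www-form-urlencoded',
    referer: 'http://attacker.example/',
  },
};

// What the application's own JavaScript sends. A fake XMLHttpRequest records
// the calls so we can build the request the way the server would see it.
function legitimateRequest() {
  const calls = [];
  const fakeXhr = {
    open: (...args) => calls.push(['open', ...args]),
    setRequestHeader: (name, value) => calls.push(['header', name, value]),
    send: (body) => calls.push(['send', body]),
  };
  sendAjaxAreaRequest(fakeXhr, 'POST', '/ajax/transfer', { to: 'bob', amount: 10 });

  const headers = { cookie: 'session=abc123' };  // the browser adds the cookie itself
  for (const c of calls) {
    if (c[0] === 'header') headers[c[1].toLowerCase()] = c[2];  // Node-style lowercasing
  }
  return { method: 'POST', url: '/ajax/transfer', headers, calls };
}

// Run both requests through the gate and report the decisions.
function demo() {
  const results = {
    forged: ajaxAreaGuard(forgedRequest),
    legitimate: ajaxAreaGuard(legitimateRequest()),
  };
  console.log(JSON.stringify(results, null, 2));
  return results;
}

demo();
```

Run it with node: the forged request comes back 403 and the legitimate one 200. The case-insensitive comparison in hasAjaxAreaHeader matters in practice: Node.js lowercases incoming header names, so a check written against the exact spelling X-AJAX_AREA would silently reject every real request on such a stack.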
Notes:
- If your site has XSS, this technique won't help: injected script runs in your origin and can set the header itself.
- This does not prevent other injection attacks.
- Gmail is an example of an application that uses AJAX heavily.
- This technique works only in the AJAX area of the application.
- Browsers that implement CORS do let a script on another origin attempt such a request, but the custom header forces a preflight OPTIONS request that the server must explicitly approve; as long as the server does not list X-AJAX_AREA in Access-Control-Allow-Headers for untrusted origins, the browser never sends the real request.
* Written to the best of my knowledge; any criticism is highly encouraged.
** I do not know if this is possible with other technologies like Flash, but I hope something like this is no longer possible.

2 comments:
It looks like that would still be possible via Flash.
Flash 9 appears not to allow overriding browser headers, but otherwise you could add new ones fairly easily.
Seems like these technologies will keep messing with the Web.