Why it's so hard to find XSS entry points

Last week at RSA we had a great P2P session on Web 2.0 and more specifically AJAX and the potential security risks involved in deploying applications based on the fledgling technology. Then there were those who stopped by the F5 booth to listen to me ramble on some more about AJAX, security, and performance. Some even appeared interested. Like the guy who asked specifically, "What can I do to find out where our AJAX applications are vulnerable?"

I explained the reasons why, but wasn't able to point him to a good resource on the subject that really dove into how to scan AJAX for XSS vulnerabilities. None of the tools out there aside from Cenzic's Hailstorm currently address the problem, and while they aren't that expensive, they ain't cheap, either.

One of the reasons it is so difficult to secure AJAX is that there are multiple entry points through which the application can be exploited. You can't just scan the resulting HTML and JavaScript for URIs and then test them for vulnerabilities, because the URIs for AJAX calls are usually built dynamically at run-time. That's the power - and the danger - of AJAX.
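To make the run-time problem concrete, here is an added example (my own illustration, not code from this post or from the Net Square article). It contrasts a naive static scan of AJAX source for URI literals with recording what `XMLHttpRequest.open()` is actually called with while the application runs. The sample client code, the `FakeXMLHttpRequest` stand-in that lets it run under Node, and the helper names (`staticScanForUris`, `installXhrRecorder`, `discoverEntryPoints`) are all constructed for this demonstration.

```javascript
// Added example, not code from the post or from the Net Square article.
// It shows why a static scan of AJAX source for URIs misses endpoints that
// are assembled at run time, and how recording XMLHttpRequest.open() while
// the application runs recovers them for a pentest inventory.

// Constructed sample of client-side code (kept as a string so we can both
// scan it and execute it). Neither request URI exists as a literal in it.
const SAMPLE_SOURCE = `
  var base = '/api/';
  function loadProfile(userId) {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', base + 'user/' + encodeURIComponent(userId) + '/profile');
    xhr.send();
  }
  function search(term) {
    var xhr = new XMLHttpRequest();
    xhr.open('POST', [base, 'search'].join(''));
    xhr.send('q=' + term);
  }
`;

// Naive static scan: collect string literals that look like URL paths.
// This is what "scan the HTML and JavaScript for URIs" amounts to; it only
// finds fragments ('/api/', '/profile'), never a complete entry point.
function staticScanForUris(source) {
  const found = new Set();
  const re = /['"](\/[A-Za-z0-9_\-\/.?=&]+)['"]/g;
  let m;
  while ((m = re.exec(source)) !== null) found.add(m[1]);
  return [...found];
}

// Minimal stand-in for the browser's XMLHttpRequest so the example runs in
// Node; in a real page you would patch window.XMLHttpRequest.prototype.open.
class FakeXMLHttpRequest {
  open(method, url) { this.method = method; this.url = url; }
  send(body) { this.body = body; }
}

// Wrap XhrClass.prototype.open so every request the app makes is recorded
// with its fully assembled URI. Returns the log and a restore function.
function installXhrRecorder(XhrClass) {
  const seen = [];
  const originalOpen = XhrClass.prototype.open;
  XhrClass.prototype.open = function (method, url, ...rest) {
    seen.push(`${String(method).toUpperCase()} ${String(url)}`);
    return originalOpen.call(this, method, url, ...rest);
  };
  const restore = () => { XhrClass.prototype.open = originalOpen; };
  return { seen, restore };
}

// Dynamic discovery: load the app code with the instrumented XHR in scope,
// exercise its functions the way a user (or a crawler driving the UI) would,
// and return the distinct "METHOD uri" entry points that were actually hit.
function discoverEntryPoints(source, XhrClass = FakeXMLHttpRequest) {
  const { seen, restore } = installXhrRecorder(XhrClass);
  try {
    const load = new Function(
      'XMLHttpRequest',
      source + '\nreturn { loadProfile: loadProfile, search: search };'
    );
    const app = load(XhrClass);
    app.loadProfile('alice');   // sample inputs, constructed for the demo
    app.search('widgets');
  } finally {
    restore();                  // leave the prototype as we found it
  }
  return [...new Set(seen)];
}

console.log('static scan:', staticScanForUris(SAMPLE_SOURCE));
console.log('runtime log:', discoverEntryPoints(SAMPLE_SOURCE));
```

The static scan returns only `/api/` and `/profile`, neither of which is a real endpoint, while the runtime log yields `GET /api/user/alice/profile` and `POST /api/search`. In a browser the same trick is to patch `window.XMLHttpRequest.prototype.open` (and `window.fetch`) from the developer console before clicking through your own application; the recorded list is the entry-point inventory you hand to the penetration testers as a starting point. It is discovery only, not a vulnerability test.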

Shreeraj Shah @ Net Square wrote a great article on this very subject, and did a great job of not only explaining in depth why dynamic URI construction is dangerous but how to at least perform a cursory scan to discover where the points of entry may be. While it won't secure your AJAX application, it will give your penetration testers a good place to start looking for vulnerabilities, and that's always better than running blind. Check it out - it's a great read and a good start to building a Web 2.0 Security toolkit.

Scanning AJAX for XSS Entry Points

Imbibing: Coffee