A Study of Ajax Template Injection in Web Applications

  • Abstract

    Cyber-attacks are becoming increasingly frequent and cause a great deal of damage. They have crippled our economic infrastructure both directly and indirectly. Attackers steal valuable data by exploiting security loopholes in web applications. Developers can prevent many cyber-attacks by using the latest web technologies. As web technologies become more secure, attackers are becoming more intrusive, searching for zero-day vulnerabilities in a targeted system in order to breach its security. Nowadays the most damaging attacks are carried out using zero-day vulnerabilities. An Ajax template injection is such an attack: an unauthenticated attacker dumps database table credentials by intercepting the server response. Owing to the damage an Ajax template injection can cause, it may be counted among the OWASP top ten web application vulnerabilities in the near future. This paper discusses the idea of an Ajax template injection and its impact on Ajax-based web applications. It also provides statistical data on the percentage of Ajax-based web applications in Bangladesh that are vulnerable.

  • Keywords

    Cyber Security, Web Application, Vulnerability, Ajax Template Injection, Asynchronous, XHTML, XML HTTP Request, Ajax bridging.

Article ID: 16337
DOI: 10.14419/ijet.v7i3.13.16337

Copyright © 2012-2015 Science Publishing Corporation Inc. All rights reserved.