This article gives an overview of the AJAX technologies, using JavaScript as the concrete example, and describes some of the main classes of vulnerability that are drawing increasing attention from developers, website owners and visitors alike. The remedy proposed is to test AJAX and JavaScript applications with a vulnerability scanner that does not merely parse the HTML source to identify embedded JavaScript, but can also execute all of that script code. Automating the analysis is also a key element of the review process, because the complexity of web applications keeps growing.
1. AJAX and JavaScript
1.1. Introduction to the technology
Web 2.0 technology and AJAX (Asynchronous JavaScript and XML) are attracting growing interest from businesses around the world.
One of the main reasons for AJAX's rising popularity is the scripting language it uses, JavaScript. The language makes it possible to build dynamic forms with built-in validation, create calculated regions on a page, interact with the user through alerts and confirmation prompts, change the background, text colour or the look of "buttons" on the fly, read the URL history and act on it, open and control windows, and serve text or different parts of a document on the user's request.
AJAX is not a single technology. More precisely, it is a set of technologies, each of which provides one foundation for designing and developing web applications:
• XHTML or HTML together with Cascading Style Sheets (CSS) provide the standards for presenting page content to the user.
• The Document Object Model (DOM) provides the structure that allows content to be displayed dynamically and interacted with. The DOM exposes powerful ways to access and manipulate the objects in any document.
• XML and XSLT provide a data format so that data can be manipulated, transferred or exchanged between the server and the client.
• XMLHttpRequest: the biggest shortcoming of the classic web application model is that every time a page is loaded into the user's browser, the connection to the server is closed. Moreover, following a link within the page requires a new connection to the server and a reload of the entire page, even if the user only wanted to expand a single element. XMLHttpRequest allows data to be requested asynchronously, so the page does not reload when the user changes something small.
• JavaScript (JS): the scripting language that binds these components together so they work effectively, and which therefore plays a central role in the web application.
It is because of these components that AJAX is associated with high interactivity, speed and ease of use. The technology is far richer and friendlier for the user, because web applications can be designed to resemble "traditional" desktop applications, as Google Docs and Spreadsheets, Google Maps or Yahoo! Mail do.
At the start of a session, instead of loading the requested page directly, the AJAX engine written in JS is loaded. It acts as an intermediary sitting between the user and the web server, serving both as a user interface and as the communication channel between the client-side browser and the server.
The main difference is a feature that is very easy to notice. When a request is sent to the web server, the individual parts of the page are updated independently (asynchronously), instead of the request being answered only after the entire page has been rebuilt (synchronously).
Previously, reading an e-mail meant a series of clicks and submits, each requesting the set of frames that made up the display of different users' mail. This slowed down access to and use of the web application considerably. With asynchronous transfer, AJAX applications remove the tedious "start-stop-stop-start" interaction that was inherent in the web. Requests to the server now happen seamlessly from the user's point of view.
Another notable point is that the different parts of the site are loaded on demand, relatively quickly. This considerably reduces the bandwidth needed per request, because the page no longer has to reload all of its content. Records can also be added or deleted, forms reviewed, search queries fetched and directory trees edited, all of which make the web application more efficient without requiring the entire HTML source of the page to be present.
1.2. Classes of vulnerability
1.2.1. The AJAX vulnerability class
Although AJAX is considered one of the most powerful sets of technologies, it is not free of security vulnerabilities, and these carry real risk for AJAX applications.
According to Pete Lindstrom, director of security strategy at Hurwitz Group, web applications are today the part of the IT infrastructure that leaves the most vulnerabilities. The growing number of organisations (commercial and non-profit) that depend on Internet-based applications shows AJAX's growing power and influence. This group of technologies is becoming more complex, allowing deeper implementations with many convenient features. But if organisations do not protect their web applications, the security risk is always present and the level of danger can only increase.
As interaction in web applications grows, so does the volume of XML, text and plain HTML traffic. This often creates gaps that become vulnerabilities where none existed before. And without adequate protection on the server side, you leave an opening that lets unvalidated users manipulate their own privilege settings.
There is a common misconception that AJAX applications are more secure because the user cannot reach the server-side scripts when no user interface is rendered for them. In reality, web applications built on XMLHttpRequest merely obscure the server-side scripts, giving developers and website owners a false sense of security. Because XMLHttpRequest works over the same protocol as everything else on the web (HTTP), AJAX-based web applications technically have the same kinds of vulnerabilities and can be broken in the same ways as "ordinary" applications.
As a result, session-management vulnerabilities increase, and with greater severity, because a hacker who takes over a session gains access to the many hidden URLs that the AJAX requests need.
Another weak point of AJAX is the way requests to the server are formulated. AJAX works by using JavaScript to package the user's commands and turn them into function calls. These calls are sent to the server in plain text and can easily leak database table fields such as product names or user IDs, and even important variable names, valid data types, range limits or any other parameter a hacker can exploit and manipulate.
With this information, a hacker can easily invoke the AJAX functions without the interface, by hand-crafting HTTP requests directly to the server. If the hacker uses cross-site scripting, malicious scripts can make AJAX provide extra functionality while acting as a legitimate user, deceiving the user with the ultimate goal of redirecting the session (as in phishing) or monitoring traffic.
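To make this concrete, here is an added example that is not part of the original article: a constructed AJAX endpoint whose only check lives in the client-side script, beside a server-side handler that re-validates the same request. The endpoint /api/setRole, the field names and the session object are invented for the illustration.

```javascript
// Added example (not from the article): client-side checks are advisory only.
// The endpoint, field names and session shape below are invented.

// Browser-side code as shipped in the page. Everything in it is visible to
// anyone who reads the page source: the endpoint, the parameter names and the
// check itself.
function buildClientRequest(userId, role) {
  // Client-side "validation": only the UI path goes through it.
  if (role !== "user") {
    throw new Error("client: only the 'user' role may be requested");
  }
  return { method: "POST", path: "/api/setRole", body: { userId: userId, role: role } };
}

// What an attacker sends instead, typed out by hand (curl, proxy, script)
// after reading the parameter names from the JavaScript above.
const HANDCRAFTED_REQUEST = {
  method: "POST",
  path: "/api/setRole",
  body: { userId: 7, role: "admin" },
};

// Server-side handler, version 1: trusts the request because "the UI would
// never send anything else". The bypassed client check was the only control.
function handleSetRoleTrusting(req, session) {
  return { status: 200, userId: req.body.userId, role: req.body.role };
}

// Server-side handler, version 2: re-validates every field and takes the
// authorization decision from the server-side session, which the attacker
// cannot edit from the browser.
const ALLOWED_ROLES = new Set(["user", "editor", "admin"]);

function handleSetRoleHardened(req, session) {
  const { userId, role } = req.body;
  if (!Number.isInteger(userId) || userId <= 0) {
    return { status: 400, error: "invalid userId" };
  }
  if (!ALLOWED_ROLES.has(role)) {
    return { status: 400, error: "invalid role" };
  }
  // Granting admin, or touching someone else's account, needs an admin session.
  const changingOther = userId !== session.userId;
  if ((role === "admin" || changingOther) && !session.isAdmin) {
    return { status: 403, error: "forbidden" };
  }
  return { status: 200, userId: userId, role: role };
}

// Run both handlers against the same hand-crafted request sent from an
// ordinary user's session.
function demo() {
  const session = { userId: 7, isAdmin: false };
  return {
    trusting: handleSetRoleTrusting(HANDCRAFTED_REQUEST, session),
    hardened: handleSetRoleHardened(HANDCRAFTED_REQUEST, session),
  };
}
```

The trusting handler promotes the attacker to admin because the only check that would have stopped it ran in the attacker's own browser; the hardened handler answers 403 because it decides from the server-side session, not from request fields.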
1.2.2. The JavaScript vulnerability class
Although many websites deliver their interactive components through JavaScript, the widespread use of this technology also brings serious security concerns that call for vigilance.
In the past, most security problems came from worms and epidemics aimed at e-mail systems or exploiting weaknesses through Cross Site Scripting (XSS). These self-replicating worms inject malicious code into websites in order to lure web browsers or e-mail clients into parsing or executing it, so as to spread into the system and manipulate it, or simply to harvest user data.
As web browsers and their technical capabilities continue to develop, malicious code is refined constantly. Old forms are reworked and strengthened while new security concerns related to JavaScript and AJAX keep appearing. These advanced techniques appeared at the same time as a marked shift in hackers' long-term motives: from destruction for notoriety (such as defacing websites) to economic targets (stealing corporate data, credit card numbers, ...) and the large profits to be made on the black market.
XSS worms are becoming smarter and more destructive, launching wide-area denial-of-service (DoS) attacks, sending spam and attacking e-mail, and aggressively exploiting browser vulnerabilities. Recently it was found that such worms can also use JavaScript to map home or corporate networks and immediately expose the devices on them (printers, routers, storage devices) to attack.
The result of these sophisticated attacks is usually that the hacker locates valuable resources on the network and injects malicious JavaScript into an internal web page, or into any publicly used AJAX application, to harvest data.
The problem is that, so far, most dedicated web application scanners have serious trouble testing pages with embedded JavaScript. Client-side JS, for example, requires a great deal of manual intervention (rather than automatic configuration) before it can be handled reliably.
2. The JavaScript engine of Acunetix WVS
Acunetix WVS v4.0 adds the Acunetix Client Script Analyzer (CSA), a fully automatic JavaScript parsing and analysis engine that meets the common need to "crawl" and follow JS links without doing so by hand.
To scan for vulnerabilities, Acunetix WVS reproduces the manual work of a penetration tester (following hacking principles). The first step is to crawl the website and its web applications to determine their directory structure.
Every standard web browser has a JavaScript engine that interprets and executes the JS embedded in HTML pages. Acunetix WVS works in the same way, as a JS engine.
When a document is loaded into a web browser, the HTML tags are parsed to render the visual appearance of the various objects on the requested page. At the same time, any JavaScript present is executed, which can trigger events and actions inside the page shown to the user. Some events and actions require user interaction, but many do not (for example, hidden scripts, or scripts that execute without any user interaction).
Similarly, Acunetix WVS loads the page, parses the HTML source within it and executes every event and action found on the page under test. Acunetix WVS replicates almost all of the Microsoft Internet Explorer interfaces that use the JavaScript engine, and offers most of the same automatic functions found in a web browser.
The main advance in Acunetix WVS is that it actually executes the scripts, whereas most web application scanners stop at parsing the JS on the page. This execution matters because it allows AJAX and JavaScript web applications to be tested in greater depth, so Acunetix WVS can find many other flaws hidden deep in the core of the page.
CSA pinpoints the exact location of all the different scripts, with their content and their references to the relevant objects, events and actions. CSA also executes every script found on the pages, both those triggered by user interaction (such as OnClick, OnChange) and those triggered by the system (such as OnLoad, OnUnload). Acunetix CSA also executes scripts that are hidden during HTML parsing, because they affect the parsing itself (these scripts actually define the structure of the page), which can be pictured as a DOM tree:
HTML
 |
 +- HEAD
 |
 +- BODY
     |
     +- P
         |
         +- A
         |
         +- IMG
After parsing the page, CSA fires all the remaining events recorded while executing the scripts. Firing follows the logical web flow: for example, a user cannot press a button until the page has finished loading, so 'OnClick' always follows 'OnLoad'.
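As an added illustration that is not part of the article or of the Acunetix product, the following constructed page shows the gap between the two approaches: a static parser sees only the literal href, while executing the inline script and firing onload before onclick, against stub browser objects, reveals the AJAX endpoints the page really calls. The page, the /api/v1 endpoints and the stub objects are invented; a real scanner would run the scripts inside a sandboxed engine rather than with new Function.

```javascript
// Added example (not from the article): static HTML parsing versus script
// execution. The page below is constructed; only /about is a static link, the
// other endpoints are built at runtime.
const SAMPLE_PAGE = `
<html>
<head>
<script>
  var base = "/api/v1";
  function loadProfile(id) {
    var xhr = new XMLHttpRequest();
    xhr.open("GET", base + "/user?id=" + id, true);
    xhr.send();
  }
</script>
</head>
<body onload="loadProfile(42)">
  <a href="/about">About</a>
  <button onclick="loadProfile(43); document.location = '/admin/export?format=csv'">Export</button>
</body>
</html>`;

// Step 1: what a parser-only scanner sees, i.e. literal href attributes.
function staticLinks(html) {
  const links = [];
  const re = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) links.push(m[1]);
  return links;
}

// Step 2: execute the scripts and event handlers against a stub DOM and
// record every URL the page tries to reach.
function executeAndCollect(html) {
  const requested = [];

  // Minimal stand-ins for the browser objects the sample page touches.
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.open = function (method, url) {
    requested.push(method + " " + url);
  };
  XMLHttpRequest.prototype.send = function () {};
  const document = {
    set location(url) { requested.push("GET " + url); },
  };

  // Inline <script> blocks run first, in document order, as in a browser.
  const scripts = [...html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
  // Event handlers: onload fires before any user-triggered handler (onclick).
  const handlers = (name) =>
    [...html.matchAll(new RegExp(name + '\\s*=\\s*"([^"]*)"', "gi"))].map(m => m[1]);
  const order = [...scripts, ...handlers("onload"), ...handlers("onclick")];

  // One shared scope so functions defined in <script> are visible to handlers.
  // A production scanner would use a sandboxed JS engine here, not new Function.
  const source = order.join("\n;\n");
  new Function("document", "XMLHttpRequest", source)(document, XMLHttpRequest);
  return requested;
}
```

Run on the sample page, staticLinks finds only /about, while executeAndCollect reports the two /api/v1/user requests and the /admin/export URL, which are exactly the attack surface a parser-only scanner would never test.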
To determine exactly which AJAX web application contains a vulnerability, Acunetix WVS launches its attacks on the basis of the source analysis (as explained above), effectively behaving like a hacker. A real hacker will of course not stop at merely observing the source. They will actually execute malicious code, even making the "necessary" modifications to create a favourable situation for themselves. The effectiveness of the Acunetix scanner rests on the same techniques hackers use to manipulate AJAX structures for Cross-site Scripting (XSS), SQL injection, traffic monitoring, session hijacking and so on.
AJAX-based web applications are rendered in a web browser in a modular fashion. Individual elements and events on the web page can be loaded and refreshed separately, so these applications can insert and manipulate more data. A thorough test with Acunetix WVS reduces much of this combined risk, because CSA parses and executes every script. Developers receive more accurate information about the vulnerabilities and can proceed to make the necessary changes and fixes.
Without accurate interpretation and execution of the JavaScript in an AJAX application, a vulnerability scanner can only test the web application at a coarse level, not component by component.
3. Summary and conclusion
The rapid development of web technology tends towards greater efficiency, speed and convenience, and greater interactivity. However, this same development also increases the security risks that businesses and web developers face every day.
With ports 80 (HTTP) and 443 (HTTPS) always open to allow dynamic content to be delivered and exchanged, a website is at risk of data loss and defacement (alteration of the page content) at any moment. But with regular, frequent testing by a trustworthy web application scanner, this risk falls considerably. As the complexity of the technology increases, defects on websites become more serious and vulnerabilities more numerous.
The improvements in AJAX applications also increase the number of significant security issues to consider, along with ever greater risk. More script execution and more information exchanged in server/client requests give hackers greater opportunity to steal data. Their activity costs many organisations thousands of dollars in revenue, erodes customer confidence and seriously threatens the organisation's reputation and credibility.
The best solution for effective security here is to use a vulnerability scanner that automatically "crawls" the website to identify its defects. However, without a mechanism to parse and execute JavaScript, the scanner's work will be inaccurate and will give the website owner a false sense of security.
The Acunetix Client Script Analyzer, as a core component of Acunetix WVS, can identify the document object types, events and actions of a website and execute every script embedded in it. This is the only web scanning method that significantly raises the quality of vulnerability scanning in scanners.
Source: Security
Article source: http://w4rum.com/1033.t