Honeypot Processors: AJAX Processor: Incidents - Malicious Script Introspection

Complexity: Medium (3.0)

Default Response: 1x = Slow Connection 2-6 seconds for 1 day and Captcha. 2x = Slow Connection 4-14 seconds for 1 day and permanent Block in 10 minutes.

Cause: WebApp Secure injects a fake JavaScript file into the websites it protects. This fake JavaScript file is designed to look as though it is intended for administrative use only, but has been mistakenly linked in with non administrative pages. The JavaScript file exposes an AJAX function that communicates with a potentially vulnerable fake service. If the user manually inspects the code of the function and attempts to exploit the service it uses directly (without calling the function itself), this incident will be triggered.

Behavior: To improve performance of a website, by minimizing the number of HTTP requests (and taking advantage of browser-side caching), web developers commonly combine most of their JavaScript code into just a few files, which are then included in the HTML of the entire site. However, in some cases, developers mistakenly include sensitive administrative functions in with common functions needed by unauthenticated users. For example, a developer might include an "addUser" function into a file that also contains a "changeImageOnHover" function. The "addUser" function can only be called from an administrative UI (behind a login), while the hover image effect would be called on a lot of different pages. Hackers often look through all of the various Javascript files being included on the pages of a website in order to find references to other services that might be vulnerable. Once a function has been identified, the hacker will attempt to find a way to exploit the service the function uses. Unlike the malicious script execution incident, here the attacker has actually dissected the fake AJAX function and attempted to directly exploit the service it uses. This is a more sophisticated attack then actually calling the Javascript function, because it requires that the user understand Javascript logic. Depending on what values they are sending to the service, this could be in an effort to perform any number of exploits, including Abuse of Functionality", "Buffer Overflow", "Denial of Service", "Format String", "Integer Overflows", "OS Commanding", and "SQL Injection."

Note: For information on the attack types mentioned here, go to The Web Application Security Consortium Web Site and search for the attack name to learn more about it.