Why the cross-domain Ajax is a security concern?

by

Why are Ajax HTTP Requests not allowed to cross domain boundaries.

Because AJAX requests are (a) submitted with user credentials, and (b) allow the caller to read the returned data.

It is a combination of these factors that can result in a vulnerability. There are proposals to add a form of cross-domain AJAX that omits user credentials.

you could simply add an img, script, or iframe element to the document

None of those methods allow the caller to read the returned data.

(Except scripts where either it’s deliberately set up to allow that, for permitted cross-domain scripting – or where someone’s made a terrible cock-up.)

Your can do XSS attacks without using this at all. Posting to third party site

That’s not an XSS attack. That’s a cross-site request forgery attack (XSRF). There are known ways to solve XSRF attacks, such as including one-time or cryptographic tokens to verify that the submission came deliberately from the user and was not launched from attacker code.

If you allowed cross-domain AJAX you would lose this safeguard. The attacking code could request a page from the banking site, read any authorisation tokens on it, and submit them in a second AJAX request to perform the transfer. And that would be a cross-site scripting attack.

More Related Contents:

  1. What security risks exist when setting Access-Control-Allow-Origin to accept all domains?
  2. Cross-site AJAX requests
  3. How to block external http requests? (securing AJAX calls)
  4. Who can explain this ajax code for me [closed]
  5. UIForm with prependId=”false” breaks
  6. What are the best practices for avoiding xss attacks in a PHP site [closed]
  7. jQuery: Performing synchronous AJAX requests
  8. POST JSON fails with 415 Unsupported media type, Spring 3 mvc
  9. Keep p:dialog open when a validation error occurs after submit
  10. jQuery $.ajax(), $.post sending “OPTIONS” as REQUEST_METHOD in Firefox
  11. Getting “net::ERR_BLOCKED_BY_CLIENT” error on some AJAX calls
  12. Does an HTTP Status code of 0 have any meaning?
  13. CORS issue while making an Ajax request for oauth2 access token
  14. Will HTML Encoding prevent all kinds of XSS attacks?
  15. How to enable cross-domain request on the server?
  16. What values can I pass to the event attribute of the f:ajax tag?
  17. How to set request header to the ajax object for jqGrid
  18. CodeIgniter – why use xss_clean
  19. Add additional parameter to JSF Ajax event listener
  20. how does jquery’s promise method really work?
  21. How to integrate Ajax with Symfony2 [closed]
  22. Minimum Working Example for ajax POST in Laravel 5.3
  23. Does Vue.JS work with AJAX http calls?
  24. How do you configure HttpOnly cookies in tomcat / java webapps?
  25. Stop the browser “throbber of doom” while loading comet/server push iframe
  26. jQuery AJAX ‘multipart/form-data’ Not Sending Data?
  27. List of events
  28. Why does Google prepend while(1); to their JSON responses?
  29. ‘JSON’ is undefined error in IE only
  30. ICEfaces libary in classpath prevents Save As dialog from popping up on file download

Leave a Comment