AJAX - Silent Transaction Attacks

Any system that silently processes transactions using a single submission is dangerous to the client.

Example:

If a normal web application allows a transaction to be submitted with a single URL request, a preset session attack lets the attacker complete that transaction without the user's authorization.

  • In AJAX it gets worse: the transaction is silent; it happens with no user feedback on the page, so an injected attack script may be able to steal money from the client without authorization.

Solution

  • Inspect the element for the 'Confirm' button

  • As we can see, the button calls the processData JavaScript function

  • If we open the link to this code in the script tag we see…

  • There are two functions: processData and submitData

  • processData performs validation on the user input and updates the user on the status of the transaction

  • submitData, however, performs the actual submission of the data

  • Go back to the HTML source and replace the processData function call with a call to submitData

  • You can now perform silent transactions against the user

  • For any transaction you perform, the processData function is never called, so the user is never notified

    • Instead, the request goes straight to submission

    • No validation is performed either, because all of it lived in processData on the client
