Facebook, among many others, has recently suffered from various kinds of insecurities: clickjacking, likejacking, or whatever you like to call them. Most of these bugs emerged after new Ajax features were introduced into existing applications. An interesting example is the recent bug in the iPhone web interface (touch.facebook.com) that Matt Austing detailed on his blog:
The problem is this is not restricted to relative or local URLs. The attacker could load a remote URL because of this HTML5 “feature”. Before HTML5 this would have caused an error and never loaded the content. The request is done client side, so server-side param filtering (or WAF) will not help.
Facebook fixed the bug one day after it was reported, but can you imagine how many other websites are not aware of the number of insecurities that might be introduced with every new feature?
The most annoying part is hash-based URLs (which I don’t recommend), because everything happens on the client side, so even server-side filtering will not help in this case. That # is the attacker’s favourite part of the game: it lets them work silently from their own browser. You will not notice anything written after it, which makes it even harder to notice that you are under attack.
HTTP access control, or Cross-Origin Resource Sharing (CORS), was introduced with HTML5 to allow cross-domain Ajax requests from the browser. The feature is currently available in Firefox 3.5, Safari 4, and Google Chrome 2. IE8 supports CORS through the XDomainRequest function instead of the existing XMLHttpRequest.
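Enabling CORS is only as safe as the server-side policy behind it. The following is an added example, not code from the original post or from any of the browsers or sites it mentions: it contrasts a server that reflects whatever Origin it receives (the weak setting) with one that matches the Origin exactly against an allow-list (the corrected setting). The function names corsHeadersReflectAll and corsHeadersAllowListed and the list of permitted origins are assumptions made for illustration.

```javascript
// Added example (not from the original post). Decides the CORS response
// headers for a given Origin request header. Runs under Node.js.

// The weak setting: echo any Origin back and allow credentials with it.
// Every third-party site then gets a cookie-bearing cross-domain
// XMLHttpRequest to the application, which defeats the purpose of CORS.
function corsHeadersReflectAll(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Origins permitted to call this API from the browser (constructed sample).
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://m.example']);

// The corrected setting: an exact-match allow-list (no prefix or substring
// matching), and 'Vary: Origin' so shared caches do not serve one origin's
// response to another.
function corsHeadersAllowListed(requestOrigin) {
  const headers = { Vary: 'Origin' };
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  // No Access-Control-Allow-Origin header means the browser blocks the read.
  return headers;
}

// Constructed sample Origin headers, including one that would slip past a
// naive startsWith('https://app.example') check.
const sampleOrigins = [
  'https://app.example',
  'https://app.example.attacker.example',
  'https://evil.example',
  undefined, // same-origin or non-CORS request carries no Origin header
];

for (const o of sampleOrigins) {
  console.log(String(o), '=> reflect:', corsHeadersReflectAll(o),
              '| allow-list:', corsHeadersAllowListed(o));
}
```

The exact-match rule matters: a check such as "origin starts with https://app.example" would accept https://app.example.attacker.example, while Set membership rejects it.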
As you may notice, the fix for the Facebook case is very easy to implement, as it is for most similar issues; however, will you be able to identify it in your code? Have you already faced security issues with your new HTML5 and Ajax features?
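To make the hash-based URL problem and its easy fix concrete, here is an added example that is not code from the original post or from Facebook. It puts the weak pattern (whatever follows # becomes the URL the page's Ajax loader fetches) beside a hardened version that accepts only root-relative fragments which resolve, after normalisation, to a known same-origin path. The helper names naiveHashTarget and safeHashTarget, the page origin and the list of allowed paths are assumptions made for illustration.

```javascript
// Added example (not from the original post). Validates a location.hash
// value before it is used as the target of a client-side Ajax load.
// Uses the WHATWG URL class, so it runs under Node.js as well as in a browser.

// The weak pattern: strip the '#' and use the rest as-is. Nothing prevents the
// fragment from being an absolute URL, so the browser will happily fetch it.
function naiveHashTarget(hash) {
  return hash.startsWith('#') ? hash.slice(1) : hash;
}

// Paths this page is actually allowed to load (constructed sample values).
const ALLOWED_PATHS = new Set(['/home', '/inbox', '/profile']);

// The hardened pattern. Returns the normalised same-origin path to load, or
// null when the fragment must be ignored.
function safeHashTarget(hash, pageOrigin) {
  const fragment = naiveHashTarget(hash);
  // Only root-relative paths: 'http://...', 'javascript:...' and
  // protocol-relative '//host/...' all fail this test.
  if (!fragment.startsWith('/') || fragment.startsWith('//')) return null;
  let resolved;
  try {
    resolved = new URL(fragment, pageOrigin);
  } catch (e) {
    return null;
  }
  // Resolution must not have escaped our own origin (the URL parser treats
  // some odd inputs, such as a backslash after the first slash, as an
  // authority, so this check is not redundant with the one above).
  if (resolved.origin !== new URL(pageOrigin).origin) return null;
  // Compare after normalisation so '/inbox/../profile' is judged as '/profile'.
  if (!ALLOWED_PATHS.has(resolved.pathname)) return null;
  return resolved.pathname;
}

// Constructed sample fragments, as they might appear in location.hash.
const PAGE_ORIGIN = 'https://touch.example';
const samples = [
  '#/inbox',
  '#/inbox/../profile',
  '#/admin',
  '#http://attacker.example/page.html',
  '#//attacker.example/page.html',
  '#/\\attacker.example/page.html',
  '#javascript:void(0)',
];

for (const s of samples) {
  console.log(s, '=> naive:', naiveHashTarget(s),
              '| safe:', safeHashTarget(s, PAGE_ORIGIN));
}
```

The allow-list is the part that does the real work: a same-origin check alone would still let an attacker steer the loader to any path on the site, whereas an explicit set of loadable fragments leaves nothing for the text after # to choose beyond what the page was designed to show.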