Copyright © 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP AppSec Europe
http://www.owasp.org/
May 2006
Ajax Security
Andrew van der [email protected]
OWASP AppSec Europe 2006
AJAX and Security
Ajax
Limited guidance so far: new chapter in the OWASP Guide
Compliance
Accessibility
Accessibility is mandatory by law, except for “justifiable hardship”
Corporations and governments: no choice - do it!
Personal web sites: no one will come after you... but...
Accessibility
Does it validate with the W3C WAI validator?
Accessibility aids (zoom, screen readers, etc)
Back button issues
Privacy
Ajax has client side state
Local storage
Caching
Mash ups
Privacy ... not
JavaScript is clear text, often cached regardless of browser settings
Not private in any way
Privacy ... not
The DOM can be manipulated by hostile code
Not private in any way
Privacy ... not
Dojo.Storage uses Flash as a “solution” for client-side persistent storage
Not private in any way
Often used for cross-domain postings... ARGH
Mash ups
Who owns the data? Who gets the data? How are they going to handle it?
An example of a mash up
Credit Rating Mashup
Contentious issues
Access Control
Authentication
Don’t let any old caller in
What’s acceptable to be used without authentication?
Authenticating a new XMLHttpRequest session
Ask...
Look ma! No cookies!
... and ye shall receive
Yeah Baby!
Come to papa!
Authorization
Would you let Bart call your admin function?
Authorization
Use the same authorization method
Default deny; all actions should be denied unless allowed
Error responses for no authorization
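The "Ask... and ye shall receive" demo above is an XMLHttpRequest endpoint that answers a caller with no cookies at all. The following Node.js code is an added example, not code from the talk or from any toolkit it mentions: it shows the three controls from the Authentication and Authorization slides on one Ajax entry point. Every call must carry a session cookie that maps to a known principal, every action is checked against the same default-deny policy table the rest of the site would use, and failure returns a plain error body. The session store, the policy table, the action names and the request shape are all constructed for this example.

```javascript
'use strict';
// Added example: server-side handling of an XMLHttpRequest call with
// (1) mandatory session authentication, (2) default-deny authorization through
// one shared routine, and (3) generic error responses. Session store, policy
// table and request shapes are constructed here and are not any toolkit's API.

// Constructed session store: session id -> principal.
const SESSIONS = {
  'sid-alice': { user: 'alice', roles: ['user'] },
  'sid-bart':  { user: 'bart',  roles: ['user'] },
  'sid-root':  { user: 'root',  roles: ['admin'] },
};

// Default-deny policy: an action missing from this table is never allowed.
const POLICY = {
  'account.balance': ['user', 'admin'],
  'admin.deleteUser': ['admin'],
};

// The only server functions reachable through the Ajax endpoint.
const ACTIONS = {
  'account.balance': (session) => ({ user: session.user, balance: 1250 }),
  'admin.deleteUser': (session, params) => ({ deleted: params.user, by: session.user }),
};

// Minimal Cookie header parser ("a=1; b=2" -> {a: '1', b: '2'}).
function parseCookies(header) {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// "Look ma! No cookies!" -> no session -> the caller is nobody.
function authenticate(req) {
  const sid = parseCookies(req.headers.cookie).SESSIONID;
  return Object.prototype.hasOwnProperty.call(SESSIONS, sid) ? SESSIONS[sid] : null;
}

// The same authorization routine the non-Ajax pages call; default deny.
// Own-property lookup keeps "constructor" and "__proto__" from resolving.
function authorize(session, action) {
  if (!Object.prototype.hasOwnProperty.call(POLICY, action)) return false;
  return POLICY[action].some((role) => session.roles.includes(role));
}

// Entry point for the XHR endpoint. Returns {status, body} instead of writing
// to a socket so it can be exercised without a network.
function handleAjax(req) {
  const session = authenticate(req);
  if (!session) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const action = req.body && req.body.action;
  if (!authorize(session, action)) {
    // One generic message for "unknown action" and "not your role", so the
    // error channel does not enumerate which admin functions exist.
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: ACTIONS[action](session, req.body.params || {}) };
}
```

With this in place the cookieless request from the demo gets a 401 and an empty hand, and Bart asking for `admin.deleteUser` gets a 403 with no hint whether the action exists.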
Sessions and State Management
Session Fixation
Use toolkits which send session tokens
Use proper session management to maintain the session
All of the session attacks in the session chapter are still valid
Cross-domain XML Http Requests
By security design, no browser supports this (the same-origin policy)
Many designs want to do this, or already do this (Google Maps, etc)
How to do it safely? Only with federated security
State management
In the good olde days, state was on the server
With Ajax, a lot more state is on the client
Think “hidden fields” but so much worse
Sending state
You can safely send state to the client for display purposes
... as long as it does not contain DOM injections
Only send state back if you do not have it on the server
Validate all state before use
Exposing internal state
Just because it’s faster doesn’t mean it’s wiser
Keep sensitive state on the server, always
Don’t obfuscate JavaScript - it’s hard enough now
Ajax Attack Prevention
Injection Attacks
PHP toolkits: look for code injection attacks
JSON injection: be careful how you decode!
DOM injection - client side attacks now much easier
XML injection - both client and server side
Code injection - both client and server side
Data validation
Data obtained via the XMLHttpRequest path must be validated
Perform validation after authorization checks
Validate using the same paths as existing code
If you (de-)serialize, be aware of XML injection
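The Sending state, Injection Attacks and Data validation slides describe one client-side path: state arrives from the server, is decoded, and ends up in the DOM. The following is an added example, not code from the talk, showing that path in JavaScript with the two decoding styles of the day side by side (eval-based versus JSON.parse), an allow-list validator for the decoded state, and rendering with output escaping. The three server responses are constructed for the example, not captured traffic; the field names and the schema are assumptions. It runs under Node.js and returns HTML strings rather than touching a live DOM so the results can be checked offline.

```javascript
'use strict';
// Added example: decode -> validate -> render for JSON state from the server.
// Responses, field names and schema are constructed for this example.

// A well-formed response.
const GOOD = '{"name":"Alice","balance":1250}';
// A response tampered to break out of eval()-based decoding: the trailing
// statement executes under eval and is a SyntaxError to JSON.parse.
const EVIL_JSON = '{"name":"Alice"}) ; (globalThis.pwned = true';
// A response whose display field carries markup (DOM injection payload).
const EVIL_NAME = '{"name":"<img src=x onerror=\'alert(1)\'>","balance":1}';

// How many 2006 toolkits decoded JSON: eval() runs whatever it is handed.
function decodeUnsafe(text) {
  return eval('(' + text + ')');
}

// JSON.parse accepts data only; anything executable fails to parse.
function decodeSafe(text) {
  return JSON.parse(text);
}

// Validate all state before use: allow-listed fields with type/range checks,
// unknown fields dropped, anything else rejected with an exception.
const STATE_SCHEMA = {
  name: (v) => typeof v === 'string' && v.length > 0 && v.length <= 64,
  balance: (v) => Number.isInteger(v) && v >= 0,
};
function validateState(obj) {
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new TypeError('state must be a JSON object');
  }
  const clean = {};
  for (const key of Object.keys(STATE_SCHEMA)) {
    if (!Object.prototype.hasOwnProperty.call(obj, key)) {
      throw new TypeError(`missing field: ${key}`);
    }
    if (!STATE_SCHEMA[key](obj[key])) {
      throw new TypeError(`bad value for field: ${key}`);
    }
    clean[key] = obj[key];
  }
  return clean;
}

// Escape a value for insertion into HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// DOM injection: server state dropped straight into innerHTML.
function renderUnsafe(state) {
  return `<div class="user">${state.name}: ${state.balance}</div>`;
}

// Same markup with every interpolated value escaped. In a browser, prefer
// el.textContent = state.name over building HTML strings at all.
function renderSafe(state) {
  return `<div class="user">${escapeHtml(state.name)}: ${escapeHtml(state.balance)}</div>`;
}

// The full client-side path the slides describe.
function showUser(responseText) {
  return renderSafe(validateState(decodeSafe(responseText)));
}
```

Note that `EVIL_NAME` passes `validateState`: a 30-character string is a perfectly valid name. Validation catches the wrong shape; only output escaping (or `textContent`) stops the markup from becoming DOM.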
Ajax Attack Prevention
Reconstructing Ajax API
Many Ajax apps have been “decoded”
e.g. libgmail, GMail Agent API, gmail.py, etc
Spawned GMailFS, Win32 Gmail clients, etc
Do not assume your app is special - it will be decoded!
GMail Agent API in action
GET Ajax Session
Pseudo API Injection
Most PHP AJAX tool kits allow remote code injection by allowing client-side server code invocation
eg: AJason, JPSpan and CPAINT
Pseudo API
Guess what I can do?
Create proxy façades
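The "pseudo API" problem on the two slides above is that the toolkit lets the client name the server function to invoke, so any callable reachable by name becomes a remote procedure. The following is an added example written for this page, not the code of AJason, JPSpan or CPAINT, that rebuilds that dispatch pattern in Node.js beside a hardened version, so both can be run on the same constructed requests. The `api` object, its two functions and the call shape are assumptions made for the example.

```javascript
'use strict';
// Added example: client-named server function dispatch (the "pseudo API"
// pattern) and its allow-listed replacement. Not any toolkit's real code;
// the api object and request shapes are constructed for this example.

// The handful of functions the application meant to expose.
const api = {
  getBalance: (account) => ({ account, balance: 1250 }),
  listAccounts: () => ['chq-001', 'sav-002'],
};

// Toolkit-style pseudo API: resolve whatever name the client sent and call
// it. Nothing limits the name to "api", so Math.max, process.cwd or
// process.exit are all reachable from the browser.
function dispatchUnsafe(call) {
  const fn = eval(call.method);
  return fn(...call.args);
}

// Hardened dispatch: explicit allow list, own-property lookup (so
// "constructor", "__proto__" and "toString" on the prototype chain do not
// resolve), and an argument shape check before the call.
function dispatchSafe(call) {
  if (typeof call !== 'object' || call === null) {
    throw new TypeError('bad call');
  }
  if (typeof call.method !== 'string' ||
      !Object.prototype.hasOwnProperty.call(api, call.method)) {
    throw new Error(`unknown method: ${String(call.method)}`);
  }
  if (!Array.isArray(call.args) || call.args.length > 8) {
    throw new TypeError('bad arguments');
  }
  for (const a of call.args) {
    if (typeof a !== 'string' && typeof a !== 'number') {
      throw new TypeError('bad argument type');
    }
  }
  return api[call.method](...call.args);
}
```

A proxy façade is exactly what `dispatchUnsafe` gives an attacker: a name-to-function resolver with the whole runtime behind it. `dispatchSafe` makes the exposed surface a fixed table that can be reviewed, and the authorization check from the earlier slides belongs in front of it.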
Error Handling
Error handling is often neglected
Do not use JavaScript alert()
Parentless window syndrome
Questions
Andrew van der [email protected]
Andrew’s OWASP EU talks sponsored by