Transcript of OWASP AppSec 2004 Presentation
Page 1
Copyright © 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP AppSec Europe
http://www.owasp.org/
May 2006
Ajax Security
Andrew van der [email protected]
Page 2
OWASP AppSec Europe 2006
AJAX and Security
Ajax
Limited guidance
New chapter in Guide
Page 3
Compliance
Page 4
Accessibility
Accessibility is mandatory by law
Except for “justifiable hardship”
Corporations and governments
No choice - do it!
Personal web sites
No one will come after you... but...
Page 5
Accessibility
Ask real users to test!
Accessibility aids
W3C WAI validator
Basic tools
Page 6
Back Button
The most used button
Ajax toolkits often destroy or hide it
Support the Back Button!
Page 7
“You have no privacy. Get over it.”
Scott McNealy
Privacy
Page 8
“Nothing that we have authorized conflicts with any law regarding privacy or any provision of the constitution.”
John Ashcroft
Privacy
Page 9
Privacy
“Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.”
John Perry Barlow
Page 10
Privacy
Ajax has client side state
Local storage
Caching
Mash ups
Page 11
Privacy ... not
Javascript is clear text
Often cached regardless of browser settings
Not private in any way
Page 12
Privacy ... not
DOM can be manipulated by hostile code
Not private in any way
Page 13
Privacy ... not
Dojo.Storage uses Flash
“Solution” for client-side persistent storage
Not private in any way
Often used for cross-domain postings... ARGH
Page 14
Mash ups
Who owns the data?
Who gets the data?
How are they going to handle it?
Page 15
An example of a mash up
Page 16
Credit Rating Mashup
Page 17
Credit Rating Mashup
Page 18
Credit Rating Mashup
Page 19
Contentious issues
Page 20
Contentious issues
Page 21
Access Control
Page 22
Authentication
Don’t let any old caller in
What’s okay without authentication?
Authenticate new XMLHttpRequest sessions
Page 23
Ask...
Look ma! No
cookies!
Page 24
and ye shall receive
Yeah
Baby!
Come
to papa!
Page 25
Authorization
Would you let Bart call your admin function?
Page 26
Authorization
Use same authorization methods
Default deny; all actions should be denied unless allowed
Error responses for no authorization
Page 27
Sessions and State Management
Page 28
Session Fixation
Use toolkits which send session tokens
Use proper session management to maintain the session
OWASP Guide - Session Management chapter
Page 29
Cross-domain XML Http Requests
By security design (the same-origin policy), no browser supports this
Many designs want to do this, or already do this (Google Maps, etc)
How to do it safely? Only with federated security
Page 30
State management
In the good olde days, state was on the server
With Ajax, a lot more state is on the client
Think “hidden fields” but so much worse
Page 31
Sending state
Validate all state before use
Sending state to the client for display
DOM injectionsHTML injections
Only send changed state back
Page 32
Exposing internal state
Just because it’s faster doesn’t mean it’s wiser
Keep sensitive state on the server, always
Don’t obfuscate JavaScript - it’s hard enough now
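Added example (not part of the slides): what “hidden fields, but so much worse” looks like when the Ajax client round-trips application state, and the server-side fix the deck calls for. The catalog, field names and request bodies are constructed for illustration. The vulnerable function trusts the client's copy of the state, price included; the hardened one accepts only the fields the client may legitimately change, validates them, recomputes everything else from server-side data, and HTML-encodes the one free-text field before it is sent back for display, so echoed state cannot become HTML injection.

```javascript
// Added example, not code from the slides. Catalog and requests are constructed.
const catalog = {
  sku1: { name: 'Book', priceCents: 1299 },
  sku2: { name: 'Pen', priceCents: 199 },
};

// Vulnerable: trusts whatever state the client posted back, including price
// and discount. Anyone with a proxy (or the browser's own tools) sets these.
function vulnerableCheckout(clientState) {
  let total = 0;
  for (const line of clientState.lines) total += line.priceCents * line.qty;
  return { total, discount: clientState.discountCents || 0 };
}

// Hardened: the client may only say which item, how many, and a gift note.
// Everything sensitive (price, discount) stays on the server and is recomputed;
// unknown or extra fields are simply ignored.
function hardenedCheckout(clientState) {
  if (!clientState || !Array.isArray(clientState.lines)) throw new Error('invalid state');
  const lines = [];
  let total = 0;
  for (const line of clientState.lines) {
    if (typeof line !== 'object' || line === null) throw new Error('invalid line');
    // hasOwnProperty: a sku of "constructor" or "__proto__" must not match inherited names
    if (!Object.prototype.hasOwnProperty.call(catalog, line.sku)) throw new Error('unknown sku');
    if (!Number.isInteger(line.qty) || line.qty < 1 || line.qty > 99) throw new Error('bad qty');
    const item = catalog[line.sku];
    lines.push({ sku: line.sku, qty: line.qty, priceCents: item.priceCents }); // server price wins
    total += item.priceCents * line.qty;
  }
  let giftNote = '';
  if (clientState.giftNote !== undefined) {
    if (typeof clientState.giftNote !== 'string' || clientState.giftNote.length > 200) {
      throw new Error('bad gift note');
    }
    giftNote = clientState.giftNote;
  }
  return { lines, total, giftNote };
}

// Sending state back to the client for display: anything a page will drop into
// the DOM via innerHTML must be HTML-encoded first.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fragment the server hands back for the confirmation panel.
function renderGiftNote(order) {
  return '<p>' + escapeHtml(order.giftNote) + '</p>';
}
```

The hardened version returns the authoritative line items with server prices, so the client only needs to send back what changed (which items and quantities), not the whole order.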
Page 33
Ajax Attack Prevention
Page 34
Injection Attacks
PHP toolkits: look for code injection attacks
JSON injection: be careful how you decode!
DOM injection - client side attacks now much easier
XML injection - both client and server side
Code injection - both client and server side
Page 35
Data validation
Data from XMLHttpRequest must be validated
Perform validation after authorization checks
Validate using same paths as existing code
If you (de-)serialize, be aware of XML injection
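Added example (not part of the slides) for “JSON injection: be careful how you decode!” and the data-validation slide above it. Early Ajax toolkits turned JSON text into objects with eval(), so a response, or anything injected into it, could carry executable code. The hostile payload and the expected record shape below are constructed; `pwned` is only a marker variable. The hardened decoder uses JSON.parse, which accepts nothing outside the JSON grammar, and then checks the result against the shape the code expects, because decoding is not the same thing as validation.

```javascript
// Added example, not code from the slides. Payloads below are constructed.
globalThis.pwned = false; // marker: set only if attacker-supplied code runs

// Vulnerable decoder, as many early toolkits did it: eval() runs whatever the
// response text contains, JSON or not.
function evalDecode(text) {
  return eval('(' + text + ')');
}

// Hardened decoder: strict JSON grammar, then a shape check. Unknown keys
// (including "__proto__", which JSON.parse turns into an own property) are
// rejected, types are checked, and a fresh object with only the expected
// fields is returned so nothing unexpected leaks into the caller.
function safeDecode(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: 'not valid JSON' };
  }
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    return { ok: false, error: 'expected object' };
  }
  const allowed = { id: 'number', name: 'string' }; // expected record shape (constructed)
  for (const key of Object.keys(value)) {
    if (!Object.prototype.hasOwnProperty.call(allowed, key)) {
      return { ok: false, error: 'unexpected field ' + key };
    }
    if (typeof value[key] !== allowed[key]) {
      return { ok: false, error: 'bad type for ' + key };
    }
  }
  for (const key of Object.keys(allowed)) {
    if (!Object.prototype.hasOwnProperty.call(value, key)) {
      return { ok: false, error: 'missing field ' + key };
    }
  }
  return { ok: true, value: { id: value.id, name: value.name } };
}

// A benign response and one that smuggles a function call inside the "JSON".
const benign = '{"id": 7, "name": "Lisa"}';
const hostile = '{"id": 7, "name": (function () { globalThis.pwned = true; return "Lisa"; })()}';
```

Both decoders produce an object with `name === "Lisa"` for the benign text; only the eval-based one also produces it for the hostile text, and it does so by running the embedded function. The same check-after-decode discipline applies to XML: a parser tells you the document is well-formed, not that its content is what your code expects.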
Page 36
Ajax APIs
Page 37
Reconstructing Ajax API
Many Ajax apps have been “decoded”
e.g. libgmail, GMail Agent API, gmail.py, etc
Spawned GMailFS, Win32 Gmail clients, etc
Do not assume your app is special - it will be decoded!
GMail Agent API in action
Page 38
GET APIs
Page 39
Pseudo API Injection
Almost all Ajax toolkits use GET by default
Force them to use POST
Most PHP AJAX tool kits allow remote code injection by allowing client-side server code invocation
eg: AJason, JPSpan and CPAINT (1.x)
Page 40
Pseudo API
Guess what I can do?
Create proxy façades
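Added example (not part of the slides) covering both the Pseudo API slides and the Authentication and Authorization slides earlier in the deck. It models in Node.js the pattern behind the PHP toolkits the deck criticises: the browser names the server function to run and the toolkit invokes it, over GET, without asking who is calling. The hardened dispatcher is the proxy façade the slide recommends: an explicit list of exposed methods, POST only, a session check on every XMLHttpRequest, and default-deny role checks per method. The function names, session store and request shape are made up; none of this is taken from AJason, JPSpan or CPAINT.

```javascript
// Added example, not code from the slides. Everything below is constructed.
const serverFunctions = {
  getProfile: (session) => ({ user: session.user }),
  deleteUser: (session, args) => ({ deleted: args.user }),
  // Never meant to be reachable from a browser, but it is a function in scope:
  runShell: (session, args) => ({ ran: args.cmd }),
};

// Vulnerable dispatcher (the pseudo-API pattern): the client picks the method
// by name, nothing checks who is asking, and GET works just as well as POST.
function vulnerableDispatch(request) {
  const fn = serverFunctions[request.method];
  if (typeof fn !== 'function') return { status: 404, body: 'no such method' };
  return { status: 200, body: fn({}, request.args) };
}

// Constructed session store: cookie value -> session.
const sessions = {
  s1: { user: 'bart', roles: ['user'] },
  s2: { user: 'marge', roles: ['user', 'admin'] },
};

// Proxy façade: the only methods the browser can name, each with the roles
// allowed to call it. Anything not listed does not exist as far as XHR is concerned.
const exposed = {
  getProfile: { handler: serverFunctions.getProfile, roles: ['user'] },
  deleteUser: { handler: serverFunctions.deleteUser, roles: ['admin'] },
};

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

function hardenedDispatch(request) {
  // Force POST: calls that change state must not be reachable through a link,
  // an <img src>, a prefetch, or a Referer header carrying the parameters.
  if (request.httpMethod !== 'POST') return { status: 405, body: 'POST required' };

  // Authenticate every XMLHttpRequest, not only the page that loaded the script.
  const sid = parseCookies(request.headers.cookie).sid;
  const session = sid && Object.prototype.hasOwnProperty.call(sessions, sid) ? sessions[sid] : null;
  if (!session) return { status: 401, body: 'authentication required' };

  // Allowlist lookup; hasOwnProperty so "constructor" or "__proto__" cannot match.
  if (!Object.prototype.hasOwnProperty.call(exposed, request.method)) {
    return { status: 404, body: 'no such method' };
  }
  const entry = exposed[request.method];

  // Default deny: the caller needs one of the roles the method lists, and the
  // failure is an error response, not a silently empty result.
  if (!entry.roles.some((r) => session.roles.includes(r))) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: entry.handler(session, request.args) };
}
```

Bart (a plain user) can fetch his profile but gets 403 from deleteUser; a request with no cookie at all gets 401 before any method is looked up; runShell is unreachable because it is not in the façade, whatever the client names.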
Page 41
Event Management
Page 42
Error Handling
Error handling is often neglected
Do not use Javascript alert()
Parentless window syndrome
Page 43
Auditing
Client-side auditing is a joke
Auditing must be:
comprehensive
unavoidable
tamper resistant
Page 44
Questions
Andrew van der [email protected]
Images:
John Perry Barlow image used with permission
Stock*Exchange
Image After
Andrew’s OWASP EU talks sponsored by