1 / 38

Ajax Security

Ajax Security. Andrew van der Stock vanderaj@owasp.org. AJAX and Security. Ajax Limited guidance New chapter in Guide. Image from Hellenic Art. Compliance. http://www.imageafter.com/image.php?image=b19objects_signs090.jpg&size=full&download=no. Accessibility.

thom
Download Presentation

Ajax Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ajax Security • Andrew van der Stock • vanderaj@owasp.org

  2. AJAX and Security • Ajax • Limited guidance • New chapter in Guide Image from Hellenic Art

  3. Compliance http://www.imageafter.com/image.php?image=b19objects_signs090.jpg&size=full&download=no

  4. Accessibility • Accessibility is mandatory by law • Except for “justifiable hardship” • Corporations and governments • No choice - do it! • Personal web sites • No one will come after you... but...

  5. Accessibility • Does it validate with W3C WAI validator? • Accessibility aides (zoom, readers, etc) • Back button issues

  6. Privacy • Ajax has client side state • Local storage • Caching • Mash ups

  7. Privacy ... not • Javascript is clear text • often cached regardless of browser settings • Not private in any way

  8. Privacy ... not • DOM can be manipulated by hostile code • Not private in any way

  9. Privacy ... not • Dojo.Storage uses Flash • “Solution” for client-side persistent storage • Not private in any way • Often used for cross-domain postings... ARGH

  10. Mash ups • Who owns the data? • Who gets the data? • How are they going to handle it?

  11. An example of a mash up

  12. Credit Rating Mashup

  13. Credit Rating Mashup

  14. Credit Rating Mashup

  15. Contentious issues

  16. Contentious issues

  17. Access Control http://www.sxc.hu/browse.phtml?f=download&id=527569

  18. Authentication • Don’t let any old caller in • What’s acceptable to be used without authentication? • Authenticating a new XMLHttpRequest session

  19. Ask... Look ma! No cookies!

  20. and ye shall receive Yeah Baby! Come to papa!

  21. Authorization Would you let Bart call your admin function?

  22. Authorization • Use the same authorization method • Default deny; all actions should be denied unless allowed • Error responses for no authorization

  23. Sessions and State Management http://www.sxc.hu/browse.phtml?f=download&id=526216

  24. Session Fixation • Use toolkits which send session tokens • Use proper session management to maintain the session • All of the session attacks in the session chapter are still valid

  25. Cross-domain XML Http Requests • By security design, no browser supports this • Many designs want to do this • or already do this (Google Maps, etc) • How to do it safely? • Only with federated security

  26. State management • In the good olde days, state was on the server • With Ajax, a lot more state is on the client • Think “hidden fields” but so much worse

  27. Sending state • You can safely send state to the client for display purposes • ... as long as it does not contain DOM injections • Only send state back if you do not have it on the server • Validate all state before use

  28. Exposing internal state • Just because it’s faster doesn’t mean it’s wiser • Keep sensitive state on the server, always • Don’t obfuscate JavaScript - it’s hard enough now

  29. Ajax Attack Prevention

  30. Injection Attacks • PHP toolkits: look for code injection attacks • JSON injection: be careful how you decode! • DOM injection - client side attacks now much easier • XML injection - both client and server side • Code injection - both client and server side

  31. Data validation • Data obtained via the XMLHttpRequest path must be validated • Perform validation after authorization checks • Validate using same paths as existing code • If you (de-)serialize, be aware of XML injection

  32. Ajax Attack Prevention http://www.sxc.hu/browse.phtml?f=download&id=527569

  33. Reconstructing Ajax API • Many Ajax apps have been “decoded” • e.g. libgmail, GMail Agent API, gmail.py, etc • Spawned GMailFS, Win32 Gmail clients, etc • Do not assume your app is special - it will be decoded! GMail Agent API in action

  34. GET Ajax Session

  35. Pseudo API Injection • Most PHP AJAX tool kits allow remote code injection by allowing client-side server code invocation • eg: AJason, JPSpan and CPAINT

  36. Psuedo API • Guess what I can do? • Create proxy façades

  37. Error Handling • Error handling is often neglected • Do not use Javascriptalert() • Parentless window syndrome

  38. Questions • Andrew van der Stock • vanderaj@owasp.org • Andrew’s OWASP EU talks sponsored by

More Related