OWASP AppSecEU2006 AJAX Security

Published on August 30, 2007

Author: BAWare

Source: authorstream.com

Ajax Security
Andrew van der Stock, vanderaj@owasp.org

AJAX and Security
- Ajax: limited guidance so far
- New chapter in the OWASP Guide
Image from Hellenic Art

Compliance
Image: http://www.imageafter.com/image.php?image=b19objects_signs090.jpg&size=full&download=no

Accessibility
- Accessibility is mandatory by law, except for 'justifiable hardship'
- Corporations and governments: no choice, do it!
- Personal web sites: no one will come after you... but...

Accessibility
- Does it validate with the W3C WAI validator?
- Accessibility aids (zoom, screen readers, etc.)
- Back button issues

Privacy
- Ajax has client-side state
- Local storage
- Caching
- Mash-ups

Privacy ... not
- JavaScript is clear text, often cached regardless of browser settings
- Not private in any way

Privacy ... not
- The DOM can be manipulated by hostile code
- Not private in any way

Privacy ... not
- Dojo.Storage uses Flash as its 'solution' for client-side persistent storage
- Not private in any way
- Often used for cross-domain postings... ARGH

Mash-ups
- Who owns the data?
- Who gets the data?
- How are they going to handle it?

An example of a mash-up: Credit Rating Mashup (three screenshot slides)

Contentious issues

Access Control
Image: http://www.sxc.hu/browse.phtml?f=download&id=527569

Authentication
- Don't let any old caller in
- What's acceptable to be used without authentication?
- Authenticating a new XMLHttpRequest session

Ask...
- Look ma! No cookies!

... and ye shall receive
- Yeah baby! Come to papa!

Authorization
- Would you let Bart call your admin function?
Authorization
- Use the same authorization method as the rest of the application
- Default deny: all actions should be denied unless explicitly allowed
- Return proper error responses when authorization fails

Sessions and State Management
Image: http://www.sxc.hu/browse.phtml?f=download&id=526216

Session Fixation
- Use toolkits which send session tokens
- Use proper session management to maintain the session
- All of the session attacks in the session chapter are still valid

Cross-domain XML Http Requests
- By security design, no browser supports this (true when this talk was given in 2006; Cross-Origin Resource Sharing later added a server-controlled exception)
- Many designs want to do this or already do this (Google Maps, etc.)
- How to do it safely? Only with federated security

State management
- In the good old days, state was on the server
- With Ajax, a lot more state is on the client
- Think 'hidden fields', but so much worse

Sending state
- You can safely send state to the client for display purposes... as long as it does not contain DOM injections
- Only send state back if you do not have it on the server
- Validate all state before use

Exposing internal state
- Just because it's faster doesn't mean it's wiser
- Keep sensitive state on the server, always
- Don't obfuscate JavaScript - it's hard enough now

Ajax Attack Prevention

Injection Attacks
- PHP toolkits: look for code injection attacks
- JSON injection: be careful how you decode!
- DOM injection: client-side attacks are now much easier
- XML injection: both client and server side
- Code injection: both client and server side

Data validation
- Data obtained via the XMLHttpRequest path must be validated
- Perform validation after authorization checks
- Validate using the same paths as existing code
- If you (de-)serialize, be aware of XML injection

Ajax Attack Prevention
Image: http://www.sxc.hu/browse.phtml?f=download&id=527569

Reconstructing the Ajax API
- Many Ajax apps have been 'decoded', e.g. libgmail, GMail Agent API, gmail.py, etc.
- These spawned GMailFS, Win32 Gmail clients, etc.
- Do not assume your app is special - it will be decoded!

GMail Agent API in action

GET Ajax Session

Pseudo API Injection
- Most PHP Ajax toolkits allow remote code injection by allowing client-side invocation of server code
- e.g. AJason, JPSpan and CPAINT

Pseudo API
- Guess what I can do?
- Create proxy façades

Error Handling
- Error handling is often neglected
- Do not use JavaScript alert()
- Parentless window syndrome

Questions
Andrew van der Stock, vanderaj@owasp.org
Andrew's OWASP EU talks sponsored by
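The "Injection Attacks" slides (JSON injection: be careful how you decode; DOM injection) in working form. This is an added example, not code from the talk or from OWASP: it shows a server building a JSON response by string concatenation, a client decoding it with eval() (the common 2006 idiom), and the same payload handled by JSON.stringify/JSON.parse plus an HTML escaper before data is written into the DOM. The user name, balance and the injected string are constructed for the demo.

```javascript
// Added example (not from the talk). Demonstrates JSON injection on the
// server side, code execution on the client side when the response is
// eval()ed, and the two fixes: a real serializer/parser and HTML escaping.

// --- Server side, vulnerable: JSON assembled by concatenation. A user name
// containing a quote breaks out of the string and becomes part of the text.
function serializeUnsafe(user, balance) {
  return '{"user":"' + user + '","balance":' + balance + '}';
}

// --- Server side, safe: the serializer escapes every string for us.
function serializeSafe(user, balance) {
  return JSON.stringify({ user: user, balance: balance });
}

// --- Client side, vulnerable: eval() runs whatever the response contains.
function decodeUnsafe(text) {
  return eval('(' + text + ')');
}

// --- Client side, safe: JSON.parse only accepts data; anything else throws.
function decodeSafe(text) {
  return JSON.parse(text);
}

// --- DOM injection: escape before the value goes anywhere near innerHTML.
// (Or avoid innerHTML entirely and assign textContent instead.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (c) { return map[c]; });
}

function renderProfile(profile) {
  // Returns the markup a caller would assign to an element's innerHTML.
  return '<li>' + escapeHtml(profile.user) + ': ' + escapeHtml(profile.balance) + '</li>';
}

// Constructed attacker-controlled user name: closes the JSON object, runs a
// statement, then opens a new object so the eval()ed text still "looks" valid.
const EVIL_NAME = 'lisa"}); globalThis.pwned = true; ({"user":"x';

// Runs the full chain and reports what happened, for reading or testing.
function demonstrate() {
  globalThis.pwned = false;

  // Unsafe server + unsafe client: the injected statement executes.
  const hijacked = decodeUnsafe(serializeUnsafe(EVIL_NAME, 42));

  // Unsafe server + safe client: JSON.parse rejects the tampered text.
  let parserRejected = false;
  try {
    decodeSafe(serializeUnsafe(EVIL_NAME, 42));
  } catch (e) {
    parserRejected = e instanceof SyntaxError;
  }

  // Safe server + safe client: the hostile name is just a string value.
  const clean = decodeSafe(serializeSafe(EVIL_NAME, 42));

  return {
    codeRan: globalThis.pwned === true,
    hijackedUser: hijacked.user,
    parserRejected: parserRejected,
    cleanUser: clean.user,
    markup: renderProfile(clean),
  };
}
```

The point the slide makes is that the decoding choice on the client and the serializing choice on the server are independent defences: JSON.parse alone stops the code from running, but only JSON.stringify (or an equivalent escaping serializer) stops the data from being corrupted in the first place.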
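The "Authentication", "Authorization" (default deny, error responses), "Data validation" (validate after authorization) and "Pseudo API Injection" slides share one underlying design question: which server-side functions may an Ajax caller reach, and who decides? The following is an added example, not code from the talk or from the PHP toolkits it names; it is a Node.js dispatcher that contrasts a pseudo-API (the client names the function to run) with an explicit, default-deny registry. The session store, method names, roles and argument rules are made up for the demo.

```javascript
// Added example (not from the talk). Server-side dispatch for Ajax calls:
// the pseudo-API pattern the slides warn about, beside a default-deny
// registry that authenticates, authorizes, and only then validates input.

// Constructed session store: cookie value -> session. A real application
// would use the same session mechanism as its non-Ajax pages.
const SESSIONS = new Map([
  ['tok-bart', { user: 'bart', roles: ['user'] }],
  ['tok-lisa', { user: 'lisa', roles: ['user', 'admin'] }],
]);

// --- Vulnerable pseudo-API: the request names the function to invoke and the
// server resolves it dynamically. Anything reachable by name is now remote-
// callable, not just the handful of functions the developer meant to expose.
function dispatchUnsafe(request) {
  const fn = Function('return ' + request.fn)();   // e.g. "process.cwd"
  return { status: 200, body: fn.apply(null, request.args || []) };
}

// --- Hardened: an explicit registry. Each entry declares who may call it and
// what a well-formed argument list looks like. Nothing outside it is callable.
const API = new Map([
  ['getProfile', {
    roles: ['user'],
    validate: function (args) { return args.length === 0; },
    run: function (session) { return { user: session.user }; },
  }],
  ['deleteUser', {
    roles: ['admin'],
    validate: function (args) {
      return args.length === 1 && /^[a-z0-9_]{1,32}$/.test(args[0]);
    },
    run: function (session, target) { return { deleted: target, by: session.user }; },
  }],
]);

function dispatch(request, cookies) {
  // 1. Authenticate: a request with no valid session cookie gets nothing
  //    ("Look ma! No cookies!" should not be answered with data).
  const session = SESSIONS.get((cookies || {}).sid);
  if (!session) return { status: 401, body: { error: 'authentication required' } };

  // 2. Default deny: unknown names and unauthorized roles are refused with a
  //    proper error response rather than a silent success.
  const entry = API.get(request.fn);
  if (!entry) return { status: 404, body: { error: 'no such method' } };
  const allowed = entry.roles.some(function (r) { return session.roles.includes(r); });
  if (!allowed) return { status: 403, body: { error: 'forbidden' } };

  // 3. Validate arguments only after the caller is known and authorized, so
  //    unauthenticated clients cannot probe the validators.
  const args = Array.isArray(request.args) ? request.args : [];
  if (!entry.validate(args)) return { status: 400, body: { error: 'bad arguments' } };

  return { status: 200, body: entry.run.apply(null, [session].concat(args)) };
}
```

The registry is the whole defence: because a Map lookup returns undefined for any name that was not registered (including inherited property names such as "constructor"), there is no path from a client-supplied string to an arbitrary server function, and every reachable function carries its own role list.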
