ajax security

38
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP AppSec Europe http://www.owasp.org / May 2006 Ajax Security Andrew van der Stock [email protected]

Upload: sampetruda

Post on 01-Nov-2014

367 views

Category:

Documents


2 download

DESCRIPTION

 

TRANSCRIPT

Page 1: Ajax Security

Copyright © 2006 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation

OWASPAppSecEurope

http://www.owasp.org/

May 2006

Ajax Security

Andrew van der [email protected]

Page 2: Ajax Security

OWASP AppSec Europe 2006

AJAX and Security

Ajax

Limited guidance New chapter in Guide

Image from Hellenic ArtImage from Hellenic Art

Page 3: Ajax Security

OWASP AppSec Europe 2006Compliance

http://www.imageafter.com/image.php?image=b19objects_signs090.jpg&size=full&download=no

http://www.imageafter.com/image.php?image=b19objects_signs090.jpg&size=full&download=no

Page 4: Ajax Security

OWASP AppSec Europe 2006

Accessibility

Accessibility is mandatory by lawExcept for “justifiable

hardship”

Corporations and governmentsNo choice - do it!

Personal web sitesNo one will come

after you... but...

Page 5: Ajax Security

OWASP AppSec Europe 2006

Accessibility

Does it validate with W3C WAI validator? Accessibility aides (zoom, readers, etc) Back button issues

Page 6: Ajax Security

OWASP AppSec Europe 2006

Privacy

Ajax has client side state

Local storage Caching Mash ups

Page 7: Ajax Security

OWASP AppSec Europe 2006

Privacy ... not

Javascript is clear textoften cached regardless of browser settingsNot private in any way

Page 8: Ajax Security

OWASP AppSec Europe 2006

Privacy ... not

DOM can be manipulated by hostile codeNot private in any way

Page 9: Ajax Security

OWASP AppSec Europe 2006

Privacy ... not

Dojo.Storage uses Flash“Solution” for client-side persistent storageNot private in any way

Often used for cross-domain postings... ARGH

Page 10: Ajax Security

OWASP AppSec Europe 2006

Mash ups

Who owns the data? Who gets the data? How are they going to handle it?

Page 11: Ajax Security

OWASP AppSec Europe 2006

An example of a mash up

Page 12: Ajax Security

OWASP AppSec Europe 2006

Credit Rating Mashup

Page 13: Ajax Security

OWASP AppSec Europe 2006

Credit Rating Mashup

Page 14: Ajax Security

OWASP AppSec Europe 2006

Credit Rating Mashup

Page 15: Ajax Security

OWASP AppSec Europe 2006

Contentious issues

Page 16: Ajax Security

OWASP AppSec Europe 2006

Contentious issues

Page 17: Ajax Security

OWASP AppSec Europe 2006Access Control

http://www.sxc.hu/browse.phtml?f=download&id=527569http://www.sxc.hu/browse.phtml?f=download&id=527569

Page 18: Ajax Security

OWASP AppSec Europe 2006

Authentication

Don’t let any old caller in

What’s acceptable to be used without authentication?

Authenticating a new XMLHttpRequest session

Page 19: Ajax Security

OWASP AppSec Europe 2006

Ask...

Look ma! No

cookies!Look ma! No

cookies!

Page 20: Ajax Security

OWASP AppSec Europe 2006

and ye shall receive

Yeah

Baby!Yeah

Baby!

Come to

papa!Come to

papa!

Page 21: Ajax Security

OWASP AppSec Europe 2006

Authorization

Would you let Bart call your admin function?

Page 22: Ajax Security

OWASP AppSec Europe 2006

Authorization

Use the same authorization method

Default deny; all actions should be denied unless allowed

Error responses for no authorization

Page 23: Ajax Security

OWASP AppSec Europe 2006Sessions and State Management

http://www.sxc.hu/browse.phtml?f=download&id=526216http://www.sxc.hu/browse.phtml?f=download&id=526216

Page 24: Ajax Security

OWASP AppSec Europe 2006

Session Fixation

Use toolkits which send session tokens

Use proper session management to maintain the session

All of the session attacks in the session chapter are still valid

Page 25: Ajax Security

OWASP AppSec Europe 2006

Cross-domain XML Http Requests

By security design, no browser supports this

Many designs want to do thisor already do this (Google Maps, etc)

How to do it safely?Only with federated security

Page 26: Ajax Security

OWASP AppSec Europe 2006

State management

In the good olde days, state was on the server

With Ajax, a lot more state is on the client Think “hidden fields” but so much worse

Page 27: Ajax Security

OWASP AppSec Europe 2006

Sending state

You can safely send state to the client for display purposes

... as long as it does not contain DOM injections

Only send state back if you do not have it on the server

Validate all state before use

Page 28: Ajax Security

OWASP AppSec Europe 2006

Exposing internal state

Just because it’s faster doesn’t mean it’s wiser

Keep sensitive state on the server, always Don’t obfuscate JavaScript - it’s hard enough

now

Page 29: Ajax Security

OWASP AppSec Europe 2006Ajax Attack Prevention

Page 30: Ajax Security

OWASP AppSec Europe 2006

Injection Attacks

PHP toolkits: look for code injection attacks JSON injection: be careful how you decode! DOM injection - client side attacks now

much easier XML injection - both client and server side Code injection - both client and server side

Page 31: Ajax Security

OWASP AppSec Europe 2006

Data validation

Data obtained via the XMLHttpRequest path must be validated

Perform validation after authorization checks Validate using same paths as existing code If you (de-)serialize, be aware of XML

injection

Page 32: Ajax Security

OWASP AppSec Europe 2006Ajax Attack Prevention

http://www.sxc.hu/browse.phtml?f=download&id=527569http://www.sxc.hu/browse.phtml?f=download&id=527569

Page 33: Ajax Security

OWASP AppSec Europe 2006

Reconstructing Ajax API

Many Ajax apps have been “decoded”

e.g. libgmail, GMail Agent API, gmail.py, etc

Spawned GMailFS, Win32 Gmail clients, etc

Do not assume your app is special - it will be decoded!

GMail Agent API in action

Page 34: Ajax Security

OWASP AppSec Europe 2006

GET Ajax Session

Page 35: Ajax Security

OWASP AppSec Europe 2006

Pseudo API Injection

Most PHP AJAX tool kits allow remote code injection by allowing client-side server code invocation

eg: AJason, JPSpan and CPAINT

Page 36: Ajax Security

OWASP AppSec Europe 2006

Psuedo API

Guess what I can do?

Create proxy façades

Page 37: Ajax Security

OWASP AppSec Europe 2006

Error Handling

Error handling is often neglected

Do not use Javascriptalert()

Parentless window syndrome

Page 38: Ajax Security

Copyright © 2006 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation

OWASPAppSecEurope

http://www.owasp.org/

May 2006

Questions

Andrew van der [email protected]

Andrew’s OWASP EU talks sponsored by