Hilton Giesenow, Software Architect, ConseQuent Software Development, [email protected]
TRANSCRIPT
Page 1
Hilton Giesenow
Software Architect
ConseQuent Software Development
Page 2
Improving end-user perception and usability
New functionality
Improving network/bandwidth usage
Improving approach to scripting
Page 3
AJAX has some security issues... Be prepared! (at least from a security perspective)
Page 4
AJAX
Page 5
AJAX is more difficult to secure!
More complex: C#, HTML, CSS, Javascript, JSON, Web Services, ...
More complexity: the API is more open & more fine-grained, giving a larger attack surface (at various levels)
More transparent
Page 7
Uses the XmlHttpRequest (XHR) object
Sends ANY http method (the browser refuses only a few, such as CONNECT, TRACE and TRACK): simple (GET, POST, HEAD), WebDav (COPY, DELETE)
Fetch any kind of resource: XML, HTML, plain text, JSON, images, Flash, media, Silverlight, script...
Limited to source domain ("Same Origin Policy")

```javascript
var req;                       // declared, not an implicit global

function loadXMLDoc(url) {
  req = new XMLHttpRequest();
  req.onreadystatechange = processResult;
  req.open("GET", url, true);  // true = asynchronous
  req.send(null);
}

function processResult() {
  if (req.readyState == 4) {   // request complete
    if (req.status == 200) {
      // process response (req.responseText / req.responseXML)
    } else {
      // handle error
    }
  }
}
```
Page 8
Attacks involve sending malformed commands: HTML tags submitted, malformed image, SQL Injection (ViewProduct.aspx?id=-1), unsecured pages...
These tend to be 'edge' cases
Page 9
Attacker is now 'inside' your application!
Increased knowledge: function names, parameters, return types, etc. The entire API is visible.
Page 13
Larger attack surface: "what we do" vs. "how we do it"
DoS (Google Suggest)
Application logic
Page 14
What can we do?
Reduce transparency: obfuscate, uncomment (these also reduce file size)
Validate correctly and effectively
Reduce granularity
Page 15
Exposed Business Rules
Page 17
Exposed API – Web Service exploits!
WSDL exploits. So just disable the WSDL?
XML / JSON Hijacking
More options for parameter manipulation
Never trust the client: never assume the client is a browser; be careful what logic gets pushed to the client; never trust *any* client input
Page 18
'100%' Secure
Page 21
Mashups
Be careful of your partners and what you expose. Likewise in the other direction.
Page 22
SQL Injection
Actual code from a live ASP.NET AJAX site
Page 23
SQL Injection
Prototype Attacks: Javascript is a "prototype" language, so injected script can overwrite what XmlHttpRequest itself does!
Cross-Site Scripting and Request Hijacking
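Added example (editor's, not the slides' code) of the prototype attack named above: script that has already landed in the page replaces a method on XMLHttpRequest's prototype, and every later request the application makes passes through it. makeXhrClass() is a constructed stand-in for the browser object so that the code runs in Node; the freeze-based defence at the end is an assumption of this example, not something the slides prescribe.

```javascript
// Constructed stand-in for the browser's XMLHttpRequest with the same
// open/send surface, so the example runs outside a browser.
function makeXhrClass() {
  return class Xhr {
    open(method, url) { this.method = method; this.url = url; }
    send(body) { this.body = body; return { method: this.method, url: this.url, body }; }
  };
}

// Attacker side: injected script (e.g. via XSS) replaces send() on the shared
// prototype. The application's own code is unchanged but now reports to us.
const exfiltrated = [];   // stands in for a request to the attacker's server
function hijackXhr(Xhr) {
  const originalSend = Xhr.prototype.send;
  Xhr.prototype.send = function (body) {
    exfiltrated.push({ method: this.method, url: this.url, body });
    return originalSend.call(this, body);   // forward, so the victim sees nothing unusual
  };
}

// Application side: ordinary code, unaware of the patch.
function transfer(Xhr, amount) {
  const req = new Xhr();
  req.open('POST', '/Bank/Transfer');
  return req.send(JSON.stringify({ to: 'acct-9', amount }));
}

// Defence (assumed for this example): freeze the prototype before any
// third-party or injected script runs, so the assignment above fails. It does
// not help against script that runs earlier, and it does not stop an attacker
// replacing window.XMLHttpRequest itself with a different constructor.
function lockXhr(Xhr) {
  Object.freeze(Xhr.prototype);
  return Xhr;
}

// True if hijackXhr managed to change send(). Strict-mode code throws on the
// frozen assignment, sloppy-mode code ignores it; both cases are handled.
function tryHijack(Xhr) {
  const before = Xhr.prototype.send;
  try { hijackXhr(Xhr); } catch (e) { /* TypeError in strict mode */ }
  return Xhr.prototype.send !== before;
}
```

The forwarding call in the patched send() is what makes this class of attack hard to spot from the client side: the transfer still succeeds, the UI looks normal, and only the attacker knows a copy was taken.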
Page 24
http://blah.com/page1.asp?name=Hilton
<html>...<h1>Welcome back, Hilton</h1>...</html>

http://blah.com/page1.asp?name=<script>bad!</script>
<html>...<h1>Welcome back, <script>bad!</script></h1>...</html>
Page 25
Pre-AJAX injection: inject script into HTML text; inject script into fields written into tag attributes; CSS injection. Blind requests, cannot see the response.
With AJAX injection: JSON; self propagation!
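Added example (editor's, not the slides' code) for the page1.asp?name=... greeting on page 24 and the three injection sinks listed on this page: HTML text, tag attributes and CSS, plus a value dropped into a script block. The render functions, the title attribute and the colour parameter are constructed for the example; they are not ASP's or ASP.NET's API.

```javascript
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };

// HTML text nodes and *quoted* attribute values. An unquoted attribute has no
// terminator to escape, so the template must always quote.
function encodeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Values placed inside a JavaScript string literal (inline handlers, JSON in a
// script block). Everything outside a small alphanumeric set becomes \xHH or
// \uHHHH, so neither the closing quote nor </script> can appear literally.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9,._ ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Values placed in a CSS property (the slide's "CSS injection"): CSS hex
// escape for every character outside a conservative whitelist.
function encodeCssValue(s) {
  return String(s).replace(/[^A-Za-z0-9 #%.,-]/g, (c) => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// The page as the slide shows it: the name lands in the markup unchanged.
function renderWelcomeVulnerable(name) {
  return '<html><h1>Welcome back, ' + name + '</h1></html>';
}

// Hardened rendering: each sink gets the encoder for its own context.
function renderWelcome(name, colour) {
  return '<html>' +
    '<h1 title="' + encodeHtml(name) + '" style="color:' + encodeCssValue(colour) + '">' +
    'Welcome back, ' + encodeHtml(name) + '</h1>' +
    '<script>var user = "' + encodeJsString(name) + '";</script>' +
    '</html>';
}
```

The point of the three encoders is that one escaping routine does not fit every sink: HTML entities do nothing inside a script string, and a javascript: URL inside a CSS url() is untouched by both of the others.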
Page 26
New to AJAX? Nothing to do with your site's AJAX / non-AJAX
Injecting script (like XSS), here script that invokes XmlHttpRequest
AJAX requests look & function like normal requests: the browser can't tell the difference (HTTP/HTTPS, cookies, etc.)
Page 27
(Diagram) The victim logs in to the Online Banking site and receives a session cookie. The victim then browses to a malicious / infected website, whose script issues an xmlHttpRequest to the bank: Bank Transfer, authenticated, because the browser attaches the cookie. (Note that the same-origin policy stops a page on the attacker's domain from issuing an XMLHttpRequest to the bank directly; the forged request is sent with an auto-submitted form or image tag, or by script injected into the bank's own pages, and the browser attaches the cookie either way.)
Page 28
Very similar conceptually: XSS is more about harvesting info; XSRF is more about doing things under the user's account.
Page 29
October 2005 – 5th largest domain on the Internet infected
XSS exploit allowed <script> to be injected into a user's profile
Propagated via the infected page
Payload: used AJAX to redirect users and add 'Samy' to their friends list, and added 'Samy is my hero' to their profile
Page 30
Sample: <DIV id="myCode" expr="alert('HelloWorld');" style="background:url('javascript:eval(document.myCode.expr)')"></DIV>
(The payload sits in a custom attribute and the CSS background URL executes it, a trick that worked in the Internet Explorer of the day.)
See http://namb.la/popular/tech.html for all the details (from Samy himself)
Page 31
Gmail, NetFlix, Yahoo, many others...
Page 32
Lots of hype ("Bubble 2.0"), but lots of value too (did you come to the earlier session?)
AJAX can dramatically improve your site's user experience. But how do we secure it?
MySpace - $400m; YouTube - $Xm; Writely.com -> Google; Del.icio.us - $50m (Yahoo); Facebook: no to $700m
My site is for sale...
Page 33
HTTP GET disabled by default
Avoids hijacking of JSON responses via <script src=""> includes: a <script> tag can only issue a GET, so a POST-only JSON method cannot be pulled into a cross-site page
Page 34
Content-Type headers
ASP.NET *always requires* the Content-Type header to be set to application/json (a cross-site <form> or <script> cannot set it; an XMLHttpRequest can)
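Added example (editor's, not Microsoft's code): the two ASP.NET AJAX script-service rules from pages 33 and 34, POST only and Content-Type: application/json, modelled as a request filter, next to the three request shapes a browser can produce against it. handleJsonMethod, the account method and the request builders are constructed for the example.

```javascript
function isJsonContentType(value) {
  if (!value) return false;
  // Drop parameters such as "; charset=utf-8" and compare case-insensitively.
  return value.split(';')[0].trim().toLowerCase() === 'application/json';
}

// Gate in front of a JSON web method. Refuse before calling the method so no
// data is serialized for a request a cross-site page could have sent.
function handleJsonMethod(req, method) {
  if (req.method !== 'POST') return { status: 405, body: null };
  if (!isJsonContentType(req.headers['content-type'])) return { status: 415, body: null };
  let args;
  try { args = JSON.parse(req.body || '{}'); } catch (e) { return { status: 400, body: null }; }
  return { status: 200, body: JSON.stringify(method(args)) };
}

// A method whose output an attacker would like to read cross-site.
function getAccountSummary(args) {
  return { account: args.id, balance: 1234.56 };
}

// 1. <script src="https://bank.example/Account.asmx/GetSummary?id=1"> on the
//    attacker's page: always a GET, no body, no JSON content type.
function scriptIncludeRequest(url) {
  return { method: 'GET', url, headers: { accept: '*/*' }, body: null };
}

// 2. Auto-submitted <form method="POST"> on the attacker's page: the browser
//    attaches cookies, but the content type is fixed to a form encoding.
function formPostRequest(url, fields) {
  return { method: 'POST', url,
           headers: { 'content-type': 'application/x-www-form-urlencoded' },
           body: new URLSearchParams(fields).toString() };
}

// 3. XMLHttpRequest from the site's own page: can set the header the gate
//    demands. Cross-origin it is blocked by the same-origin policy, and today
//    a JSON content type also forces a CORS preflight the server must opt into.
function xhrJsonRequest(url, payload) {
  return { method: 'POST', url,
           headers: { 'content-type': 'application/json; charset=utf-8' },
           body: JSON.stringify(payload) };
}
```

Both rules are worthless if a method is switched to accept GET "for convenience" or if the content-type check is done with a substring match: the charset parameter and case variations are why the comparison above normalises the value first.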
Page 35
UpdatePanel vs. Web & Page Services: more bytes, but more security! (The UpdatePanel keeps the logic and the endpoints server-side instead of exposing fine-grained web and page methods.)
Page 36
AJAX is as 'clean' as you make it: "AJAX" security = "software" security
Never trust user input! Validation – data types, ranges, canonicalization, black AND white list. User != browser.
Reduce the attack surface: minimize exposed logic, minimize exposed endpoints
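Added example (editor's, not the slides' code) of the validation points above, applied to the ViewProduct.aspx?id=... parameter from page 8: type, canonical form, range and the difference between a whitelist and a blacklist. The function names and the product-id range are constructed for the example.

```javascript
const MAX_PRODUCT_ID = 999999999;   // assumed business range

// Loose: what many handlers do. parseInt stops at the first non-digit, so
// "1 OR 1=1" becomes 1 and the tail is silently discarded, while "-1" passes.
function looseProductId(raw) {
  const id = parseInt(raw, 10);
  return Number.isNaN(id) ? null : id;
}

// Strict whitelist: correct type, canonical digits only (no sign, whitespace,
// leading zeros, or 0x / exponent forms that Number() would accept), then range.
function parseProductId(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'type' };
  if (!/^(?:0|[1-9][0-9]*)$/.test(raw)) return { ok: false, reason: 'format' };
  const id = Number(raw);
  if (id < 1 || id > MAX_PRODUCT_ID) return { ok: false, reason: 'range' };
  return { ok: true, id };
}

// Blacklist for contrast: stripping "known bad" words is not validation. The
// attacker varies the spelling, and what remains is still not a product id.
function blacklistedProductId(raw) {
  return String(raw).replace(/\b(OR|AND|UNION|SELECT)\b/gi, '');
}
```

The strict parser returns a reason rather than a boolean so the rejection can be logged; which reason fires tells you whether you are looking at a broken client or a probe.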
Page 37
Microsoft ASP.NET AJAX Security Videos: http://msdn2.microsoft.com/en-us/security/aa570424.aspx
ASP.NET AJAX site: http://ajax.asp.net/
Team Blogs: http://blogs.msdn.com/
SPI Dynamics: http://www.spidynamics.com/
Open Web Application Security Project: http://www.owasp.org/
Page 38
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.