SlideShare uma empresa Scribd logo

AJAX: How to Divert Threats

Cenzic
Cenzic

Watch this applicaiton security presentation on AJAX: How to Divert Threats presented at the 2010 SANS Conference by Cenzic CTO, Lars Ewe

Tecnologia
1 de 33
Baixar para ler offline
AJAX: How to Divert Threats Lars Ewe, CTO & VP of Engineering
Agenda  What is AJAX?  AJAX and the Same Origin Policy  AJAX Frameworks  AJAX and Web App Security  AJAX and Test Automation  Vulnerability Examples  AJAX Best Practices Q&A Cenzic Confidential 2
What is AJAX?  Asynchronous JavaScript And XML  AJAX allows for a new generation of more dynamic, more interactive, faster Web 2.0 applications  AJAX leverages existing technologies, such as Dynamic HTML (DHTML), Cascading Style Sheets (CSS), Document Object Model (DOM), JavaScript Object Notation (JSON), etc., and the (a)synchronous XMLHTTPRequest (XHR)  Not just a set of technologies, but a new Web application development approach and methodology Cenzic Confidential 3
What is AJAX? (contd.)  XHR allows for (a)synchronous server requests without the need for a full page reload  XHR “downstream” payload can be  XML, JSON, HTML/JS snippets, plain text, serialized data, basically pretty much anything…  Response often results in dynamic web page content changes through DOM modifications Cenzic Confidential 4
AJAX Code Example xhr = new XMLHttpRequest(); xhr.open("GET", “http://www.foobar.com”, true); xhr.onreadystatechange = processResponse; xhr.send(null); function processResponse () { if (xhr.readyState == 4) { if (request.status == 200) { response = xhr.responseText; ........ } } } Cenzic Confidential 5
AJAX Example #1 Cenzic Confidential 6
AJAX Example #1 Cenzic Confidential 7
AJAX Example #1 Cenzic Confidential 8
AJAX Example #2 Cenzic Confidential 9
AJAX Example #2 Cenzic Confidential 10
AJAX Example #2 Cenzic Confidential 11
AJAX Example #3 Cenzic Confidential 12
AJAX Example #3 Cenzic Confidential 13
AJAX Example #3 Cenzic Confidential 14
AJAX Deployment Statistics  Cenzic CTS (SaaS): ~30% of recently tested applications use AJAX  >50% AJAX developer growth year-over-year – Evans Data, 2007  ~3.5 million AJAX developers worldwide – Evans Data, 2007  60% of new application projects will use Rich Internet Application (RIA) technologies such as AJAX within the next three years – Gartner, 2007 Cenzic Confidential 15
AJAX and the Same Origin Policy  Same origin policy is a key browser security mechanism  To prevent any cross-domain data leakage, etc.  With JavaScript it doesn’t allow JavaScript from origin A to access content / data from origin B  Origin refers to the domain name, port, and protocol  In the case of XHR, the same origin policy does not allow for any cross-domain XHR requests  Developers often don’t like this at all! Cenzic Confidential 16
Common Cross Domain Workarounds Cross-domain access is often still implemented by various means, such as Open / Application proxies Flash & Java Applets (depending on crossdomain.xml config)  E.g. FlashXMLHttpRequest by Julien Couvreur RESTful web service with JavaScript callback and JSON response  E.g. JSONscriptRequest by Jason Levitt Cenzic Confidential 17
AJAX Frameworks  AJAX frameworks often categorized as either “Client” or “Proxy/Server” framework  “Proxy/Server” frameworks often result in unintended method / functionality exposure  Beware of any kind of “Debugging mode” (e.g. Direct Web Remoting (DWR) debug = true)  Remember: Attackers can easily “fingerprint” AJAX frameworks  Beware of JavaScript Hijacking  Don't use HTTP GET for “upstream”  Prefix “downstream” JavaScript with while(1); Cenzic Confidential 18
19
AJAX and Web App Security  AJAX potentially increases the attack surface  More “hidden” calls mean more potential security holes  AJAX developers sometimes pay less attention to security, due to it’s “hidden” nature  Basically the old mistake of security by obscurity  AJAX developers sometimes tend to rely on client side validation  An approach that is just as flawed with or without AJAX Cenzic Confidential 20
AJAX and Web App Security (contd.)  Mash-up calls / functionality are often less secure by design  3rd party APIs (e.g. feeds, blogs, search APIs, etc.) are often designed with ease of use, not security in mind  Mash-ups often lack clear security boundaries (who validates, who filters, who encodes / decodes, etc.)  Mash-ups often result in untrusted cross- domain access workarounds  AJAX sometimes promotes dynamic code (JavaScript) execution of untrusted response data Cenzic Confidential 21
The Bottom Line… AJAX adds to the problem of well-known Web application vulnerabilities. Cenzic Confidential 22
AJAX / Web 2.0 and Test Automation  Spidering is more complex than just processing ANCHOR HREF’s; various events need to be simulated (e.g. mouseover, keydown, keyup, onclick, onfocus, onblur, etc.)  Timer events and dynamic DOM changes need to be observed  Use of non-standard data formats for both requests and responses make injection and detection hard to automate  Page changes after XHR requests can sometimes be delayed  In short, you need to have browser like behavior (JavaScript engine, DOM & event management, etc.) 23
Common Web App Vulnerabilities SQL Injection  What is it?: Database contents are compromised or disclosed by the use of specially crafted input that manipulates SQL Query Logic.  Root Cause: Failure to properly scrub, reject, or escape domain- specific SQL characters from an input vector.  Impact: Data confidentiality, integrity, and availability with the ability to read, modify, delete, or even drop database tables.  Solution: Use parameterized SQL statements. Define accepted character-sets for input vectors, and enforce these white lists rigorously. Force input to conform to specific patterns when other special characters are needed: dd-mm-yyyy. Validate data length of all inputs. Cenzic Confidential 24
Common Web App Vulnerabilities Cross-Site Scripting (XSS)  What is it?: The Web Application is used to store, transport, and deliver malicious active content to an unsuspecting user.  Root Cause: Failure to proactively reject or scrub malicious characters from input vectors.  Impact: Persistent XSS is stored and executed at a later time, by a user. Allows cookie theft, credential theft, data confidentiality, integrity, and availability risks. Browser Hijacking and Unauthorized Access to Web Application is possible using existing exploits.  Solution: A global as well as Form and Field specific policy for handling untrusted content. Use white lists and regular expressions to ensure input data conforms to the required character set, size, and syntax. Cenzic Confidential 25
Common Web App Vulnerabilities Cross-Site Request Forgery (CSRF)  What is it?: Basic Web Application session management behavior is exploited to make legitimate user requests without the user’s knowledge or consent.  Root Cause: Basic session id management that is vulnerable to exploitation (e.g. cookie-based).  Impact: Attackers can make legitimate Web requests from the victim’s browser without the victim’s knowledge or consent, allowing legitimate transactions in the user’s name. This can results in a broad variety of possible exploits.  Solution: Enhance session management by using non-predictable “nonce” or other unique one-time tokens in addition to common session identifiers, as well as the validation of HTTP Referrer headers. Cenzic Confidential 26
JavaScript Hijacking  What is it?: An attack vector specific to JavaScript messages. Confidential data contained in JavaScript messages is being accessed by the attacker despite the browser’s some origin policy.  Root Cause: The <script> tag circumvents the browser’s same origin policy. In some cases the attacker can set up an environment that lets him or her observe the execution of certain aspects of the JavaScript message. Examples: Override/implement native Object constructors (e.g. Array) or callback function. This can result in access to the data loaded by the <script> tag.  Impact: Data confidentiality, integrity, and availability with the ability to access any confidential data transferred by JavaScript.  Solution: Implement CSRF defense mechanisms; prevent the direct execution of the JavaScript message. Wrap your JavaScript with non- executable pre- and suffixes that get stripped off prior to execution of the sanitized JavaScript. Example: Prefix your JavaScript with while(1); Cenzic Confidential 27
JavaScript Hijacking Examples Example #1: Override Array Constructor Attacker code (override Array constructor) <script> function Array(){ /* Put hack to access Array elements here */ } </script> AJAX Call <script src="http://put_AJAX_call_here" type="text/javascript"></script> Example AJAX response ["foo1","bar1"],["foo2","bar2"] Cenzic Confidential 28
JavaScript Hijacking Examples Example #2: Implement Callback Attacker code (implement callback) <script> function callback(foo){ /* Put hack to access callback data here */ } </script> AJAX Call <script src="http://put_AJAX_call_here" type="text/javascript"></script> Example AJAX response callback(["foo","bar"]); Cenzic Confidential 29
Preventing JavaScript Hijacking A simple code example var object; var xhr = new XMLHttpRequest(); xhr.open("GET", "/object.json",true); xhr.onreadystatechange = function () { if (xhr.readyState == 4) { var txt = xhr.responseText; if (txt.substr(0,9) == "while(1);") { txt = txt.substring(10); Object = eval("(" + txt + ")"); } } }; xhr.send(null); Remember, the attacker cannot sanitize the JavaScript, since they are relying on the <script> tag Also see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf Cenzic Confidential 30
AJAX Best Practices Pretty much all the usual Web app security best practices apply:  Analyze and know your security boundaries and attack surfaces  Beware of reliance on client-side security measures  Always implement strong server side input & parameter validation (black & whitelisting)  Test against a robust set of evasion rules  Remember: The client can never be trusted!  Assume the worst case scenario for all 3rd party interactions  3rd parties can inherently not be trusted! Cenzic Confidential 31
AJAX Best Practices (contd.)  Be extremely careful when circumventing same origin policy  Avoid / Limit the use of dynamic code / eval()  Beware of JavaScript Hijacking (prefix JavaScript with while(1);)  Implement anti-CSRF defenses  Escape special characters before sending them to the browser (e.g. < to &lt;)  Leverage HTTPS for sensitive data, use HTTPOnly & Secure cookie flags  Use parameterized SQL for any DB queries  Also see owasp.org and OWASP dev guide Cenzic Confidential Cenzic Confidential 32
Questions? Lars Ewe, CTO www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)

Recomendados

Ajax Security Dangers
Ajax Security DangersAjax Security Dangers
Ajax Security Dangersdrkimsky
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016Julia Logan a.k.a. IrishWonder
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - securitydzhengo44
 
Ajax Security
Ajax SecurityAjax Security
Ajax SecurityRoberto Suggi Liverani
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking IntroAditya Kamat
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security NinjaPaul Gilzow
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 

Recomendados

Ajax Security Dangers
Ajax Security DangersAjax Security Dangers
Ajax Security Dangersdrkimsky
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016Julia Logan a.k.a. IrishWonder
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - securitydzhengo44
 
Ajax Security
Ajax SecurityAjax Security
Ajax SecurityRoberto Suggi Liverani
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking IntroAditya Kamat
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security NinjaPaul Gilzow
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Web Hacking
Web HackingWeb Hacking
Web HackingInformation Technology
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web SecuritySharePointRadi
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack PresentationKhoa Nguyen
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
Antiviruxss
AntiviruxssAntiviruxss
AntiviruxssMarcusgcm
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404sRonan Dunne, CEH, SSCP
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 

Mais conteúdo relacionado

Mais procurados

Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack PresentationKhoa Nguyen
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 

Mais procurados (20)

Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)
 
Antiviruxss
AntiviruxssAntiviruxss
Antiviruxss
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404s
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 

Semelhante a AJAX: How to Divert Threats

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsVagner Santana
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...IBM Rational software
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeFastly
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernQuek Lilian
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website أحلام انصارى
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)ColdFusionConference
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilitiesAngelinaJasper
 

Semelhante a AJAX: How to Divert Threats (20)

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
 
1158 subverting ajax
1158 subverting ajax1158 subverting ajax
1158 subverting ajax
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Security
Web SecurityWeb Security
Web Security
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok Chern
 
Day8
Day8Day8
Day8
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website
 
WebSec_MSR.ppt
WebSec_MSR.pptWebSec_MSR.ppt
WebSec_MSR.ppt
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
 

Mais de Cenzic

Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityCenzic
 
How to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingHow to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingCenzic
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Ians cenzic webinar
Ians cenzic webinarIans cenzic webinar
Ians cenzic webinarCenzic
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Cenzic
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
HARM Score: Approaches to Quantitative Risk Analysis for Web ApplicationsHARM Score: Approaches to Quantitative Risk Analysis for Web Applications
HARM Score: Approaches to Quantitative Risk Analysis for Web ApplicationsCenzic
 

Mais de Cenzic (8)

Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application Security
 
How to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingHow to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security Testing
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Ians cenzic webinar
Ians cenzic webinarIans cenzic webinar
Ians cenzic webinar
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
HARM Score: Approaches to Quantitative Risk Analysis for Web ApplicationsHARM Score: Approaches to Quantitative Risk Analysis for Web Applications
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
 

Último

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Último (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

AJAX: How to Divert Threats

  • 1. AJAX: How to Divert Threats Lars Ewe, CTO & VP of Engineering
  • 2. Agenda  What is AJAX?  AJAX and the Same Origin Policy  AJAX Frameworks  AJAX and Web App Security  AJAX and Test Automation  Vulnerability Examples  AJAX Best Practices Q&A Cenzic Confidential 2
  • 3. What is AJAX?  Asynchronous JavaScript And XML  AJAX allows for a new generation of more dynamic, more interactive, faster Web 2.0 applications  AJAX leverages existing technologies, such as Dynamic HTML (DHTML), Cascading Style Sheets (CSS), Document Object Model (DOM), JavaScript Object Notation (JSON), etc., and the (a)synchronous XMLHTTPRequest (XHR)  Not just a set of technologies, but a new Web application development approach and methodology Cenzic Confidential 3
  • 4. What is AJAX? (contd.)  XHR allows for (a)synchronous server requests without the need for a full page reload  XHR “downstream” payload can be  XML, JSON, HTML/JS snippets, plain text, serialized data, basically pretty much anything…  Response often results in dynamic web page content changes through DOM modifications Cenzic Confidential 4
  • 5. AJAX Code Example xhr = new XMLHttpRequest(); xhr.open("GET", “http://www.foobar.com”, true); xhr.onreadystatechange = processResponse; xhr.send(null); function processResponse () { if (xhr.readyState == 4) { if (request.status == 200) { response = xhr.responseText; ........ } } } Cenzic Confidential 5
  • 6. AJAX Example #1 Cenzic Confidential 6
  • 7. AJAX Example #1 Cenzic Confidential 7
  • 8. AJAX Example #1 Cenzic Confidential 8
  • 9. AJAX Example #2 Cenzic Confidential 9
  • 10. AJAX Example #2 Cenzic Confidential 10
  • 11. AJAX Example #2 Cenzic Confidential 11
  • 12. AJAX Example #3 Cenzic Confidential 12
  • 13. AJAX Example #3 Cenzic Confidential 13
  • 14. AJAX Example #3 Cenzic Confidential 14
  • 15. AJAX Deployment Statistics  Cenzic CTS (SaaS): ~30% of recently tested applications use AJAX  >50% AJAX developer growth year-over-year – Evans Data, 2007  ~3.5 million AJAX developers worldwide – Evans Data, 2007  60% of new application projects will use Rich Internet Application (RIA) technologies such as AJAX within the next three years – Gartner, 2007 Cenzic Confidential 15
  • 16. AJAX and the Same Origin Policy  Same origin policy is a key browser security mechanism  To prevent any cross-domain data leakage, etc.  With JavaScript it doesn’t allow JavaScript from origin A to access content / data from origin B  Origin refers to the domain name, port, and protocol  In the case of XHR, the same origin policy does not allow for any cross-domain XHR requests  Developers often don’t like this at all! Cenzic Confidential 16
  • 17. Common Cross Domain Workarounds Cross-domain access is often still implemented by various means, such as Open / Application proxies Flash & Java Applets (depending on crossdomain.xml config)  E.g. FlashXMLHttpRequest by Julien Couvreur RESTful web service with JavaScript callback and JSON response  E.g. JSONscriptRequest by Jason Levitt Cenzic Confidential 17
  • 18. AJAX Frameworks  AJAX frameworks often categorized as either “Client” or “Proxy/Server” framework  “Proxy/Server” frameworks often result in unintended method / functionality exposure  Beware of any kind of “Debugging mode” (e.g. Direct Web Remoting (DWR) debug = true)  Remember: Attackers can easily “fingerprint” AJAX frameworks  Beware of JavaScript Hijacking  Don't use HTTP GET for “upstream”  Prefix “downstream” JavaScript with while(1); Cenzic Confidential 18
  • 19. 19
  • 20. AJAX and Web App Security  AJAX potentially increases the attack surface  More “hidden” calls mean more potential security holes  AJAX developers sometimes pay less attention to security, due to it’s “hidden” nature  Basically the old mistake of security by obscurity  AJAX developers sometimes tend to rely on client side validation  An approach that is just as flawed with or without AJAX Cenzic Confidential 20
  • 21. AJAX and Web App Security (contd.)  Mash-up calls / functionality are often less secure by design  3rd party APIs (e.g. feeds, blogs, search APIs, etc.) are often designed with ease of use, not security in mind  Mash-ups often lack clear security boundaries (who validates, who filters, who encodes / decodes, etc.)  Mash-ups often result in untrusted cross- domain access workarounds  AJAX sometimes promotes dynamic code (JavaScript) execution of untrusted response data Cenzic Confidential 21
  • 22. The Bottom Line… AJAX adds to the problem of well-known Web application vulnerabilities. Cenzic Confidential 22
  • 23. AJAX / Web 2.0 and Test Automation  Spidering is more complex than just processing ANCHOR HREF’s; various events need to be simulated (e.g. mouseover, keydown, keyup, onclick, onfocus, onblur, etc.)  Timer events and dynamic DOM changes need to be observed  Use of non-standard data formats for both requests and responses make injection and detection hard to automate  Page changes after XHR requests can sometimes be delayed  In short, you need to have browser like behavior (JavaScript engine, DOM & event management, etc.) 23
  • 24. Common Web App Vulnerabilities SQL Injection  What is it?: Database contents are compromised or disclosed by the use of specially crafted input that manipulates SQL Query Logic.  Root Cause: Failure to properly scrub, reject, or escape domain- specific SQL characters from an input vector.  Impact: Data confidentiality, integrity, and availability with the ability to read, modify, delete, or even drop database tables.  Solution: Use parameterized SQL statements. Define accepted character-sets for input vectors, and enforce these white lists rigorously. Force input to conform to specific patterns when other special characters are needed: dd-mm-yyyy. Validate data length of all inputs. Cenzic Confidential 24
  • 25. Common Web App Vulnerabilities Cross-Site Scripting (XSS)  What is it?: The Web Application is used to store, transport, and deliver malicious active content to an unsuspecting user.  Root Cause: Failure to proactively reject or scrub malicious characters from input vectors.  Impact: Persistent XSS is stored and executed at a later time, by a user. Allows cookie theft, credential theft, data confidentiality, integrity, and availability risks. Browser Hijacking and Unauthorized Access to Web Application is possible using existing exploits.  Solution: A global as well as Form and Field specific policy for handling untrusted content. Use white lists and regular expressions to ensure input data conforms to the required character set, size, and syntax. Cenzic Confidential 25
  • 26. Common Web App Vulnerabilities Cross-Site Request Forgery (CSRF)  What is it?: Basic Web Application session management behavior is exploited to make legitimate user requests without the user’s knowledge or consent.  Root Cause: Basic session id management that is vulnerable to exploitation (e.g. cookie-based).  Impact: Attackers can make legitimate Web requests from the victim’s browser without the victim’s knowledge or consent, allowing legitimate transactions in the user’s name. This can results in a broad variety of possible exploits.  Solution: Enhance session management by using non-predictable “nonce” or other unique one-time tokens in addition to common session identifiers, as well as the validation of HTTP Referrer headers. Cenzic Confidential 26
  • 27. JavaScript Hijacking  What is it?: An attack vector specific to JavaScript messages. Confidential data contained in JavaScript messages is being accessed by the attacker despite the browser’s some origin policy.  Root Cause: The <script> tag circumvents the browser’s same origin policy. In some cases the attacker can set up an environment that lets him or her observe the execution of certain aspects of the JavaScript message. Examples: Override/implement native Object constructors (e.g. Array) or callback function. This can result in access to the data loaded by the <script> tag.  Impact: Data confidentiality, integrity, and availability with the ability to access any confidential data transferred by JavaScript.  Solution: Implement CSRF defense mechanisms; prevent the direct execution of the JavaScript message. Wrap your JavaScript with non- executable pre- and suffixes that get stripped off prior to execution of the sanitized JavaScript. Example: Prefix your JavaScript with while(1); Cenzic Confidential 27
  • 28. JavaScript Hijacking Examples Example #1: Override Array Constructor Attacker code (override Array constructor) <script> function Array(){ /* Put hack to access Array elements here */ } </script> AJAX Call <script src="http://put_AJAX_call_here" type="text/javascript"></script> Example AJAX response ["foo1","bar1"],["foo2","bar2"] Cenzic Confidential 28
  • 29. JavaScript Hijacking Examples Example #2: Implement Callback Attacker code (implement callback) <script> function callback(foo){ /* Put hack to access callback data here */ } </script> AJAX Call <script src="http://put_AJAX_call_here" type="text/javascript"></script> Example AJAX response callback(["foo","bar"]); Cenzic Confidential 29
  • 30. Preventing JavaScript Hijacking A simple code example var object; var xhr = new XMLHttpRequest(); xhr.open("GET", "/object.json",true); xhr.onreadystatechange = function () { if (xhr.readyState == 4) { var txt = xhr.responseText; if (txt.substr(0,9) == "while(1);") { txt = txt.substring(10); Object = eval("(" + txt + ")"); } } }; xhr.send(null); Remember, the attacker cannot sanitize the JavaScript, since they are relying on the <script> tag Also see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf Cenzic Confidential 30
  • 31. AJAX Best Practices Pretty much all the usual Web app security best practices apply:  Analyze and know your security boundaries and attack surfaces  Beware of reliance on client-side security measures  Always implement strong server side input & parameter validation (black & whitelisting)  Test against a robust set of evasion rules  Remember: The client can never be trusted!  Assume the worst case scenario for all 3rd party interactions  3rd parties can inherently not be trusted! Cenzic Confidential 31
  • 32. AJAX Best Practices (contd.)  Be extremely careful when circumventing same origin policy  Avoid / Limit the use of dynamic code / eval()  Beware of JavaScript Hijacking (prefix JavaScript with while(1);)  Implement anti-CSRF defenses  Escape special characters before sending them to the browser (e.g. < to &lt;)  Leverage HTTPS for sensitive data, use HTTPOnly & Secure cookie flags  Use parameterized SQL for any DB queries  Also see owasp.org and OWASP dev guide Cenzic Confidential Cenzic Confidential 32
  • 33. Questions? Lars Ewe, CTO www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)