OWASP AppSecEU2006: AJAX Security
Added: August 30, 2007

Presentation transcript

Ajax Security
Andrew van der Stock, vanderaj@owasp.org

AJAX and Security
- Ajax: limited guidance
- New chapter in the Guide
(Image from Hellenic Art)

Compliance
(Image: http://www.imageafter.com/image.php?image=b19objects_signs090.jpg&size=full&download=no)

Accessibility
- Accessibility is mandatory by law, except for 'justifiable hardship'
- Corporations and governments: no choice - do it!
- Personal web sites: no one will come after you... but...

Accessibility
- Does it validate with the W3C WAI validator?
- Accessibility aids (zoom, readers, etc.)
- Back button issues

Privacy
- Ajax has client-side state
- Local storage
- Caching
- Mash ups

Privacy ... not
- JavaScript is clear text, often cached regardless of browser settings
- Not private in any way

Privacy ... not
- The DOM can be manipulated by hostile code
- Not private in any way

Privacy ... not
- Dojo.Storage uses Flash as the 'solution' for client-side persistent storage
- Not private in any way
- Often used for cross-domain postings... ARGH

Mash ups
- Who owns the data?
- Who gets the data?
- How are they going to handle it?

An example of a mash up
Credit Rating Mashup (three slides, title only in the transcript)
Contentious issues (two slides, title only in the transcript)

Access Control
(Image: http://www.sxc.hu/browse.phtml?f=download&id=527569)

Authentication
- Don't let any old caller in
- What's acceptable to be used without authentication?
- Authenticating a new XMLHttpRequest session

Ask...
- Look ma! No cookies!

... and ye shall receive
- Yeah Baby! Come to papa!

Authorization
- Would you let Bart call your admin function?

Authorization
- Use the same authorization method
- Default deny: all actions should be denied unless allowed
- Error responses for no authorization

Sessions and State Management
(Image: http://www.sxc.hu/browse.phtml?f=download&id=526216)

Session Fixation
- Use toolkits which send session tokens
- Use proper session management to maintain the session
- All of the session attacks in the session chapter are still valid

Cross-domain XML Http Requests
- By security design, no browser supports this
- Many designs want to do this or already do this (Google Maps, etc.)
- How to do it safely? Only with federated security

State management
- In the good olde days, state was on the server
- With Ajax, a lot more state is on the client
- Think 'hidden fields', but so much worse

Sending state
- You can safely send state to the client for display purposes... as long as it does not contain DOM injections
- Only send state back if you do not have it on the server
- Validate all state before use

Exposing internal state
- Just because it's faster doesn't mean it's wiser
- Keep sensitive state on the server, always
- Don't obfuscate JavaScript - it's hard enough now

Ajax Attack Prevention

Injection Attacks
- PHP toolkits: look for code injection attacks
- JSON injection: be careful how you decode!
- DOM injection: client-side attacks now much easier
- XML injection: both client and server side
- Code injection: both client and server side

Data validation
- Data obtained via the XMLHttpRequest path must be validated
- Perform validation after authorization checks
- Validate using the same paths as existing code
- If you (de-)serialize, be aware of XML injection

Ajax Attack Prevention
(Image: http://www.sxc.hu/browse.phtml?f=download&id=527569)

Reconstructing Ajax API
- Many Ajax apps have been 'decoded', e.g. libgmail, GMail Agent API, gmail.py, etc.
- Spawned GMailFS, Win32 Gmail clients, etc.
- Do not assume your app is special - it will be decoded!
- GMail Agent API in action

GET Ajax Session
(title only in the transcript)

Pseudo API Injection
- Most PHP AJAX toolkits allow remote code injection by allowing client-side invocation of server code, e.g. AJason, JPSpan and CPAINT

Pseudo API
- Guess what I can do?
- Create proxy façades

Error Handling
- Error handling is often neglected
- Do not use JavaScript alert()
- Parentless window syndrome

Questions
Andrew van der Stock, vanderaj@owasp.org
Andrew's OWASP EU talks sponsored by
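The "JSON injection: be careful how you decode!" point from the Injection Attacks slide, as an added example that is not part of the talk. At the time of the talk the common browser idiom was to evaluate the XMLHttpRequest response with eval(); JSON.parse (standardised later, in ES5) accepts only the JSON grammar. The two sample responses are constructed, and the names decodeWithEval, decodeJson and isAccountSummary are invented for this example.

```javascript
// Added example, not from the talk: decoding an Ajax JSON response safely.
// The legacy idiom eval('(' + xhr.responseText + ')') executes whatever
// JavaScript the response carries; JSON.parse accepts only the JSON grammar,
// and a shape check afterwards rejects well-formed JSON of the wrong type.

// Constructed sample response, as a server might return it to XMLHttpRequest.
const GOOD_RESPONSE = '{"user":"alice","balance":42}';
// Constructed: valid JavaScript but not valid JSON. A parenthesised expression
// with a visible side effect stands in for "any code the response might carry".
const NON_JSON_RESPONSE =
  '{"user":"alice","balance":(globalThis.evalRan = true, 42)}';

// Legacy decoder: the whole response is evaluated as a JavaScript expression.
function decodeWithEval(text) {
  return eval('(' + text + ')'); // runs any code contained in text
}

// Hardened decoder: strict JSON parse, then a structural check. Returns a
// result object instead of throwing so the caller can render an error state.
function decodeJson(text, isExpectedShape) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (err) {
    return { ok: false, error: 'response is not JSON: ' + err.message };
  }
  if (!isExpectedShape(value)) {
    return { ok: false, error: 'response has unexpected shape' };
  }
  return { ok: true, value };
}

// Shape check for the account-summary message used in this example:
// a plain object with a string user and a finite numeric balance.
function isAccountSummary(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) &&
    typeof v.user === 'string' && typeof v.balance === 'number' &&
    Number.isFinite(v.balance);
}

// Stand-alone demo when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeJson(GOOD_RESPONSE, isAccountSummary));
  console.log(decodeJson(NON_JSON_RESPONSE, isAccountSummary));
}
```

The shape check matters as much as the parser: JSON.parse happily returns an array or a string where the code expects an object, and the talk's "validate all state before use" applies to responses coming back to the client as well as to state sent up to the server.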
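The Authorization slide (same authorization method, default deny, error responses for no authorization), the Session Fixation slide (reuse the site's proper session management for the XMLHttpRequest path) and the Data validation slide (validate after the authorization check), as one added server-side example in JavaScript that is not part of the talk. The session store, the policy table and the names SESSIONS, POLICY, VALIDATORS, isAuthorized and handleAjax are all constructed for this example; a real application would call its existing session manager in place of the Map.

```javascript
// Added example, not from the talk: a default-deny gate for an Ajax endpoint.
// The request is authenticated with the site's existing session store,
// authorised against an allow-list (unknown actions are denied), and only
// then are the client-supplied parameters validated. Every name here
// (SESSIONS, POLICY, VALIDATORS, handleAjax) is invented for the example.

// Constructed session store: token -> principal. A real application would
// call the same session manager the non-Ajax pages use.
const SESSIONS = new Map([
  ['tok-alice', { user: 'alice', roles: ['user'] }],
  ['tok-admin', { user: 'mary', roles: ['user', 'admin'] }],
]);

// Allow-list of action -> roles permitted to call it. Anything absent is denied.
const POLICY = {
  'account.summary': ['user'],
  'admin.deleteUser': ['admin'],
};

// hasOwnProperty guards against action names such as "toString" matching
// inherited Object properties rather than real policy entries.
function isAuthorized(principal, action) {
  const allowedRoles = Object.prototype.hasOwnProperty.call(POLICY, action)
    ? POLICY[action] : [];
  return principal.roles.some((role) => allowedRoles.includes(role));
}

// Validators for client-sent state, per action. Run only after authorisation,
// so an unauthenticated or forbidden caller never reaches parsing logic.
const VALIDATORS = {
  'account.summary': (p) =>
    p !== null && typeof p === 'object' && Object.keys(p).length === 0,
  'admin.deleteUser': (p) =>
    p !== null && typeof p === 'object' && typeof p.user === 'string' &&
    /^[a-z0-9_]{1,32}$/.test(p.user),
};

// req: { sessionToken, action, params } as decoded from the XMLHttpRequest.
// Returns an HTTP-style status and JSON body; denials are explicit error
// responses rather than a silent no-op.
function handleAjax(req) {
  const principal = SESSIONS.get(req.sessionToken);
  if (!principal) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  if (!isAuthorized(principal, req.action)) {
    return { status: 403, body: { error: 'action not permitted' } };
  }
  if (!VALIDATORS[req.action](req.params)) {
    return { status: 400, body: { error: 'invalid parameters' } };
  }
  return { status: 200, body: { ok: true, action: req.action, by: principal.user } };
}

// Stand-alone demo when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(handleAjax({ sessionToken: 'tok-alice', action: 'admin.deleteUser', params: { user: 'bob' } }));
  console.log(handleAjax({ sessionToken: 'tok-admin', action: 'admin.deleteUser', params: { user: 'bob' } }));
}
```

The ordering is the point of the Data validation slide: authentication, then authorization, then validation. Because the policy lookup only matches own properties, an action the table does not list is denied with a 403 before any validator runs, which is the "default deny" the talk asks for.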