Ajax Security
  • Ajax was the son of Telamon, king of Salamis. After Achilles, he was the mightiest of the Greek heroes in the Trojan War. Ajax was a huge man, head and shoulders larger than the other Greeks, enormously strong but somewhat slow of speech. In the Iliad, he is often called the "wall" or "bulwark" (herkos) of the Greeks. When Achilles had withdrawn from the fighting at Troy, it was Ajax who went forth to meet Hector in single combat; by the time darkness fell the fight was still a stalemate, but Ajax had wounded Hector without sustaining injury himself. After Achilles' death, Ajax competed with Odysseus for the ownership of Achilles' armor. Both men delivered speeches explaining their own merits, but Odysseus was by far the more eloquent and won the prize. Ajax was driven mad by his disappointment. According to one account, he vowed vengeance on the Greeks and began slaughtering cattle, mistaking them for his former comrades-in-arms. He finally committed suicide. (From Hellenic Art.)
  • Transcript

    • 1. Ajax Security
      • Andrew van der Stock
      • [email_address]
    • 2. AJAX and Security
      • Ajax
      • Limited guidance
      • New chapter in Guide
      Image from Hellenic Art
    • 3. Compliance
    • 4. Accessibility
      • Accessibility is mandatory by law
        • Except for “justifiable hardship”
      • Corporations and governments
        • No choice - do it!
      • Personal web sites
        • No one will come after you... but...
    • 5. Accessibility
      • Does it validate with W3C WAI validator?
      • Accessibility aides (zoom, readers, etc)
      • Back button issues
    • 6. Privacy
      • Ajax has client side state
      • Local storage
      • Caching
      • Mash ups
    • 7. Privacy ... not
      • JavaScript is clear text
        • often cached regardless of browser settings
        • Not private in any way
    • 8. Privacy ... not
      • DOM can be manipulated by hostile code
        • Not private in any way
    • 9. Privacy ... not
      • Dojo.Storage uses Flash
        • “Solution” for client-side persistent storage
        • Not private in any way
        • Often used for cross-domain postings... ARGH
    • 10. Mash ups
      • Who owns the data?
      • Who gets the data?
      • How are they going to handle it?
    • 11. An example of a mash up
    • 12. Credit Rating Mashup
    • 13. Credit Rating Mashup
    • 14. Credit Rating Mashup
    • 15. Contentious issues
    • 16. Contentious issues
    • 17. Access Control
    • 18. Authentication
      • Don’t let any old caller in
      • What’s acceptable to be used without authentication?
      • Authenticating a new XMLHttpRequest session
    • 19. Ask... Look ma! No cookies!
    • 20. and ye shall receive Yeah Baby! Come to papa!
    • 21. Authorization Would you let Bart call your admin function?
    • 22. Authorization
      • Use the same authorization method
      • Default deny; all actions should be denied unless allowed
      • Error responses for no authorization
    • 23. Sessions and State Management
    • 24. Session Fixation
      • Use toolkits which send session tokens
      • Use proper session management to maintain the session
      • All of the session attacks in the session chapter are still valid
    • 25. Cross-domain XML Http Requests
      • By security design, no browser supports this
      • Many designs want to do this
        • or already do this (Google Maps, etc)
      • How to do it safely?
        • Only with federated security
    • 26. State management
      • In the good olde days, state was on the server
      • With Ajax, a lot more state is on the client
      • Think “hidden fields” but so much worse
    • 27. Sending state
      • You can safely send state to the client for display purposes
      • ... as long as it does not contain DOM injections
      • Only send state back if you do not have it on the server
      • Validate all state before use
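The two rules on this slide, escape state before it reaches the DOM and validate state the client returns, as an added example in JavaScript. It is not code from the presentation; the profile fields, the preference fields (`pageSize`, `sortField`) and the function names are assumptions chosen for illustration.

```javascript
// Added example (not from the slides). State sent to the client for display
// is escaped before it becomes markup; state the client sends back is
// decoded with JSON.parse and checked field by field before the server
// trusts it. All field and function names are constructed for illustration.

// Escape the characters that matter when inserting text into HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the display-only fragment the server ships to the page. Every value
// passes through escapeHtml, so a display name containing tags renders as
// literal text rather than as DOM nodes.
function renderProfileFragment(profile) {
  return (
    '<div class="profile">' +
    "<span>" + escapeHtml(profile.displayName) + "</span>" +
    "<span>" + escapeHtml(profile.city) + "</span>" +
    "</div>"
  );
}

// Server side: the only state accepted back from the client is state the
// server does not already hold (here, UI preferences). Each field is checked
// for type and range, unknown fields are rejected, and the result is a fresh
// object rather than the parsed input itself.
const ALLOWED_SORT_FIELDS = new Set(["date", "sender", "subject"]);

function validateClientState(rawJson) {
  let parsed;
  try {
    parsed = JSON.parse(rawJson);  // JSON.parse runs no code, unlike eval()
  } catch (e) {
    return { ok: false, error: "malformed JSON" };
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return { ok: false, error: "state must be an object" };
  }
  const allowedKeys = ["pageSize", "sortField"];
  for (const key of Object.keys(parsed)) {
    if (!allowedKeys.includes(key)) {
      return { ok: false, error: "unexpected field: " + key };
    }
  }
  const pageSize = parsed.pageSize;
  if (!Number.isInteger(pageSize) || pageSize < 1 || pageSize > 100) {
    return { ok: false, error: "pageSize out of range" };
  }
  if (typeof parsed.sortField !== "string" || !ALLOWED_SORT_FIELDS.has(parsed.sortField)) {
    return { ok: false, error: "sortField not allowed" };
  }
  return { ok: true, state: { pageSize: pageSize, sortField: parsed.sortField } };
}

// Constructed sample input: a client that tries to smuggle an extra field.
console.log(validateClientState('{"pageSize": 25, "sortField": "date", "isAdmin": true}'));
```

Rejecting unknown keys is what keeps "hidden fields but so much worse" in check: a client that adds a field the server never sent (an `isAdmin` flag, say) gets an error instead of a silently merged object.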
    • 28. Exposing internal state
      • Just because it’s faster doesn’t mean it’s wiser
      • Keep sensitive state on the server, always
      • Don’t obfuscate JavaScript - it’s hard enough now
    • 29. Ajax Attack Prevention
    • 30. Injection Attacks
      • PHP toolkits: look for code injection attacks
      • JSON injection: be careful how you decode!
      • DOM injection - client side attacks now much easier
      • XML injection - both client and server side
      • Code injection - both client and server side
    • 31. Data validation
      • Data obtained via the XMLHttpRequest path must be validated
      • Perform validation after authorization checks
      • Validate using same paths as existing code
      • If you (de-)serialize, be aware of XML injection
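Slides 22, 30 and 31 together describe one handling order for an Ajax endpoint: authenticate the caller, authorize with default deny, then decode and validate what came over XMLHttpRequest. The following is an added example of that order in JavaScript; it is not code from the presentation. The session store, the role table, the two action names and their parameter rules are all constructed for illustration.

```javascript
// Added example (not from the slides): authenticate, then authorize with an
// explicit allow list (default deny), and only then decode and validate the
// request body. Sessions, roles and actions below are constructed samples.

// Constructed session store: token -> session record. A real application
// would take this from its existing session management.
const SESSIONS = new Map([
  ["tok-alice", { user: "alice", role: "admin" }],
  ["tok-bob",   { user: "bob",   role: "user" }],
]);

// Explicit allow list: role -> permitted actions. Any action not listed is
// denied; that is what "default deny" means in practice.
const PERMITTED = {
  admin: new Set(["listMessages", "deleteUser"]),
  user:  new Set(["listMessages"]),
};

function isAllowed(role, action) {
  const actions = PERMITTED[role];
  return actions !== undefined && actions.has(action);
}

// Validators run only after authorization succeeded, so an unauthorized
// caller never reaches parsing code. Each returns cleaned values or null.
const VALIDATORS = {
  listMessages(body) {
    const n = body.limit;
    return Number.isInteger(n) && n >= 1 && n <= 50 ? { limit: n } : null;
  },
  deleteUser(body) {
    return typeof body.userId === "string" && /^[a-z0-9]{1,32}$/.test(body.userId)
      ? { userId: body.userId } : null;
  },
};

// request = { token, action, body } where body is the raw JSON text.
// The error for a denied request is deliberately minimal: it must not reveal
// what the action would have done or whether the parameters were valid.
function handleAjaxRequest(request) {
  const session = SESSIONS.get(request.token);
  if (!session) {
    return { status: 401, error: "authentication required" };
  }
  if (!isAllowed(session.role, request.action)) {
    return { status: 403, error: "forbidden" };
  }
  let body;
  try {
    body = JSON.parse(request.body);     // JSON.parse, never eval()
  } catch (e) {
    return { status: 400, error: "malformed JSON" };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { status: 400, error: "body must be an object" };
  }
  const cleaned = VALIDATORS[request.action](body);
  if (cleaned === null) {
    return { status: 400, error: "invalid parameters" };
  }
  return { status: 200, user: session.user, action: request.action, params: cleaned };
}

// Constructed sample: a plain user asking for an admin-only action.
console.log(handleAjaxRequest({ token: "tok-bob", action: "deleteUser", body: '{"userId":"alice"}' }));
```

Because `VALIDATORS` is only reached after `isAllowed` returned true, the action name that indexes it can only be one the allow list already named; the order of the checks is what makes the lookup safe, not the lookup itself.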
    • 32. Ajax Attack Prevention
    • 33. Reconstructing Ajax API
      • Many Ajax apps have been “decoded”
      • e.g. libgmail, GMail Agent API, etc
      • Spawned GMailFS, Win32 Gmail clients, etc
      • Do not assume your app is special - it will be decoded!
      GMail Agent API in action
    • 34. GET Ajax Session
    • 35. Pseudo API Injection
      • Most PHP AJAX toolkits allow remote code injection by allowing client-side server code invocation
      • e.g. AJason, JPSpan and CPAINT
    • 36. Pseudo API
      • Guess what I can do?
      • Create proxy façades
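Slides 35 and 36 contrast toolkits that let the client name the server function to run with the proxy façade the author recommends. Below is an added example of both patterns; it is written in JavaScript rather than PHP and is not code from the presentation or from any of the toolkits named on slide 35. The server functions, operation names and sample requests are constructed.

```javascript
// Added example (not from the slides, not from any named toolkit): the weak
// "call whatever the client names" pattern beside a proxy façade that exposes
// only explicitly listed operations. All names here are constructed.

// Server-side functions that exist in the application. Only getInbox is
// meant to be reachable from the browser; rebuildIndex is internal.
const serverFunctions = {
  getInbox(user) { return ["msg-1 for " + user, "msg-2 for " + user]; },
  rebuildIndex() { return "index rebuilt"; },   // internal maintenance task
};

// Weak pattern: the request names the server function and supplies its
// arguments. Every entry in the table, internal ones included, becomes a
// web-callable endpoint, and the caller also controls the argument list.
function dispatchByName(request) {
  if (!Object.prototype.hasOwnProperty.call(serverFunctions, request.method)) {
    return { error: "no such method" };
  }
  return { result: serverFunctions[request.method](...request.args) };
}

// Proxy façade: the client sees operation names that map to handlers written
// for the web boundary. A handler decides which server function runs and
// builds the arguments from the authenticated session, so request.method
// never selects code directly and request.params never become raw arguments.
const FACADE = {
  "inbox.list": function (session, params) {
    return { result: serverFunctions.getInbox(session.user) };
  },
};

function dispatchViaFacade(session, request) {
  if (!Object.prototype.hasOwnProperty.call(FACADE, request.method)) {
    return { error: "no such operation" };
  }
  return FACADE[request.method](session, request.params);
}

// Constructed sample: the same internal function name sent to both dispatchers.
console.log(dispatchByName({ method: "rebuildIndex", args: [] }));
console.log(dispatchViaFacade({ user: "alice" }, { method: "rebuildIndex", params: {} }));
```

The façade adds a second benefit beyond the allow list: `getInbox` receives the user from the server-side session, so a caller cannot ask for another user's inbox by changing an argument, which the by-name dispatcher would have permitted.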
    • 37. Error Handling
      • Error handling is often neglected
      • Do not use JavaScript alert()
      • Parentless window syndrome
    • 38. Questions
      • Andrew van der Stock
      • [email_address]
      • Andrew’s OWASP EU talks sponsored by