1. AJAX – New Technologies, New Threats
   Dr. David Movshovitz, IDC – School of Computer Science, [email_address], 0544233779, 14-09-2008

2. Lecture Agenda
   - Browser Technology Overview
   - What is AJAX
     - The XHR Object
     - AJAX Advantages
   - Web Application Architecture
   - JavaScript Browser Security
     - "Same Domain Policy"
     - AJAX Bridging
   - AJAX & Application Security – What's new in Web 2.0
     - Exposure of Internal Details
     - Input Validation
   - Intranet Hacking

3. AJAX Security is a Real Problem

4. Browser Technology Evolution
   - Static HTML documents, one site at a time
   - Data content from different sites (images, frames)
   - Programmability with DOM (JavaScript)
   - Dynamic HTML (JavaScript)
   - AJAX & client-side mashup applications

5. What is AJAX

6. What is AJAX?
   - AJAX (Asynchronous JavaScript + XML) is a combination of web browser technologies that allows web page content to be updated "on the fly" without the user moving from page to page.
     - Coined by Jesse James Garrett of Adaptive Path
     - Not a language!
     - Uses JavaScript on the client and any language on the server
   - Ajax is the latest inheritor of the Dynamic HTML mantle, and allows for the development of feature-rich and practical web applications.
     - Dynamic HTML: a DHTML web page is any web page in which client-side scripting changes variables of the presentation definition language, which in turn affects the look and function of otherwise "static" HTML page content, after the page has been fully loaded and during the viewing process.
     - AJAX is commonly used along with DHTML to provide an enhanced user interface.
     - AJAX and DHTML are two separate things

7. What is AJAX? (cont.)
   - In the background of an AJAX-enabled web page, data is transferred to and from the web server.
   - The mechanism for performing asynchronous data transfers is a software library embedded in all modern web browsers called XMLHttpRequest (XHR).
     - An AJAX web application uses an XHR JavaScript object to poll data from a remote web server and then manipulates this data to output to a web page, utilizing the DOM
   - "Ajax Engine" – the XMLHttpRequest (XHR) object
     - Allows us to send information to the server without postbacks
     - Makes the request and receives the data back
     - Can be asynchronous or synchronous
   - XHR is the key to a website earning the "AJAX" moniker. Otherwise, it's just fancy JavaScript.

8. Adaptive Path's Original Diagram

9. The XHR Object

10. XHR Object Methods
   - abort(): Stops the current request
   - getAllResponseHeaders(): Returns all header (label/value) sets
   - getResponseHeader("headerLabel"): Returns the value of a specified header label
   - open("method", "URL"[, asyncFlag[, "userName"[, "password"]]]): The heart and soul! Sets destination URL, method, and other optional attributes
   - send(content): Transmits the request
   - setRequestHeader("label", "value"): Assigns a header to be sent with the request

11. XHR Object Properties
   - onreadystatechange: Event handler for an event that fires at every state change
   - readyState: Object status integer
   - responseText: String version of data returned from the server process
   - responseXML: DOM-compatible document object of data returned from the server process
   - status: Numeric code returned by the server, such as 404 for "Not Found" or 200 for "OK"
   - statusText: String message accompanying the status code

12. The XHR Object
   - The XHR open(): open("method", "URL", asyncFlag);
     - method = GET or POST
     - URL = page to request
     - asyncFlag = true or false
   - The XHR send parameter: send(content)
     - send is like clicking the submit button on a form.
     - The parameter should be set to null or an empty string if you are not posting any information.
     - If you are posting, the name/value pairs should look like a query string without the question mark, i.e. req.send("foo=bar&ajax=123");
     - If you are using GET, append the values to the URL in the open method

13. XHR Object Properties
   - onreadystatechange – the object's only event handler.
     - It is fired only when in asynchronous mode (3rd parameter is set to true in the open method)
     - It is fired a total of 4 times.
     - We can assign a reference to a function or build an anonymous function for it
       - req.onreadystatechange = functionName;
       - req.onreadystatechange = function(){ //statements }
   - readyState values
     - 0 – Uninitialized; the initial value when a new reference to the object is created
     - 1 – Open; the open() method has been successfully called.
     - 2 – Sent; the request made it, but no data has yet been received.
     - 3 – Receiving; all HTTP headers have been received.
     - 4 – Loaded; the data transfer has been completed. We can now play with the data!
14. Example of XHR Object
     var req = new XMLHttpRequest();
     req.onreadystatechange = myFunction;     // handler runs on every readyState change
     req.open("GET", "http://myserver.com/data.xml", true);   // true = asynchronous
     ...
     function myFunction() {
       if (req.readyState == 4) {             // 4 = Loaded: the whole response is in
         doSomethingWith(req.responseXML);
       }
       else if (req.readyState == 3) {        // 3 = Receiving: headers in, body still arriving
         showProgressIndicator();
       }
     }
   - Web applications use the XMLHttpRequest object to
     - Dynamically load XML- or JSON-formatted data files
     - Use DHTML to alter the page based on the data
15. Basic Example of Request Code
   AJAX POST:
     var req = GetXHRObject();
     req.open("POST", "secure.php", true);
     req.onreadystatechange = finishRequest;
     req.send("foo=bar&ajax=123");
   Regular form POST:
     <form action="secure.php" method="POST">
       <input type="text" name="foo" value="bar">
       <input type="hidden" name="ajax" value="123">
       <input type="submit" name="sub1">
     </form>
   Simple scripted attacks on a server:
     var req = new Array();
     for (var i = 0; i < 1000; i++) {
       req[i] = GetXHRObject();
       req[i].open("POST", "secure.aspx", true);
       req[i].onreadystatechange = function(){};
       req[i].send("foo=" + i);
     }
16. AJAX Advantages

17. What is AJAX used for?
   - Data retrieval
   - Sending data to the server for processing
   - Form validation
   - Anything you might load a new page for
     - It is possible to build "one page" Ajax applications.

18. AJAX Advantages
   - Rich applications in modern browsers
   - Rich UI experience in a web page
   - AJAX technology makes website interactivity smoother and more responsive
     - No more dreaded page refreshes
     - Very user-visible effect
     - In the case of Gmail, new email messages are displayed automatically as they arrive.
   - No issues with installation
     - Portable across browsers
     - All advantages of a zero-install web app
   - Built upon existing infrastructure – TCP/IP, XML, HTTP, SSL, etc.

19. Web Application Architecture

20. The Browser is the new "OS"
   - The browser has become a homogeneous execution platform
   - JavaScript is much more powerful
     - Object oriented
     - Extendable: String.prototype.foo = function() {…}
     - Dynamic code execution
     - Regular expressions
     - Very rich interface to/from browser/plugins
   - If JavaScript can't do it, Flash/Java can

21. Web 1.0 to Web 2.0 Conversion

22. Architecture of Traditional Web Applications
   - Browser: a thin client
   - Most of the application logic resides almost exclusively on the server
     - Flow/business logic
     - Presentation logic
   - Client acts as a dumb terminal sending actions to the server
   - Server does all the processing and returns a whole new page

23. Attacks Against Traditional Web Applications
   - Attacks involve:
     - Sending malicious data
     - Sending code as data
     - Trying to access unauthorized data
   - Malicious input/command hits edge cases in application design
   - Countermeasures:
     - Validate input parameters
     - Use proper authentication
     - Use proper authorization

24. Architecture of an AJAX Application
   - Browser: rich/thick-client application
   - Application logic resides both on client and server
   - JavaScript™ technology takes on a bigger role
   - Uses the XMLHttpRequest object
   - Fetches any kind of resource
     - HTML, GIF (view centric)
     - XML, JSON (data centric)
     - JavaScript technology (code centric)
   - Client DOM tree is being manipulated

25. Attacks Against AJAX Applications
   - Traditional web application attacks still apply
   - Attacker is inside your application
     - Knowledge increases
     - Larger attack surface
     - Data serialization from unknown/untrusted sources
     - Companies migrate to AJAX without much thought to security
   - In the case of mashups, attacking 3rd-party servers

26. JavaScript Browser Security – "Same Domain Policy"

27. JavaScript Security in the Browser
   - "Mobile code" = potential security risk
   - Browsers execute JavaScript code in a sandbox
   - Restrictions on JavaScript code in the sandbox
     - Cannot read/write files from/to the local system
     - Cannot execute any other programs
     - Cannot read the history of the browser
     - Cannot close a window that mobile code did not open
     - Cannot open a window that is too small

28. Browser's "Same Origin" Policy
   - Also called "Server of Origin" policy
   - "Origin" = (protocol + host + port) parts of the URL
   - Restriction limits interaction between frames, iframes, and script tags from different origins
   - Prevents client-side JavaScript from making requests to any server other than the server from which it was downloaded
   - Restriction has been extended to include XMLHttpRequest
   - XHR has security protections built in, preventing a user's browser on Website A from making connections to Website B, to protect users from malicious websites
     - Can only load XML from the originating server
   - Different browser vendors implement this security somewhat differently

29. "Same Origin" Policy for AJAX

30. More "Same Origin" Policy Cases
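Added example, not code from the slides: a same-origin comparison that applies the deck's rule that an origin is the (protocol, host, port) triple of the URL, normalising the implicit default port and host case. The URLs compared are constructed for illustration.

```javascript
// Added example: same-origin check following the deck's rule that an
// origin is the (protocol, host, port) triple of the URL. Not part of the
// original slides; the URLs below are constructed for illustration.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Canonical origin string: explicit port, lower-case host, nothing else.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Two URLs share an origin only if all three parts agree; path, query
// and fragment play no role in the decision.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Typical cases with the expected verdict: only the exact triple matches.
const SAME_ORIGIN_CASES = [
  ['http://www.example.com/dir/page.html', 'http://www.example.com/other/?q=1', true],
  ['http://www.example.com/', 'http://www.example.com:80/', true],    // implicit default port
  ['http://WWW.Example.com/', 'http://www.example.com/', true],       // host is case-insensitive
  ['http://www.example.com/', 'https://www.example.com/', false],     // protocol differs
  ['http://www.example.com/', 'http://www.example.com:8080/', false], // port differs
  ['http://www.example.com/', 'http://api.example.com/', false],      // host differs (subdomain)
  ['http://www.example.com/', 'http://192.0.2.10/', false],           // host name vs. IP literal
];

// Returns true when every case above yields its expected verdict.
function allCasesHold() {
  return SAME_ORIGIN_CASES.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}

console.log('same-origin cases hold:', allCasesHold());
```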
31. Proxy Remote Services
   - Also called "AJAX Bridging" or "Server-Side Proxy"
   - 3rd-party proxy such as Apache mod_proxy or a custom proxy
   - Has performance/security limitations

32. The Remote Proxy Solution
   - Developers often create a local HTTP proxy on the host web server.
     - To have the client pull in data from a third-party website, they direct an XHR request through the local proxy pointing to the intended destination.
   - Consider the following example request generated by the web browser:
       http://websiteA/proxy?url=http://websitesB/
     - Website A takes the incoming request and sends a request to Website B, designated by the "url" parameter value.
   - The security issue is that Website A is hosting an unrestricted HTTP proxy, and attackers love open proxies because they can initiate attacks that cannot be traced to their origin.
   - The capabilities of the proxy should be carefully controlled and restricted with regard to which websites it will connect to and how.

33. Security Issues with AJAX Bridges
   - An Ajax-enabled online book store called spibooks.com wants to access some of the web services that majorbookstore.com provides, such as an author search or a genre recommendation service.
   - While anyone can sign up for a free account to access majorbookstore.com's web services, these free accounts have very limited privileges:
     - The number of unique queries,
     - The number of simultaneous queries,
     - The number of hits per second will be set very low.
   - A formal partner agreement between the two companies allows spibooks.com to access majorbookstore.com with fewer restrictions.

34. Security Issues with AJAX Bridges
   - If the attacker wants to copy the entire author database from majorbookstore.com,
     - he or she can simply issue thousands of queries to the Ajax bridge running on spibooks.com.
   - The relationship between the two websites allows the attacker to extract more data by going through spibooks.com than if he or she had used a free account directly on majorbookstore.com.
   - It is common in these situations for spibooks.com to limit the number of queries it has to make, reduce bandwidth, and improve performance for its users by caching the results it receives from majorbookstore.com.
     - Since the attacker's query may already be in the cache, the attacker may be able to extract data faster by using spibooks.com.
35. Security Issues with AJAX Bridges
   - An attacker can also send malicious requests through the Ajax bridge from spibooks.com to majorbookstore.com; using the bridge gives the attacker another layer to hide behind.
   - An attacker may cause a denial of service against all spibooks.com users:
     - if an IPS at majorbookstore.com detects the malicious requests coming from spibooks.com's IP address and then automatically blocks all requests from spibooks.com.
   - It is possible that majorbookstore.com will not detect the attack being relayed through the Ajax bridge:
     - if majorbookstore.com does not scrutinize the requests it receives from spibooks.com for malicious content as closely as the requests it receives from others.
     - This is common practice, since the two parties have an agreement to help each other and there is an immense amount of traffic coming in from spibooks.com.
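Added example, not code from the slides: the two controls slides 32 to 35 call for on an AJAX bridge of the form http://websiteA/proxy?url=... . A destination allow-list keeps the bridge from being an open proxy, and a per-end-user quota keeps one client from spending the relaxed partner quota that the bridge itself holds with majorbookstore.com. The ws.majorbookstore.com host, the /ws/... paths and the limits are constructed assumptions.

```javascript
// Added example, not code from the slides: two controls for an AJAX bridge
// of the form http://websiteA/proxy?url=... . (1) A destination allow-list,
// so the bridge is not an open proxy (slide 32). (2) A per-end-user quota,
// so a single client cannot spend the relaxed partner quota that the bridge
// itself holds with the remote service (slides 33-35). The ws. host, the
// paths and the limits are constructed for the example.
const BRIDGE_POLICY = {
  protocols: ['https:'],
  hosts: ['majorbookstore.com', 'ws.majorbookstore.com'],
  pathPrefixes: ['/ws/authorSearch', '/ws/genreRecommend'],
};

// Decide whether the "url" parameter names a permitted destination.
// Returns { ok: true, target } or { ok: false, reason }.
function checkBridgeTarget(urlParam, policy = BRIDGE_POLICY) {
  let u;
  try {
    u = new URL(urlParam);                       // relative or garbage input fails here
  } catch (e) {
    return { ok: false, reason: 'unparseable url' };
  }
  if (!policy.protocols.includes(u.protocol)) {
    return { ok: false, reason: 'protocol not allowed' };
  }
  if (u.username || u.password) {
    return { ok: false, reason: 'credentials in url' };
  }
  // Exact host match: IP literals (including internal ones), unknown names and
  // look-alikes such as majorbookstore.com.example.net all fail this test.
  if (!policy.hosts.includes(u.hostname.toLowerCase())) {
    return { ok: false, reason: 'host not allowed' };
  }
  // The URL parser has already resolved "..": a path such as
  // /ws/authorSearch/../../admin arrives here as /admin and is rejected.
  if (!policy.pathPrefixes.some((p) => u.pathname.startsWith(p))) {
    return { ok: false, reason: 'path not allowed' };
  }
  return { ok: true, target: u.href };
}

// Sliding-window quota keyed by the bridge's own client identity (session,
// account or IP), independent of whatever quota the partner grants the bridge.
class ClientQuota {
  constructor(maxRequests, windowMs) {
    this.max = maxRequests;
    this.windowMs = windowMs;
    this.seen = new Map();                       // clientId -> timestamps in window
  }

  // True if the client may send one more request at time "now" (ms).
  allow(clientId, now = Date.now()) {
    const recent = (this.seen.get(clientId) || []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.max) {
      this.seen.set(clientId, recent);
      return false;
    }
    recent.push(now);
    this.seen.set(clientId, recent);
    return true;
  }
}

const quota = new ClientQuota(5, 1000);         // constructed limit: 5 requests/s per client

// The check the proxy handler runs before it forwards anything.
function authorizeBridgeRequest(clientId, urlParam, now = Date.now()) {
  const target = checkBridgeTarget(urlParam);
  if (!target.ok) return { allowed: false, reason: target.reason };
  if (!quota.allow(clientId, now)) return { allowed: false, reason: 'client quota exceeded' };
  return { allowed: true, target: target.target };
}

console.log(authorizeBridgeRequest('user-1', 'https://majorbookstore.com/ws/authorSearch?q=asimov'));
console.log(authorizeBridgeRequest('user-1', 'http://websitesB/'));
```

The quota is per bridge client, so it caps how much of the cached partner data any one caller can pull regardless of the bridge's own allowance upstream.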
36. AJAX & Application Security, or What's New in Web 2.0

37. Major Cause of Security Concerns with AJAX-based Applications
   - Anyone CAN view the source
     - Anyone can see the page that is being requested from the JavaScript code!
     - Anyone can see the parameters being sent!
     - Anyone can see the validation!
     - Anyone can see the business logic!
   - The XHR object can be used to make requests without the user's knowledge.
     - An attacker can also use images, iframes, frames, popup windows.
   - The AJAX model uses web services
     - More Ajax functionality = more web services = more places to attack (just need to forget one thing to make a new hole)
     - AJAX adds more attack vectors

38. Exposure of Internal Details – What's new in Web 2.0?
   - Better tools to analyze client-side code
     - Firebug (view DOM tree, set breakpoints, alter values)
     - Watir – Ruby-based tool
     - Selenium – Java technology based tool
   - Much more client-side code for a hacker to view and dissect
   - Potentially more client-side comments for a hacker to view
   - Better social community (blogs, newsgroups, forums)

39. Exposure of Internal Details – What's new in Web 2.0?
   - Hackers' knowledge has increased
     - Application architecture/design details
     - Program business/logic flow details
     - Function names, variable names, return types
     - Helps build a footprint of the web application
   - Direct API access
     - Developers encouraged to expose more web services
     - Attacker calls your backend functions directly
     - Bypasses logic on the client side
     - Calls functions out of order

40. Exposure of Internal Details – Countermeasures
   - Do not give out unnecessary information
   - Remove comments from HTML/JavaScript technology code
     - Developer names, design details, notes, build numbers
     - Use build-time tools to remove comments
   - Turn off WSDL for your web services
     - Many tools auto-generate WSDLs; turn them off
     - No need to expose all services, inputs, and types to users
   - Is AJAX the appropriate technology?
     - Use traditional web-application technology where security is a high priority
   - Obfuscate your JavaScript technology code

41. JavaScript Code Obfuscation
   - Obfuscation is not fool-proof
   - Obfuscation can make maintenance, debugging, and code review harder, which degrades security

42. Input Validation – What's new in Web 2.0?
   - Validation confusion
     - Where is the validation done (client/server/both)?
     - With sophisticated drag-and-drop IDEs, validation details are hidden
   - Complexity of data has increased
     - Lack of good toolkits/regular expressions available to validate these types of input
   - What input gets validated?
     - Developers usually validate GET/POST parameters
     - Developers often forget about HTTP headers
     - Developers forget about file input (images, audio, video)
   - Trusting data from B2B partners
     - Mashups are bringing data from non-validated sources

43. Improper Validation Countermeasures
   - Never trust the client!
   - Validate all input data to the application
   - Use strong validation techniques
     - Correctness, type, format, length, range, and context
     - Use white-listing instead of black-listing
     - Escape input if possible
   - Always validate on the server side
     - Server-side validation = data integrity and security
   - Client-side validation as a subset of server-side validation
     - Client-side validation = usability and performance
   - For mashups, never trust the external server
44. Client Validation of the AJAX Response
   - Developers usually forget that the AJAX response is not perfect
   - Developers don't validate the AJAX response
     - Usability and security issues
   - Solution:
   - Make sure the data is what you expect it to be!
   - Validate your data
     - Use regular expressions to check for patterns
     - Look for key parts of the expression
     - Look for things that do not belong
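Added example, not code from the slides, serving slides 43 and 44 together: one whitelist validator that checks type, format, range and unexpected fields. On the server it is run over the body the deck's XHR sends, "foo=bar&ajax=123" (slide 15); on the client it is run over the AJAX response before the data reaches the DOM. The field rules and the sample response are constructed assumptions.

```javascript
// Added example, not code from the slides: one whitelist validator used in
// both places the deck asks for. On the server it checks the body the
// deck's XHR sends, "foo=bar&ajax=123" (slide 15), for type, format, range
// and unexpected fields (slide 43); on the client it checks the AJAX
// response before it reaches the DOM (slide 44). The field rules and the
// sample response are constructed for the example.
const REQUEST_RULES = {
  foo:  { type: 'string', pattern: /^[a-z]{1,16}$/ },
  ajax: { type: 'number', min: 0, max: 9999 },
};

const RESPONSE_RULES = {
  status:  { type: 'string', pattern: /^(ok|error)$/ },
  results: { type: 'array', maxLength: 50,
             item: { type: 'string', pattern: /^[\w .'-]{1,64}$/ } },
};

// Returns null when the value satisfies the rule, else a short error text.
function validateValue(value, rule) {
  switch (rule.type) {
    case 'number':
      if (typeof value !== 'number' || !Number.isFinite(value)) return 'not a number';
      if (value < rule.min || value > rule.max) return 'out of range';
      return null;
    case 'string':
      if (typeof value !== 'string') return 'not a string';
      if (!rule.pattern.test(value)) return 'bad format';      // anchored whitelist pattern
      return null;
    case 'array':
      if (!Array.isArray(value)) return 'not an array';
      if (value.length > rule.maxLength) return 'too many items';
      for (const item of value) {
        const err = validateValue(item, rule.item);
        if (err) return `item ${err}`;
      }
      return null;
    default:
      return 'unknown rule';
  }
}

// Whitelist semantics: every declared field must pass, and any field that
// is not declared is itself an error. Returns { field: error } (empty = valid).
function validate(obj, rules) {
  const errors = {};
  for (const [key, rule] of Object.entries(rules)) {
    const err = validateValue(obj[key], rule);
    if (err) errors[key] = err;
  }
  for (const key of Object.keys(obj)) {
    if (!(key in rules)) errors[key] = 'unexpected field';
  }
  return errors;
}

// Server side: parse the query-string style body, coercing only fields the
// rules declare numeric (an empty or non-numeric value becomes NaN and fails).
function parseRequestBody(body) {
  const obj = {};
  for (const [k, v] of new URLSearchParams(body)) {
    const numeric = REQUEST_RULES[k] && REQUEST_RULES[k].type === 'number';
    obj[k] = numeric ? (v === '' ? NaN : Number(v)) : v;
  }
  return obj;
}

function validateRequest(body) {
  return validate(parseRequestBody(body), REQUEST_RULES);
}

// Client side: the response text must parse as a JSON object and then pass
// the same whitelist rules; an HTML error page or a tag inside a result fails.
function validateResponse(responseText) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    return { _parse: 'not JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { _parse: 'not an object' };
  }
  return validate(data, RESPONSE_RULES);
}

console.log(validateRequest('foo=bar&ajax=123'));                            // {}
console.log(validateRequest('foo=bar&ajax=12x&admin=1'));
console.log(validateResponse('{"status":"ok","results":["Asimov","Le Guin"]}'));
console.log(validateResponse('<html>500 Internal Server Error</html>'));
```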
45. Intranet Hacking

46. Intranet Hacking
   - We tend to believe that while surfing the Web we are protected by firewalls and isolated through private, network-address-translated Internet Protocol (IP) addresses.
   - With this understanding we assume the soft security of intranet websites and the web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, and so forth, even if left unpatched.
   - Nothing is capable of directly connecting in from the outside world. Right?
   - Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources.
   - The web browser of every user on an enterprise network becomes a stepping stone for intruders.

47. Exploit Procedures
   - A victim visits a malicious web page or clicks a nefarious link; embedded JavaScript malware then assumes control over their web browser.
   - The JavaScript malware loads a Java applet revealing the victim's internal NAT IP address.
   - Then, using the victim's web browser as an attack platform, the JavaScript malware identifies and fingerprints web servers on the internal network.
   - Attacks are initiated against internal or external websites, and compromised information is sent outside the network for collection.

48. Port Scanning Behind Your Firewall
   - JavaScript can:
     - Request images from internal IP addresses, e.g. <img src="192.168.0.4:8080"/>
     - Use timeout/onerror to determine success/failure
     - Fingerprint web apps using known image names
   [Diagram: Server, Malicious Web page, Firewall, Browser; 1) "show me dancing pigs!" 2) "check this out"; scan, scan, scan; 3) port scan results]