AJAX
10070 views
Designing For Ajax
28399 views
Flash and AJAX
32165 views
Pascarello_Investigating JavaScript an...
5297 views
Ruby on Rails Security
13442 views
Naked Security
8522 views
Ajax 101 Workshop
23294 views
How to make Ajax work for you
18427 views
on Slideshare: 4011
from embeds: 309* * Views from embeds since 21 Aug, 07
Most viewed embeds (Top 5):
Slideshow transcript
Slide 1: Is This On?
Slide 2: A jax S ecurity Douglas Crockford Yahoo! javascript.crockford.com/security.ppt
Slide 3: S ecurity The number 1 biggest problem with the whole World Wide Web.
Slide 4: The browser is not a safe programming environment. It is inherently insecure.
Slide 5: What can an attacker do if he gets some script into your page?
Slide 6: A n attacker can request additional scripts from any server in the world. Once it gets a foothold, it can obtain all of the scripts it needs.
Slide 7: A n attacker can make requests of your server. Y our server cannot detect that the request did not originate with your application.
Slide 8: A n attacker can read the document. The attacker can see everything the user sees.
Slide 9: A n attacker has control over the display and can request information from the user. The user cannot detect that the request did not originate with your application.
Slide 10: A n attacker can send information to servers anywhere in the world.
Slide 11: The browser does not prevent any of these. That's why they happen.
Slide 12: The consequences of a successful attack are horrible. Harm to customers. Loss of trust. Legal liabilities. Possible criminal penalties.
Slide 13: This is not a Web 2.0 problem. A ll of these problems came with Netscape 2 in 1995.
Slide 14: The Turducken Problem • M any L anguages: • HTTP, HTM L , URL , CS S , JavaS cript, X M L , JS ON, plaintext, S QL ... • E ach language has different quoting and commenting conventions. • The languages can be nested inside each other.
Slide 15: A text that is benign in one context might be dangerous in another. S loppy encoding allows injection of evil scripts
Slide 16: A S imple A ttack http://yourdomain.com/ <script>alert("XSS");</script> <html><body> <p>File not found: <script>alert("XSS");</script> </p></body></html> • The script runs with the authority of your site.
Slide 17: A S imple A ttack http://yourdomain.com/ <script>alert("XSS");</script> <html><body> <p>File not found: <script>alert("XSS");</script> </p></body></html> • Proper escapement provides some safety.
Slide 18: A nother E xample • B ad text " + alert("XSS") + " • B ad encoding {"json": "" + alert("XSS") + ""} • Good encoding {"json": "" + alert("XSS") + ""}
Slide 19: Coding hygiene is critical for avoiding turducken attacks. Use good encoders. json.org/json2.js Do not use simple concatenation. Never trust the browser. V alidate all input.
Slide 20: Cross S ite Data A ccess It is extremely useful to obtain data from other sites and mash it up.
Slide 21: S ame Origin Policy Prevents useful things. A llows dangerous things.
Slide 22: S cript Tag Hack • S cripts (strangely) are exempt from S ame Origin Policy. • A dynamic script tag can make a GE T request from a server. receiver(jsontext); • E xtremely dangerous. It is impossible to assure that the server did not send an evil script.
Slide 23: JavaS cript's Global Object The root cause of X S S attacks. A ll scripts run with the same authority.
Slide 24: JavaS cript is an insecure language. The E S 4 Proposal is even worse. It should be abandoned.
Slide 25: Document Object M odel A ll nodes are linked to all other nodes and to the network.
Slide 26: Cookies A mbient authority leads to confusion and impersonation (X S RF )
Slide 27: Remedy: Crumbs A n explicit secret should be sent with the ambient cookie. F rustrates X S RF attacks. Not effective against X S S attacks.
Slide 28: E xcellent Code Quality If code is clean and readable, it is less likely to contain insecurities.
Slide 29: JS L int • JS L int defines a professional subset of JavaS cript. • It imposes a programming discipline that makes me much more confident in a dynamic, loosely-typed environment. http://www.JSLint.com/
Slide 30: Warning! JS Lint will hurt your feelings.
Slide 31: If the web as been totally screwed up from the beginning, why should we worry about it now? 1. Escalating legal penalties 2. M ashups 3. Competition
Slide 32: M ashups The most interesting innovation in software development in 20 years.
Slide 33: M ashups are insecure. M ashups must not have access to any confidential information.
Slide 34: If there is script from two or more sources, the application is not secure. Period.
Slide 35: A dvertising is a mashup.
Slide 36: Competition to displace the web. S ilverlight. A IR. JavaFX.
Slide 37: That would'nt be the end of the world. It would just be the end of the WWW.
Slide 38: A Three Prong S trategy to Fix the Web 2. S afe JavaS cript subsets. 3. S mall browser improvements. 4. M assive browser improvements. • This could take a while, so we should proceed on all three immediately.
Slide 39: 1. S afe JavaS cript S ubsets. The easiest way to improve JavaS cript is to make it smaller.
Slide 40: A Dsafe • A JS L int option. • It defines a safe HTM L /JavaS cript subset. • Removes from JavaS cript all features that are unsafe or suspect. • A llows foreign ads and widgets to safely interact.
Slide 41: A Dsafe • No global variables or functions may be defined. • No global variables or functions can be accessed except the ADSAFE object. • The [] subscript operator may not be used. • These words cannot be used: apply call callee caller clone constructor eval new prototype source this toSource toString watch • Words starting with _ cannot be used.
Slide 42: Dangers • There may still be undiscovered weaknesses in E CM A S cript and its many implementations. • B rowser implementations are changing, introducing new weaknesses. • The DOM wrappers must be flawless. • We are still subject to X S S attacks.
Slide 43: 2. A dd S imple Features to the B rowsers. E ven simple improvements can take a long time to distribute.
Slide 44: JS ONRequest for safe data interchange.
Slide 45: V ats Communicating computational containment vessels
Slide 46: HTM L Provides No M odules • It was conceived to be a document format. • We are using it as an application format. • A pplications requires modules. • M odules protect their contents. • M odules communicate by exposing clean interfaces.
Slide 47: V ats • A dapting Google's Gears or A dobe's A IR to provide communicating containment. • Provides cooperation under mutual suspicion. • Heavyweight. • Distribution is difficult. • S till subject to X S S attacks.
Slide 48: 3. We need to replace JavaS cript and the DOM . A s long as we are using insecure languages, we will be subject to X S S attacks.
Slide 49: S tart with the A Dsafe subset, and then carefully add features to enhance expressiveness.
Slide 50: A is an Object. Object A has state A and behavior.
Slide 51: has-a A B Object A has a reference to A n object can have Object B . references to other objects.
Slide 52: Object A can communicate with Object B ... A B ...because it has a reference to Object B .
Slide 53: Object B provides an interface that constrains access to its own state A and references. B E very object is a micro vat.
Slide 54: Object A does not have a reference to Object C, so Object A cannot communicate with Object C. A B In an Object Capability S ystem, an object can only communicate with objects that it has references to. C
Slide 55: A n Object Capability S ystem is produced by constraining the ways that references are obtained. A reference cannot be obtained simply by knowing the name of a global variable or a public class.
Slide 56: There are exactly three ways to obtain a reference. 2. B y Creation. 4. B y Construction. 6. B y Introduction.
Slide 57: 1. B y Creation If a function creates an object, it gets a reference to that object.
Slide 58: 2. B y Construction A n object may be endowed by its constructor with references. This can include references in the constructor's context and inherited references.
Slide 59: 3. B y Introduction A has a references to B and C. B has no references, so it cannot communicate with A or C. C has no references, so it cannot communicate with A or B . A C B
Slide 60: 3. B y Introduction A calls B , passing a reference to C. A C B
Slide 61: 3. B y Introduction B is now able to communicate with C. A C B It has the capability.
Slide 62: Weaknesses to avoid include 1. A rrogation. 2. Corruption. 3. Confusion. 4. Collusion.
Slide 63: There is no security in obscurity Tricks and puzzles are not effective. S peed bumps are not effective.
Slide 64: False security increases the danger. Ineffective measures make things worse.
Slide 65: The security problems are not new. The problems are getting harder to ignore.
Slide 66: Ultimately • We need to replace JavaS cript with a secure language. • The current E S 4 proposal is not that language. • We need to replace HTM L and the DOM with a secure application delivery system. • The current HTM L 5 proposal is not that either.
Slide 67: Ultimately • S ecure programming language to replace JavaS cript. • A modular application framework to replace the DOM and CS S . • A common text representation and protocol to replace HTTP and the A jax stack. • Otherwise, the web may fall to newer proprietary systems.
Slide 68: M eanwhile • Never trust the browser. • Formally validate everything you receive from the browser. • Properly encode everything you send to the browser or database. • Do not circumvent what little security the browser offers. • Never put data on the wire unless you want it ot be delivered. • Don't take ineffective measures.
Slide 69: B e Rigorous • S loppiness aids the E nemy. • Neatness counts. • Use good encoders. • A void concatenation. • B e paranoid.
Slide 70: Turducken
Add a comment on Slide 1
If you have a SlideShare account, login to comment; else you can comment as a guest- Favorites & Groups
Showing 1-50 of 5 (more)