• Save
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Upcoming SlideShare
Loading in...5

Web 2.0 Application Kung-Fu - Securing Ajax & Web Services






Total Views
Views on SlideShare
Embed Views



24 Embeds 2,959

http://www.blueinfy.com 2170
http://blueinfy.com 428
http://shreeraj.blogspot.com 123
http://www.blueinfy.com. 41
http://www.rudrak.blogspot.com 38
http://www.nexen.net 31
http://www.rudrak.blogspot.in 27
http://shreeraj.blogspot.in 26
http://www.slideshare.net 17
http://rudrak.blogspot.com 16
http://websecurity.com.ua 15
http://translate.googleusercontent.com 7
https://open-itsec.office.aol.com 5
http://shreeraj.blogspot.de 3
http://rudrak.blogspot.in 3
http://shreeraj.blogspot.tw 1
http://www.scoop.it 1
http://rudrak.blogspot.hu 1
http://www.shreeraj.blogspot.in 1
http://www.rudrak.blogspot.sg 1
http://static.slideshare.net 1
http://rudrak.blogspot.ru 1
http://www.rudrak.blogspot.be 1
https://www.linkedin.com 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • why all of your precious documents can't be downloaded?
    Are you sure you want to
    Your message goes here
  • Hi Shree Raj,

    This is really a very interesting and knowledge sharing slides. I would like to give my herat felt thank to you for sharing such a great content.

    Could you please do me a favour?, pls share it's detailed content to me because I would like to know more on it.

    My email address is love_chopra1@rediffmail.com.

    Thanks in advance and awaiting for your reply.


    Love Chopra
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Web 2.0 Application Kung-Fu - Securing Ajax & Web Services Web 2.0 Application Kung-Fu - Securing Ajax & Web Services Presentation Transcript

  • Web 2.0 Application Kung-Fu Securing Ajax & Web Services Shreeraj Shah DeepSec 2007– Vienna,2007
    • Founder & Director
      • Blueinfy Solutions Pvt. Ltd. (Brief)
    • Past experience
      • Net Square, Chase, IBM & Foundstone
    • Interest
      • Web security research
    • Published research
      • Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc.
      • Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, wsChess etc.
      • Advisories - .Net, Java servers etc.
    • Books (Author)
      • Hacking Web Services (Thomson 2006)
      • Web Hacking (AWL 2003)
      • Web 2.0 Security (Work in progress)
    Who am I? http://shreeraj.blogspot.com [email_address]
  • Agenda
    • Web 2.0 overview and security concerns
    • Ajax Security – Attacks and Defense
      • Methods
      • Vectors
      • Defense
    • Web Services – Attacks and Defense
      • Methodology
      • Assessment and Tools
      • Defense
  • Web 2.0 Trends
    • 80% of companies are investing in Web Services as part of their Web 2.0 initiative (McKinsey2007 Global Survey)
    • By the end of 2007, 30 percent of large companies will have some kind of Web 2.0-based business initiative up and running. (Gartner)
    • 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. (Gartner)
  • Web 2.0 – Ajax & Web Services HTML / JS / DOM RIA (Flash) Ajax Browser Internet Blog Local Application Database Authentication Internet Weather News Documents Emails Bank/Trade RSS feeds Web Services
  • Widget DOM HTML/CSS JavaScript SOAP XML-RPC JSON XML Open APIs SaaS Services REST Browser Protocols Web 2.0 Layers Ajax Flash / RIA JSON-RPC Structures Server-Side HTTP(S)
  • Technologies Web Server Static pages HTML,HTM etc.. Web Client Scripted Web Engine Dynamic pages ASP DHTML, PHP,CGI Etc.. DB X ASP.NET with .Net J2EE App Server Web Services Etc.. Application Servers And Integrated Framework Internet DMZ Trusted Internal/Corporate W E B S E R V I C E S Ajax RIA Client SOAP, REST, XML-RPC, JSON etc.
  • Web 2.0 Security
    • Complex architecture and confusion with technologies
    • Web 2.0 worms and viruses – Sammy, Yammaner & Spaceflash
    • Ajax and JavaScripts – Client side attacks are on the rise
    • Web Services attacks and exploitation
    • Flash clients are running with risks
  • Ajax Security – Attacks & Defense
    • Basics
    • Structures and streams
    • Fingerprinting
    • Scanning and Enumeration
    • XSS and CSRF issues
    • Securing code base
  • Ajax basics
    • Asynchronous JavaScript and XML
    HTML / CSS JS / DOM XMLHttpRequest (XHR) Database / Resource XML / Middleware / Text Web Server Asynchronous over HTTP(S)
  • Ajax - Sample
    • function loadhtml()
    • {
    • var http;
    • if(window.XMLHttpRequest){
    • http = new XMLHttpRequest();
    • }else if (window.ActiveXObject){
    • http=new ActiveXObject("Msxml2.XMLHTTP");
    • if (! http){
    • http=new ActiveXObject("Microsoft.XMLHTTP");
    • }
    • }
    • http.open("GET", "main.html", true);
    • http.onreadystatechange = function()
    • {
    • if (http.readyState == 4) {
    • var response = http.responseText;
    • document.getElementById('main').innerHTML = response;
    • }
    • }
    • http.send(null);
    • }
  • Ajax & Data structures
    • Ajax is using various data streams
    • Developers are innovating this field
    • JavaScript can talk with back end sources
    • Mashups application can be leveraged
    • It is important to understand these streams
    • It has significant security impact
    • JSON, Array, JS-Object etc.
  • Cross-domain calls
    • Browser security doesn’t support cross domain calls
    • But cross domain callback with JavaScript is possible
    • This can be lethal attack since cross domain information get executed on the current DOM context.
    • Developers put proxy to bypass the SOP.
  • Ajax fingerprinting
    • Determining Ajax calls
    • Framework fingerprinting
    • Running with what?
      • Atlas
      • GWT
      • Etc.
    • Ajaxfinger a tool to achieve this
    • Can help in assessment process
    • RIA finger printing is possible
  • Ajax attack points
    • Ajax components & Widgets
    • Cross domain vulnerable browsers and callback implementations
    • DOM manipulation calls and points
    • Insecure eval()
    • HTML tags
    • Intranet nodes and internal resources
  • Ajax attack vectors
    • Entry point scanning and enumeration
    • Cross site scripting (XSS) attacks
    • Cross site Request Forgery (CSRF) issues
    • Client side code reverse engineering
    • Security control and validation bypassing
    • Local privacy information enumeration
    • Ajax framework exploitation – known bugs
  • Ajax Scanning
    • Scanning Ajax components
    • Retrieving all JS include files
      • Part of <SCRIPT SRC=….>
    • Identifying XHR calls
    • Grabbing function
    • Mapping function to DOM event
    • Scanning code for XSS – look for eval() and document.write()
  • Ajax serialization issues
    • Ajax processing various information coming from server and third party sources. – XSS opportunities
    message = { from : &quot;john@example.com&quot;, to : &quot;jerry@victim.com&quot;, subject : &quot;I am fine&quot;, body : &quot;Long message here&quot;, showsubject : function(){document.write(this.subject)} }; XSS
  • Ajax serialization issues
    • JSON issues
    • JS – Array manipulation
    {&quot;bookmarks&quot;:[{&quot;Link&quot;:&quot;www.example.com&quot;,&quot;Desc&quot;:&quot;Interesting link&quot;}]} new Array(“Laptop”, “Thinkpad”, “T60”, “Used”, “900$”, “It is great and I have used it for 2 years”)
  • Ajax and JS manipulation
    • JavaScript exploitation – XSS
    • Identifying DOM points like document.write()
    • Eval() – another interesting point
    • Attack APIs and tools for exploitation
    • Lot can be done by an attacker from session hijacking to key loggers
  • Ajax and RSS injection
    • RSS feeds are another entry point to the browser
    • Injecting script to the RSS feeds and Ajax call may execute it.
    • One click – Malformed linked injected into it and can lead to exploit “javascript:”
    • Leveraging events – onClick, onMouse etc.
  • Ajax Crawling
    • Crawling Ajax driven app – a challenge
    • Resources are hidden in JavaScript
    • Simple scanner will fail
    • Crawling with actual DOM context
    • Automated crawling with browser is required
    • How?
  • Defending Ajax
    • No business logic information on client side.
    • Do not trust third party source – filter it out
    • No direct cross domain call back
    • Filtering at browser level before processing information
    • Avoiding client side validation
  • Defending Ajax
    • No secret in Ajax calls
    • Proper data structure selection and frameworks
    • Avoid client side validation
    • Securing client side calls like eval() and document.write()
    • HTML tags filtering before serving to end client
  • Web Services – Attacks & Defense
    • Methodology
    • Footprinting & Discovery
    • Profiling and Enumeration
    • Scanning and Fuzzing
    • Attack vectors
    • Scanning code for vulnerabilities
    • Defense by filtering
  • Methodology Footprinting & Discovery Enumeration & Profiling Vulnerability Detection Code / Config Scanning Web Services Firewall Secure Coding Insecure Web Services Secure Web Services Blackbox Whitebox Defense & Countermeasure
  • Footprinting and Discovery
    • Objective: Discovering Web Services running on application domain.
    • Methods
      • Primary discovery
        • Crawling and spidering
        • Script analysis and page scrubbing
        • Traffic analysis
      • Secondary discovery
        • Search engine queries
        • UDDI scanning
  • Primary Discovery
    • Crawling the application and mapping file extensions and directory structures, like “.asmx”
    • Page scrubbing – scanning for paths and resources in the pages, like atlas back end call to Web Services.
    • Recording traffic while browsing and spidering, look for XML based traffic – leads to XML-RPC, REST, SOAP, JSON calls.
  • Primary Discovery - Demos
    • Page scanning with grep – Look in JavaScripts for URLs, Paths etc.
    • Crawling – Simple!
    • Scanning for Atlas references – Framework creates stubs and proxy. – scanweb2.0/scanatlas
    • Urlgrep can be used as well.
  • Secondary Discovery
    • Searching UDDI server for Web Services running on particular domain.
      • Three tactics for it – business, services or tModel.
    • Running queries against search engines like Google or MSN with extra directives like “inurl” or “filetype”
      • Look for “asmx”
    • wsScanner – Discovery!
  • Enumerating and Profiling
    • Scanning WSDL
      • Looking for Methods
      • Collecting In/Out parameters
      • Security implementations
      • Binding points
      • Method signature mapping
  • Scanning strategies
    • Manual invocation and response analysis.
    • Dynamic proxy creation and scanning.
    • Auto auditing for various vectors.
    • Fuzzing Web Services streams – XML or JSON
    • Response analysis is the key
      • Look for fault code nodes
      • Enumerating fault strings
      • Dissecting XML message and finding bits
      • Hidden error messages in JSON
  • Cross Site Scripting (XSS)
    • XSS is possible through Web Services.
    • It would be DOM based XSS via eval().
    • JSON-RPC based stream coming in the browser and get injected into DOM.
    • Source of stream can be of third party and Un-trusted.
    • XML streams coming in the browser and can cause XSS via document.write call.
  • Injection Flaws
    • Web Services methods are consuming parameters coming from end users.
    • It is possible to inject malicious characters into the stream.
    • It can break Web Services code and send faultsting back to an attacker
    • Various injections possible – SQL and XPATH
  • Malicious File Execution
    • Malicious command can be injected through the parameter.
    • WS supports attachments as well and that can lead to uploading a file.
    • This can give remote command execution capability to the attacker.
  • Insecure Direct Object Reference
    • Injecting characters to break file system sequences.
    • Faultcode spits out internal information if not protected.
    • Customized error shows the file refernces.
    • Access to internal file and full traversal to directories
    • Inspecting methods and parameters in the profile stage can help.
  • Cross Site Request Forgery
    • CSRF with XML streams
    • XML-RPC or SOAP based request can be generated from browsers.
    • Splitting form and XML injection is possible – interesting trick.
    • If Content-Type is not validated on the server then it can cause a potential CSRF.
    • XForms usage in browser can produce XML requests to attack CSRF.
  • Code Analysis for Web Services
    • Scanning the code base.
    • Identifying linkages.
    • Method signatures and inputs.
    • Looking for various patterns for SQL, LDAP, XPATH, File access etc.
    • Checking validation on them.
    • Code walking and tracing the base - Key
    • Regular firewall will not work
    • Content filtering on HTTP will not work either since it is SOAP over HTTP/HTTPS
    • SOAP level filtering and monitoring would require
    • ISAPI level filtering is essential
    • SOAP content filtering through IHTTPModule
    Code filtering with IHTTPModule
  • HTTP Stack for .Net HttpRuntime HttpApplicationFactory HttpApplication HttpHandlerFactory IHttpModule Handler Web Application Firewall & IDS 148
  • IHTTPModule for Web Services Firewall
    • Code walkthrough – Events and Hooks
    • Loading the DLL
    • Setting up the rules
    • Up and running!
    • Demo.
  • Thanks!
    • Questions?
      • [email_address]