Ajax Security



                Andrew van der Stock
                vanderaj@owasp.org


OWASP
AppSec
Europe
           ...
AJAX and Security

Ajax

Limited guidance
New chapter in Guide




                        OWASP AppSec Europe 2006
Compliance
         OWASP AppSec Europe 2006
Accessibility

Accessibility is
 mandatory by law
  Except for “justifiable
   hardship”


Corporations and
 government...
Accessibility

Ask real users to test!

Accessibility aides
W3C WAI validator
Basic tools




                        ...
Back Button

The most used button
Ajax toolkits often
 destroy or hide it

Support the Back Button!




               ...
Privacy



 “”
 You have no privacy.
 Get over it.

    Scott McNealy




                        OWASP AppSec Europe 2006
Privacy



 “
 Nothing that we have
 authorized conflicts with any
 law regarding privacy or any


                       ...
Privacy



 “
 Relying on the
 government to protect
 your privacy is like asking
 a peeping tom to install


            ...
Privacy

Ajax has client side state

Local storage
Caching
Mash ups




                              OWASP AppSec Eur...
Privacy ... not

Javascript is clear text
   often cached regardless of browser settings
   Not private in any way




...
Privacy ... not

DOM can be manipulated by hostile code
  Not private in any way




                             OWASP ...
Privacy ... not

Dojo.Storage uses Flash
  “Solution” for client-side persistent storage
  Not private in any way

  O...
Mash ups

Who owns the data?
Who gets the data?
How are they going to handle it?




                              OWAS...
An example of a mash up




                          OWASP AppSec Europe 2006
Credit Rating Mashup




                       OWASP AppSec Europe 2006
Credit Rating Mashup




                       OWASP AppSec Europe 2006
Credit Rating Mashup




                       OWASP AppSec Europe 2006
Contentious issues




                     OWASP AppSec Europe 2006
Contentious issues




                     OWASP AppSec Europe 2006
Access Control AppSec Europe 2006
           OWASP
Authentication

Don’t let any old caller in

What’s okay without authentication?

Authenticate new XMLHttpRequest sessi...
Ask...




                             o
                         a! N
                       m
                    ok s!...
and ye shall receive




eah !
Yy
Bab

     e
  om pa!
 Ca
 to p




                       OWASP AppSec Europe 2006
Authorization




    Would you let Bart call
    your admin function?




                              OWASP AppSec Euro...
Authorization

Use same authorization methods



Default deny; all actions should be denied unless
 allowed

Error resp...
Sessions and State Management2006
                    OWASP AppSec Europe
Session Fixation

Use toolkits which send session tokens

Use proper session management to maintain the
 session

OWASP...
Cross-domain XML Http Requests

By security design, no browser supports this

Many designs want to do this
  or already...
State management

In the good olde days, state was on the server
With Ajax, a lot more state is on the client
Think “hi...
Sending state

Validate all state before use

Sending state to the client for display

   DOM injections
   HTML injec...
Exposing internal state

Just because it’s faster doesn’t mean it’s wiser
Keep sensitive state on the server, always
Do...
Ajax Attack Prevention Europe 2006
                OWASP AppSec
Injection Attacks

PHP toolkits: look for code injection attacks
JSON injection: be careful how you decode!
DOM injecti...
Data validation

Data from XMLHttpRequest must be validated

Perform validation after authorization checks
Validate usi...
Ajax APIs




            OWASP AppSec Europe 2006
Reconstructing Ajax API

 Many Ajax apps have
 been “decoded”

   e.g. libgmail, GMail Agent API,
   gmail.py, etc
   Spaw...
GET APIs




           OWASP AppSec Europe 2006
Pseudo API Injection

Almost all Ajax toolkits use GET by default
   Force them to use POST


Most PHP AJAX tool kits a...
Psuedo API

Guess what I can do?

Create proxy façades




                        OWASP AppSec Europe 2006
Event Management




            OWASP AppSec Europe 2006
Error Handling
Error handling is
 often neglected
                      Parentless window syndrome
Do not use
 Javascrip...
Auditing

Client-side auditing is a joke

Auditing must be:
   comprehensive
   unavoidable
   tamper resistant




 ...
Questions


                Andrew van der Stock
                vanderaj@owasp.org

                Images:

            ...
Upcoming SlideShare
Loading in …5
×

Ajax Security

3,040 views

Published on

Ajax Security - Andrew van der Stock

Published in: Business, Technology
0 Comments
13 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,040
On SlideShare
0
From Embeds
0
Number of Embeds
172
Actions
Shares
0
Downloads
0
Comments
0
Likes
13
Embeds 0
No embeds

No notes for slide

Ajax Security

  1. 1. Ajax Security Andrew van der Stock vanderaj@owasp.org OWASP AppSec Europe Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document May 2006 under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/
  2. 2. AJAX and Security Ajax Limited guidance New chapter in Guide OWASP AppSec Europe 2006
  3. 3. Compliance OWASP AppSec Europe 2006
  4. 4. Accessibility Accessibility is mandatory by law Except for “justifiable hardship” Corporations and governments No choice - do it! Personal web sites No one will come after you... but... OWASP AppSec Europe 2006
  5. 5. Accessibility Ask real users to test! Accessibility aides W3C WAI validator Basic tools OWASP AppSec Europe 2006
  6. 6. Back Button The most used button Ajax toolkits often destroy or hide it Support the Back Button! OWASP AppSec Europe 2006
  7. 7. Privacy “” You have no privacy. Get over it. Scott McNealy OWASP AppSec Europe 2006
  8. 8. Privacy “ Nothing that we have authorized conflicts with any law regarding privacy or any ” provision of the constitution. John Ashcroft OWASP AppSec Europe 2006
  9. 9. Privacy “ Relying on the government to protect your privacy is like asking a peeping tom to install ” your window blinds. John Perry Barlow OWASP AppSec Europe 2006
  10. 10. Privacy Ajax has client side state Local storage Caching Mash ups OWASP AppSec Europe 2006
  11. 11. Privacy ... not Javascript is clear text often cached regardless of browser settings Not private in any way OWASP AppSec Europe 2006
  12. 12. Privacy ... not DOM can be manipulated by hostile code Not private in any way OWASP AppSec Europe 2006
  13. 13. Privacy ... not Dojo.Storage uses Flash “Solution” for client-side persistent storage Not private in any way Often used for cross-domain postings... ARGH OWASP AppSec Europe 2006
  14. 14. Mash ups Who owns the data? Who gets the data? How are they going to handle it? OWASP AppSec Europe 2006
  15. 15. An example of a mash up OWASP AppSec Europe 2006
  16. 16. Credit Rating Mashup OWASP AppSec Europe 2006
  17. 17. Credit Rating Mashup OWASP AppSec Europe 2006
  18. 18. Credit Rating Mashup OWASP AppSec Europe 2006
  19. 19. Contentious issues OWASP AppSec Europe 2006
  20. 20. Contentious issues OWASP AppSec Europe 2006
  21. 21. Access Control AppSec Europe 2006 OWASP
  22. 22. Authentication Don’t let any old caller in What’s okay without authentication? Authenticate new XMLHttpRequest sessions OWASP AppSec Europe 2006
  23. 23. Ask... o a! N m ok s! Lo kie coo OWASP AppSec Europe 2006
  24. 24. and ye shall receive eah ! Yy Bab e om pa! Ca to p OWASP AppSec Europe 2006
  25. 25. Authorization Would you let Bart call your admin function? OWASP AppSec Europe 2006
  26. 26. Authorization Use same authorization methods Default deny; all actions should be denied unless allowed Error responses for no authorization OWASP AppSec Europe 2006
  27. 27. Sessions and State Management2006 OWASP AppSec Europe
  28. 28. Session Fixation Use toolkits which send session tokens Use proper session management to maintain the session OWASP Guide - Session Management chapter OWASP AppSec Europe 2006
  29. 29. Cross-domain XML Http Requests By security design, no browser supports this Many designs want to do this or already do this (Google Maps, etc) How to do it safely? Only with federated security OWASP AppSec Europe 2006
  30. 30. State management In the good olde days, state was on the server With Ajax, a lot more state is on the client Think “hidden fields” but so much worse OWASP AppSec Europe 2006
  31. 31. Sending state Validate all state before use Sending state to the client for display DOM injections HTML injections Only send changed state back OWASP AppSec Europe 2006
  32. 32. Exposing internal state Just because it’s faster doesn’t mean it’s wiser Keep sensitive state on the server, always Don’t obfuscate JavaScript - it’s hard enough now OWASP AppSec Europe 2006
  33. 33. Ajax Attack Prevention Europe 2006 OWASP AppSec
  34. 34. Injection Attacks PHP toolkits: look for code injection attacks JSON injection: be careful how you decode! DOM injection - client side attacks now much easier XML injection - both client and server side Code injection - both client and server side OWASP AppSec Europe 2006
  35. 35. Data validation Data from XMLHttpRequest must be validated Perform validation after authorization checks Validate using same paths as existing code If you (de-)serialize, be aware of XML injection OWASP AppSec Europe 2006
  36. 36. Ajax APIs OWASP AppSec Europe 2006
  37. 37. Reconstructing Ajax API Many Ajax apps have been “decoded” e.g. libgmail, GMail Agent API, gmail.py, etc Spawned GMailFS, Win32 Gmail clients, etc Do not assume your app is special - it will be decoded! GMail Agent API in action OWASP AppSec Europe 2006
  38. 38. GET APIs OWASP AppSec Europe 2006
  39. 39. Pseudo API Injection Almost all Ajax toolkits use GET by default Force them to use POST Most PHP AJAX tool kits allow remote code injection by allowing client-side server code invocation eg: AJason, JPSpan and CPAINT (1.x) OWASP AppSec Europe 2006
  40. 40. Psuedo API Guess what I can do? Create proxy façades OWASP AppSec Europe 2006
  41. 41. Event Management OWASP AppSec Europe 2006
  42. 42. Error Handling Error handling is often neglected Parentless window syndrome Do not use Javascript alert() OWASP AppSec Europe 2006
  43. 43. Auditing Client-side auditing is a joke Auditing must be: comprehensive unavoidable tamper resistant OWASP AppSec Europe 2006
  44. 44. Questions Andrew van der Stock vanderaj@owasp.org Images: John Perry Barlow image used with permission OWASP Stock*Exchange Image After AppSec Andrew’s OWASP EU talks sponsored by Europe Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document May 2006 under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/

×