SlideShare a Scribd company logo

Ajax Security

A
amiable_indian

Ajax Security - Andrew van der Stock

BusinessTechnology
1 of 44
Ajax Security Andrew van der Stock vanderaj@owasp.org OWASP AppSec Europe Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document May 2006 under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/
AJAX and Security Ajax Limited guidance New chapter in Guide OWASP AppSec Europe 2006
Compliance OWASP AppSec Europe 2006
Accessibility Accessibility is mandatory by law Except for “justifiable hardship” Corporations and governments No choice - do it! Personal web sites No one will come after you... but... OWASP AppSec Europe 2006
Accessibility Ask real users to test! Accessibility aides W3C WAI validator Basic tools OWASP AppSec Europe 2006
Back Button The most used button Ajax toolkits often destroy or hide it Support the Back Button! OWASP AppSec Europe 2006
Privacy “” You have no privacy. Get over it. Scott McNealy OWASP AppSec Europe 2006
Privacy “ Nothing that we have authorized conflicts with any law regarding privacy or any ” provision of the constitution. John Ashcroft OWASP AppSec Europe 2006
Privacy “ Relying on the government to protect your privacy is like asking a peeping tom to install ” your window blinds. John Perry Barlow OWASP AppSec Europe 2006
Privacy Ajax has client side state Local storage Caching Mash ups OWASP AppSec Europe 2006
Privacy ... not Javascript is clear text often cached regardless of browser settings Not private in any way OWASP AppSec Europe 2006
Privacy ... not DOM can be manipulated by hostile code Not private in any way OWASP AppSec Europe 2006
Privacy ... not Dojo.Storage uses Flash “Solution” for client-side persistent storage Not private in any way Often used for cross-domain postings... ARGH OWASP AppSec Europe 2006
Mash ups Who owns the data? Who gets the data? How are they going to handle it? OWASP AppSec Europe 2006
An example of a mash up OWASP AppSec Europe 2006
Credit Rating Mashup OWASP AppSec Europe 2006
Credit Rating Mashup OWASP AppSec Europe 2006
Credit Rating Mashup OWASP AppSec Europe 2006
Contentious issues OWASP AppSec Europe 2006
Contentious issues OWASP AppSec Europe 2006
Access Control AppSec Europe 2006 OWASP
Authentication Don’t let any old caller in What’s okay without authentication? Authenticate new XMLHttpRequest sessions OWASP AppSec Europe 2006
Ask... o a! N m ok s! Lo kie coo OWASP AppSec Europe 2006
and ye shall receive eah ! Yy Bab e om pa! Ca to p OWASP AppSec Europe 2006
Authorization Would you let Bart call your admin function? OWASP AppSec Europe 2006
Authorization Use same authorization methods Default deny; all actions should be denied unless allowed Error responses for no authorization OWASP AppSec Europe 2006
Sessions and State Management2006 OWASP AppSec Europe
Session Fixation Use toolkits which send session tokens Use proper session management to maintain the session OWASP Guide - Session Management chapter OWASP AppSec Europe 2006
Cross-domain XML Http Requests By security design, no browser supports this Many designs want to do this or already do this (Google Maps, etc) How to do it safely? Only with federated security OWASP AppSec Europe 2006
State management In the good olde days, state was on the server With Ajax, a lot more state is on the client Think “hidden fields” but so much worse OWASP AppSec Europe 2006
Sending state Validate all state before use Sending state to the client for display DOM injections HTML injections Only send changed state back OWASP AppSec Europe 2006
Exposing internal state Just because it’s faster doesn’t mean it’s wiser Keep sensitive state on the server, always Don’t obfuscate JavaScript - it’s hard enough now OWASP AppSec Europe 2006
Ajax Attack Prevention Europe 2006 OWASP AppSec
Injection Attacks PHP toolkits: look for code injection attacks JSON injection: be careful how you decode! DOM injection - client side attacks now much easier XML injection - both client and server side Code injection - both client and server side OWASP AppSec Europe 2006
Data validation Data from XMLHttpRequest must be validated Perform validation after authorization checks Validate using same paths as existing code If you (de-)serialize, be aware of XML injection OWASP AppSec Europe 2006
Ajax APIs OWASP AppSec Europe 2006
Reconstructing Ajax API Many Ajax apps have been “decoded” e.g. libgmail, GMail Agent API, gmail.py, etc Spawned GMailFS, Win32 Gmail clients, etc Do not assume your app is special - it will be decoded! GMail Agent API in action OWASP AppSec Europe 2006
GET APIs OWASP AppSec Europe 2006
Pseudo API Injection Almost all Ajax toolkits use GET by default Force them to use POST Most PHP AJAX tool kits allow remote code injection by allowing client-side server code invocation eg: AJason, JPSpan and CPAINT (1.x) OWASP AppSec Europe 2006
Psuedo API Guess what I can do? Create proxy façades OWASP AppSec Europe 2006
Event Management OWASP AppSec Europe 2006
Error Handling Error handling is often neglected Parentless window syndrome Do not use Javascript alert() OWASP AppSec Europe 2006
Auditing Client-side auditing is a joke Auditing must be: comprehensive unavoidable tamper resistant OWASP AppSec Europe 2006
Questions Andrew van der Stock vanderaj@owasp.org Images: John Perry Barlow image used with permission OWASP Stock*Exchange Image After AppSec Andrew’s OWASP EU talks sponsored by Europe Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document May 2006 under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/

Recommended

Ajax Security
Ajax SecurityAjax Security
Ajax Securitydrkimsky
 
OWASP, PHP, life and universe
OWASP, PHP, life and universeOWASP, PHP, life and universe
OWASP, PHP, life and universeSebastien Gioria
 
strength of materials singer and pytel solution manual (chapter 9 )
strength of materials singer and pytel solution manual (chapter 9 )strength of materials singer and pytel solution manual (chapter 9 )
strength of materials singer and pytel solution manual (chapter 9 )Ahmad Haydar
 
Chap#6 Beam Deflections solutions
Chap#6 Beam Deflections solutionsChap#6 Beam Deflections solutions
Chap#6 Beam Deflections solutionsrnkhan
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
Best Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application FirewallsBest Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application Firewallsalexmeisel
 
Locust Fear
Locust FearLocust Fear
Locust FearAlan Lepofsky
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23
 

Recommended

Ajax Security
Ajax SecurityAjax Security
Ajax Securitydrkimsky
 
OWASP, PHP, life and universe
OWASP, PHP, life and universeOWASP, PHP, life and universe
OWASP, PHP, life and universeSebastien Gioria
 
strength of materials singer and pytel solution manual (chapter 9 )
strength of materials singer and pytel solution manual (chapter 9 )strength of materials singer and pytel solution manual (chapter 9 )
strength of materials singer and pytel solution manual (chapter 9 )Ahmad Haydar
 
Chap#6 Beam Deflections solutions
Chap#6 Beam Deflections solutionsChap#6 Beam Deflections solutions
Chap#6 Beam Deflections solutionsrnkhan
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
Best Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application FirewallsBest Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application Firewallsalexmeisel
 
Locust Fear
Locust FearLocust Fear
Locust FearAlan Lepofsky
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application DefencesDamilola Longe, CISSP, CCSP, MSc
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction alessiomarziali
 
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014Sébastien GIORIA
 
CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014Sebastien Gioria
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pjSébastien GIORIA
 
Networking Israeli Day 2013 - Hecatonchire: Transparent Memory Aggregation
Networking Israeli Day 2013 - Hecatonchire: Transparent Memory AggregationNetworking Israeli Day 2013 - Hecatonchire: Transparent Memory Aggregation
Networking Israeli Day 2013 - Hecatonchire: Transparent Memory Aggregationaidanshribman
 
VMware Studio & vAPP-s
VMware Studio & vAPP-sVMware Studio & vAPP-s
VMware Studio & vAPP-sJaroslav Mraz
 
Owasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi FiOwasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi FiPaolo Perego
 
Cloud computing, Virtualisation and the Future
Cloud computing, Virtualisation and the FutureCloud computing, Virtualisation and the Future
Cloud computing, Virtualisation and the FutureAke Edlund
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Soa R 7 16 08 Appistry Private Clouds Etc Bob Lozano
Soa R 7 16 08 Appistry Private Clouds Etc Bob LozanoSoa R 7 16 08 Appistry Private Clouds Etc Bob Lozano
Soa R 7 16 08 Appistry Private Clouds Etc Bob LozanoGovCloud Network
 
Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02Abwebnet
 
Owasp tunisia web day 2011
Owasp tunisia web day 2011Owasp tunisia web day 2011
Owasp tunisia web day 2011OWASPTunisia
 
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10Juan Golden Tiger
 
High-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
High-Octane Dev Teams: Three Things You Can Do To Improve Code QualityHigh-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
High-Octane Dev Teams: Three Things You Can Do To Improve Code QualityAtlassian
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universeSébastien GIORIA
 
Bringing ESX Deployments into native OpenStack OVSvApp
Bringing ESX Deployments into native OpenStack OVSvAppBringing ESX Deployments into native OpenStack OVSvApp
Bringing ESX Deployments into native OpenStack OVSvAppRomil Gupta
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksStefano Di Paola
 
Csrf protector
Csrf protectorCsrf protector
Csrf protectorMinhaz A V
 
Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 

More Related Content

Similar to Ajax Security

OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014Sébastien GIORIA
 
CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014Sebastien Gioria
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
Networking Israeli Day 2013 - Hecatonchire: Transparent Memory Aggregation
Networking Israeli Day 2013 - Hecatonchire: Transparent Memory AggregationNetworking Israeli Day 2013 - Hecatonchire: Transparent Memory Aggregation
Networking Israeli Day 2013 - Hecatonchire: Transparent Memory Aggregationaidanshribman
 
VMware Studio & vAPP-s
VMware Studio & vAPP-sVMware Studio & vAPP-s
VMware Studio & vAPP-sJaroslav Mraz
 
Owasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi FiOwasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi FiPaolo Perego
 
Cloud computing, Virtualisation and the Future
Cloud computing, Virtualisation and the FutureCloud computing, Virtualisation and the Future
Cloud computing, Virtualisation and the FutureAke Edlund
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Soa R 7 16 08 Appistry Private Clouds Etc Bob Lozano
Soa R 7 16 08 Appistry Private Clouds Etc Bob LozanoSoa R 7 16 08 Appistry Private Clouds Etc Bob Lozano
Soa R 7 16 08 Appistry Private Clouds Etc Bob LozanoGovCloud Network
 
Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02Abwebnet
 
Owasp tunisia web day 2011
Owasp tunisia web day 2011Owasp tunisia web day 2011
Owasp tunisia web day 2011OWASPTunisia
 
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10Juan Golden Tiger
 
High-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
High-Octane Dev Teams: Three Things You Can Do To Improve Code QualityHigh-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
High-Octane Dev Teams: Three Things You Can Do To Improve Code QualityAtlassian
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universeSébastien GIORIA
 
Bringing ESX Deployments into native OpenStack OVSvApp
Bringing ESX Deployments into native OpenStack OVSvAppBringing ESX Deployments into native OpenStack OVSvApp
Bringing ESX Deployments into native OpenStack OVSvAppRomil Gupta
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksStefano Di Paola
 
Csrf protector
Csrf protectorCsrf protector
Csrf protectorMinhaz A V
 

Similar to Ajax Security (20)

Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
 
CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
 
Networking Israeli Day 2013 - Hecatonchire: Transparent Memory Aggregation
Networking Israeli Day 2013 - Hecatonchire: Transparent Memory AggregationNetworking Israeli Day 2013 - Hecatonchire: Transparent Memory Aggregation
Networking Israeli Day 2013 - Hecatonchire: Transparent Memory Aggregation
 
VMware Studio & vAPP-s
VMware Studio & vAPP-sVMware Studio & vAPP-s
VMware Studio & vAPP-s
 
Owasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi FiOwasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi Fi
 
Cloud computing, Virtualisation and the Future
Cloud computing, Virtualisation and the FutureCloud computing, Virtualisation and the Future
Cloud computing, Virtualisation and the Future
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Soa R 7 16 08 Appistry Private Clouds Etc Bob Lozano
Soa R 7 16 08 Appistry Private Clouds Etc Bob LozanoSoa R 7 16 08 Appistry Private Clouds Etc Bob Lozano
Soa R 7 16 08 Appistry Private Clouds Etc Bob Lozano
 
Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02
 
Owasp tunisia web day 2011
Owasp tunisia web day 2011Owasp tunisia web day 2011
Owasp tunisia web day 2011
 
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
 
High-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
High-Octane Dev Teams: Three Things You Can Do To Improve Code QualityHigh-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
High-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universe
 
Bringing ESX Deployments into native OpenStack OVSvApp
Bringing ESX Deployments into native OpenStack OVSvAppBringing ESX Deployments into native OpenStack OVSvApp
Bringing ESX Deployments into native OpenStack OVSvApp
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacks
 
Csrf protector
Csrf protectorCsrf protector
Csrf protector
 

More from amiable_indian

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...amiable_indian
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in Indiaamiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Codingamiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentationamiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization amiable_indian
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Timeamiable_indian
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics? amiable_indian
 

More from amiable_indian (20)

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
 

Recently uploaded

Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Pereraictsugar
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadAyesha Khan
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis UsageNeil Kimberley
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCRashishs7044
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...ictsugar
 

Recently uploaded (20)

Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 

Ajax Security

  • 1. Ajax Security Andrew van der Stock vanderaj@owasp.org OWASP AppSec Europe Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document May 2006 under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/
  • 2. AJAX and Security Ajax Limited guidance New chapter in Guide OWASP AppSec Europe 2006
  • 3. Compliance OWASP AppSec Europe 2006
  • 4. Accessibility Accessibility is mandatory by law Except for “justifiable hardship” Corporations and governments No choice - do it! Personal web sites No one will come after you... but... OWASP AppSec Europe 2006
  • 5. Accessibility Ask real users to test! Accessibility aides W3C WAI validator Basic tools OWASP AppSec Europe 2006
  • 6. Back Button The most used button Ajax toolkits often destroy or hide it Support the Back Button! OWASP AppSec Europe 2006
  • 7. Privacy “” You have no privacy. Get over it. Scott McNealy OWASP AppSec Europe 2006
  • 8. Privacy “ Nothing that we have authorized conflicts with any law regarding privacy or any ” provision of the constitution. John Ashcroft OWASP AppSec Europe 2006
  • 9. Privacy “ Relying on the government to protect your privacy is like asking a peeping tom to install ” your window blinds. John Perry Barlow OWASP AppSec Europe 2006
  • 10. Privacy Ajax has client side state Local storage Caching Mash ups OWASP AppSec Europe 2006
  • 11. Privacy ... not Javascript is clear text often cached regardless of browser settings Not private in any way OWASP AppSec Europe 2006
  • 12. Privacy ... not DOM can be manipulated by hostile code Not private in any way OWASP AppSec Europe 2006
  • 13. Privacy ... not Dojo.Storage uses Flash “Solution” for client-side persistent storage Not private in any way Often used for cross-domain postings... ARGH OWASP AppSec Europe 2006
  • 14. Mash ups Who owns the data? Who gets the data? How are they going to handle it? OWASP AppSec Europe 2006
  • 15. An example of a mash up OWASP AppSec Europe 2006
  • 16. Credit Rating Mashup OWASP AppSec Europe 2006
  • 17. Credit Rating Mashup OWASP AppSec Europe 2006
  • 18. Credit Rating Mashup OWASP AppSec Europe 2006
  • 19. Contentious issues OWASP AppSec Europe 2006
  • 20. Contentious issues OWASP AppSec Europe 2006
  • 21. Access Control AppSec Europe 2006 OWASP
  • 22. Authentication Don’t let any old caller in What’s okay without authentication? Authenticate new XMLHttpRequest sessions OWASP AppSec Europe 2006
  • 23. Ask... o a! N m ok s! Lo kie coo OWASP AppSec Europe 2006
  • 24. and ye shall receive eah ! Yy Bab e om pa! Ca to p OWASP AppSec Europe 2006
  • 25. Authorization Would you let Bart call your admin function? OWASP AppSec Europe 2006
  • 26. Authorization Use same authorization methods Default deny; all actions should be denied unless allowed Error responses for no authorization OWASP AppSec Europe 2006
  • 27. Sessions and State Management2006 OWASP AppSec Europe
  • 28. Session Fixation Use toolkits which send session tokens Use proper session management to maintain the session OWASP Guide - Session Management chapter OWASP AppSec Europe 2006
  • 29. Cross-domain XML Http Requests By security design, no browser supports this Many designs want to do this or already do this (Google Maps, etc) How to do it safely? Only with federated security OWASP AppSec Europe 2006
  • 30. State management In the good olde days, state was on the server With Ajax, a lot more state is on the client Think “hidden fields” but so much worse OWASP AppSec Europe 2006
  • 31. Sending state Validate all state before use Sending state to the client for display DOM injections HTML injections Only send changed state back OWASP AppSec Europe 2006
  • 32. Exposing internal state Just because it’s faster doesn’t mean it’s wiser Keep sensitive state on the server, always Don’t obfuscate JavaScript - it’s hard enough now OWASP AppSec Europe 2006
  • 33. Ajax Attack Prevention Europe 2006 OWASP AppSec
  • 34. Injection Attacks PHP toolkits: look for code injection attacks JSON injection: be careful how you decode! DOM injection - client side attacks now much easier XML injection - both client and server side Code injection - both client and server side OWASP AppSec Europe 2006
  • 35. Data validation Data from XMLHttpRequest must be validated Perform validation after authorization checks Validate using same paths as existing code If you (de-)serialize, be aware of XML injection OWASP AppSec Europe 2006
  • 36. Ajax APIs OWASP AppSec Europe 2006
  • 37. Reconstructing Ajax API Many Ajax apps have been “decoded” e.g. libgmail, GMail Agent API, gmail.py, etc Spawned GMailFS, Win32 Gmail clients, etc Do not assume your app is special - it will be decoded! GMail Agent API in action OWASP AppSec Europe 2006
  • 38. GET APIs OWASP AppSec Europe 2006
  • 39. Pseudo API Injection Almost all Ajax toolkits use GET by default Force them to use POST Most PHP AJAX tool kits allow remote code injection by allowing client-side server code invocation eg: AJason, JPSpan and CPAINT (1.x) OWASP AppSec Europe 2006
  • 40. Psuedo API Guess what I can do? Create proxy façades OWASP AppSec Europe 2006
  • 41. Event Management OWASP AppSec Europe 2006
  • 42. Error Handling Error handling is often neglected Parentless window syndrome Do not use Javascript alert() OWASP AppSec Europe 2006
  • 43. Auditing Client-side auditing is a joke Auditing must be: comprehensive unavoidable tamper resistant OWASP AppSec Europe 2006
  • 44. Questions Andrew van der Stock vanderaj@owasp.org Images: John Perry Barlow image used with permission OWASP Stock*Exchange Image After AppSec Andrew’s OWASP EU talks sponsored by Europe Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document May 2006 under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/