What is Cross Site Scripting
Cross Site Scripting (XSS) is a security exploit where malicious scripts are injected into the URL (query strings?) or form fields of a site and then run by unsuspecting victims.
- Reflected
- Stored
- Local
- Hacker persuades victim to click on a URL
- Victim clicks link
- Script embedded in URL steals sensitive info
[Diagram: Hacker -> Victim]
The vulnerable search page as rendered for the URL below: the keyword parameter is reflected unencoded into the body, where it executes, and again into the INPUT value.

<HTML>
<HEAD>
<TITLE>Search Example</TITLE>
<META http-equiv="content-type" content="text/html; charset=utf-8">
</HEAD>
<BODY> <H1>Search Results</H1> for <SCRIPT>alert("Running!")</SCRIPT>
<BR> <BR> <h2>Sorry, no results were found.</h2> <BR>
<FORM name=search> <INPUT type=text name="keyword" value="<SCRIPT>alert(&quot;Running!&quot;)</SCRIPT>"> <INPUT type=submit value="Go"> </FORM>
</BODY> </HTML>

http://myserver/search.aspx?keyword=<SCRIPT>alert("Running!")</SCRIPT>
Input Validation
- Client side??
- Request Validation Attribute
Output Encoding
- HTMLEncode - Black listing
- Microsoft Anti-Cross Site Scripting Library - Whitelisting
Hacker Injects Script to Datastore
When Victim visits, it is run on their machine
[Diagram: Hacker -> datastore -> Victim]

[Form mockup]
First Name:
Last Name:
Comments: <script> Anything</script>
Input Validation
- Client side??
- Request Validation Attribute
Output Encoding
- HTMLEncode - Black listing
- Microsoft Anti-Cross Site Scripting Library - Whitelisting
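The two output-encoding styles named on the slide, applied to the reflected search page shown earlier; this is an added example, not code from the deck or from the AntiXSS library. The template, the sample keyword and the whitelist alphabet are constructed for the demonstration.

```javascript
// Added example (not from the slides): blacklist vs whitelist HTML encoding,
// run over the search page template from the reflected-XSS slide.
// SAMPLE_KEYWORD is the payload from the slide's URL; SAFE_CHAR is an assumed alphabet.

const SAMPLE_KEYWORD = '<SCRIPT>alert("Running!")</SCRIPT>';

// Blacklist style: escape only the characters the author thought of.
// Anything not on the list (here the single quote) passes through untouched.
function htmlEncodeBlacklist(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Whitelist style (the AntiXSS approach): keep a small known-safe alphabet
// as-is and numerically encode every other character, so no character the
// browser could read as markup or as an attribute delimiter survives.
const SAFE_CHAR = /^[A-Za-z0-9 ,.\-_]$/;
function htmlEncodeWhitelist(s) {
  let out = "";
  for (const ch of String(s)) {
    out += SAFE_CHAR.test(ch) ? ch : `&#${ch.codePointAt(0)};`;
  }
  return out;
}

// The search page from the slide: the keyword is reflected twice, into the
// body and into the INPUT value attribute. Passing the identity function as
// the encoder reproduces the vulnerable page; passing an encoder fixes it.
function renderSearchPage(keyword, encode) {
  const k = encode(keyword);
  return [
    "<HTML><HEAD><TITLE>Search Example</TITLE></HEAD>",
    `<BODY><H1>Search Results</H1> for ${k}`,
    "<h2>Sorry, no results were found.</h2>",
    `<FORM name=search><INPUT type=text name="keyword" value="${k}">`,
    '<INPUT type=submit value="Go"></FORM></BODY></HTML>',
  ].join("\n");
}

// Simple check for the demo: did a raw script tag survive into the output?
function containsScriptTag(html) {
  return /<\s*script/i.test(html);
}

// Compare the three renderings of the same keyword in one place.
function compareEncoders(keyword) {
  return {
    unencoded: containsScriptTag(renderSearchPage(keyword, (s) => s)),
    blacklist: containsScriptTag(renderSearchPage(keyword, htmlEncodeBlacklist)),
    whitelist: containsScriptTag(renderSearchPage(keyword, htmlEncodeWhitelist)),
  };
}
```

Both encoders neutralise the slide's payload in this double-quoted template; the difference shows up with characters the blacklist never listed, such as a single quote inside a single-quoted attribute.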
Hacker Injects Script to Datastore
When Victim visits, it is run on their machine
[Diagram: Victim, X, Hacker]
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>
<BR>
Welcome to our system
…
</HTML>

http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
Javascript Hardening
- Analyze DOM modifications
  - document
  - window
  - Eval() (don't use)
- Regular Expressions
- Remember
  - Hacker can see your javascript
  - Use a JSON Parser instead of Eval() (www.json.org)
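The welcome.html pattern from the previous slide, hardened along the lines this slide lists (whitelist regular expression, no document.write, JSON parser instead of eval); this is an added example, not code from the deck. NAME_RE, getNameFromUrl, renderWelcome and parseAjaxResponse are constructed for the demonstration, and the element passed to renderWelcome is assumed to be a DOM element with a textContent property.

```javascript
// Added example (not from the slides): the vulnerable page took everything
// after "name=" in document.URL and handed it to document.write(). The value
// lives in the fragment, which the browser never sends to the server, so
// server-side request validation cannot see it; the check has to be client side.

// Assumed policy for a display name: letters, spaces, apostrophes, hyphens.
const NAME_RE = /^[A-Za-z][A-Za-z' -]{0,39}$/;

// Return the validated "name" value from a URL, or null if absent or rejected.
// Rejecting (rather than stripping tags out) keeps the rule easy to reason about.
function getNameFromUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  // The original read the fragment (after '#'); fall back to the query string.
  const raw = url.hash ? url.hash.slice(1) : url.search.slice(1);
  const name = new URLSearchParams(raw).get("name");
  return name !== null && NAME_RE.test(name) ? name : null;
}

// Replace document.write with a textContent assignment on a target element.
// In a browser, target is e.g. document.getElementById("greeting");
// textContent stores the string as text, so it is never parsed as markup.
function renderWelcome(target, urlString) {
  const name = getNameFromUrl(urlString);
  target.textContent = name === null ? "Hi, guest" : `Hi ${name}`;
  return target.textContent;
}

// "Use a JSON parser instead of eval()": an AJAX response body is data, never
// code. JSON.parse accepts only JSON; eval would execute any script it is
// given and also accepts JS-only syntax such as unquoted keys or calls.
// JSON.parse is native in current browsers; json2.js from www.json.org
// supplied it when this deck was written.
function parseAjaxResponse(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (err) {
    return { ok: false, error: err.name }; // "SyntaxError" for non-JSON input
  }
}
```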
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Scrubbing Your AJAX