WebGoat Learning Environment Installation

To install
- From CD: double-click AspectClassCD.exe (the installer) and follow the directions (i.e., just hit Next, Install, Finish as requested)

To run Eclipse (the AJAX Labs IDE)
- Double-click eclipse.bat in the C:\AspectClass\AJAX\Labs folder

To build and run WebGoat in Eclipse
- Select Project -> Clean… from the main menu and click OK
- Select Servers -> Tomcat v5.5 Server @ localhost and hit F5
- In the Servers pane, right-click on Tomcat and select Start

To browse to WebGoat
- Double-click the "Browse to WebGoat" shortcut in C:\AspectClass\AJAX\Labs, or browse to http://localhost.:8089/WebGoat/attack
- The username and password are both "guest"

To remove
- Run C:\AspectClass\AspectClassUnistaller.exe, or the separate uninstallers under each directory
Page 2 ©
A S P E C T S E C U R I T Y, I N C.
APPLICATION SECURITY SPECIALISTS
ANALYSIS
|
TRAINING
|
PROCESS
Course Objectives

Target Audience
- Developers and Designers
- Architects
- Quality Assurance / Testers
- Security Specialists

After completing this course, participants will…
- Recognize the need for Ajax security
- Be able to apply best practices and security controls
- Be able to recognize common Ajax vulnerability patterns
- Be able to design and implement safer Ajax applications
- Be able to test Ajax applications for common security flaws
Table of Contents
- Exploring Ajax Security (slide 7)
- XSS and CSRF Review (slide 20)
- Ajax Frameworks (slide 32)
- Exploring the Ajax Attack Surface (slide 45)
- Key Ajax Security Controls (slide 61)
- Process: Ajax Development Best Practices (slide 103)
- References (slide 110)
Aspect Security Background info@aspectsecurity.com
Agenda: Day 1
- 8:30 Welcome and Introductions
- 9:00 Ajax Overview
- 9:20 Exploring the Ajax Attack Surface
- 10:00 Break
- 10:20 Ajax Frameworks
- 10:40 Cross Site Scripting (XSS)
- 11:40 Lunch
- 12:40 Cross Site Request Forgery (CSRF)
- 13:40 Key Ajax Security Controls
- 14:40 Break
- 15:20 Ajax Best Practices
- 16:00 References
- 16:20 Wrap-Up
- 16:30 End of day
Warning

WARNING: Using the techniques described in this course without permission could lead to job termination, financial liability, and/or criminal penalties.

Notes
- Hacking is illegal
- The term 'hacking' is not well-defined
- Hacking may be considered terrorism
Exploring Ajax Security
2008-Q401 ©
Ajax Overview

Ajax allows highly interactive, dynamic web applications
- Often thought to mean "Asynchronous JavaScript and XML"

Consists of
- DOM: dynamic data repository and view
- JavaScript: client-side application logic
- XmlHttpRequest: asynchronous requests to the server
- DHTML / CSS: "rich" controls, such as sliders, tabs, fades

"Web 2.0" adds
- Social interfaces (client-to-client interaction, forums, etc.)
Ajax-Enabled Web Applications

(Diagram: the sequence between the user, the browser, the web server and the service application.)
1. User visits web site
2. Browser fetches index.html
3. Server sends index.html and the referenced JavaScript
4. Browser renders the page and runs the scripts
5. User starts typing
6. JavaScript sends an asynchronous XHR to the service
7. Service application returns XML
8. Script receives the data and updates the DOM
9. User's page is updated without interruption
JavaScript and the DOM

JavaScript
- Object-oriented interpreted language
- Built into most browsers
- Quite powerful, but can be slow
- Scripts, objects, functions and variables live in the page's global scope alongside the DOM, and are reachable from any script running in the page

Document Object Model (DOM)
- Collection of objects which describes the current page
- Can contain objects which are not visible: data, scripts, variables

Ajax client code is always visible to the user
- Need to protect confidential business logic
- Need to protect confidential and personally identifiable information
XMLHttpRequest (1 of 3)

XMLHttpRequest
- The key to Ajax
- Allows asynchronous HTTP requests to the server from JavaScript
- Originated with Microsoft's Outlook Web Access team and first shipped as an ActiveX control in Internet Explorer 5 (1999)

Google Maps
- Caches about-to-be-seen map tiles

Yahoo Search
- Predictive search suggestions

vBulletin
- Sends new posts to the server without a page refresh
XMLHttpRequest (2 of 3)
- Available in all major browsers
- JavaScript talks to the server asynchronously, in the background
- The browser's navigation model does not see the page's JavaScript talking to the server
- Back/Forward buttons do not do what you expect, because the browser doesn't know about JavaScript's communications
- The normal visual cues that activity is going on are missing
XMLHttpRequest (3 of 3)

    var httpObj;

    function reloadContents() {
        httpObj = new XMLHttpRequest();
        httpObj.onreadystatechange = handleReloadContents;
        httpObj.open("GET", "/GetContentsServlet", true);   // true = asynchronous
        httpObj.send(null);
    }

    function handleReloadContents() {
        // readyState 4 ("complete" in old IE) means the response has arrived
        if (httpObj.readyState == 4 || httpObj.readyState == "complete") {
            var cell = document.getElementById("mainBody");
            // The response body is written into the page as HTML, so whatever
            // the server returns (including any injected markup) lands in the DOM
            cell.innerHTML = httpObj.responseText;
        }
    }
Ajax: Another HTTP Technology

    function reloadContents() {
        httpObj = new XMLHttpRequest();
        httpObj.onreadystatechange = getAjaxData;
        httpObj.open("GET", "/GetContentsServlet", true);
        httpObj.send(null);
    }

On the wire, that call is an ordinary HTTP request:

    GET http://maps.google.com/GetContentsServlet HTTP/1.0
    Accept: */*
    Referer: http://maps.google.com/
    Accept-Language: en-us
    Proxy-Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
    Host: maps.google.com
    Cookie: PREF=ID=8e2690f29f4050c8:TB=2:TM=1142526213;

Flash, Ajax, all RIA technology… it's the same stuff!
The Browser "Same Origin" Policy

(Diagram: pages from www.mybank.com and investorsblog.net each make XHR calls and load script TAGs; the JS loaded by investorsblog.net is not allowed to touch the www.mybank.com document or its cookies.)

A script can only interact with browser resources (cookies, DOM, JavaScript) of a page whose origin (scheme, host and port) is exactly the same as its own. The path is not part of the origin: two pages on the same site share an origin regardless of URL path.
Same Origin Policy Restrictions

The same origin policy protects against evil sites seeing your cookies and data
- XMLHttpRequest is also restricted by the same origin policy

However, mash-ups and other business models want to interact with other sites, so they need to get around the same origin policy
- Flash has support for this today (crossdomain.xml)
- Proposed extension: JSONRequest
- Firefox 3.0 may have native support using JSONRequest
- Many Ajax toolkits use browser quirks to get around same origin policy restrictions (typically IFRAMEs)
- The same effect can also be emulated via server-side proxies

Do not violate same origin policy restrictions
- Unless sending or receiving public, unclassified data
Demonstration: Firebug
Security in Web 1.0 and Web 2.0

All the Ajax technology is available in the browser
- It's available even when you're using a Web 1.0 application
- Attackers are already using JavaScript and XmlHttpRequest

Web 1.0 applications are exposed to significantly increased risk because of Ajax technology, particularly through XSS
- XSS is the #1 threat on the OWASP Top Ten (87% of websites)
- XSS is no longer about stealing cookies
- XSS allows complete browser takeover
- Widespread CSRF (99% of websites)
- Attackers can remotely control your browser using your credentials

Web 2.0 applications have all the same risks as Web 1.0
- And they add several new risks which we cover in this class
Rule #1 (Does Not Change)
Rule #1: Never trust anything from the HTTP request
Principle: All Web 1.0 Security Principles Still Apply

Ajax only adds a few new issues
- Direct content replacement
- JSON injection
- XML injection

Does not fix any of the previous critical security areas:
- Authentication: must be performed server side
- Access control: direct object references, forced browsing
- Session management: collaboration between server and client
- Input validation: must be validated on the server
- Accountability (logging, error handling, auditing)
- Cryptography: must have private keys on the server
XSS and CSRF Review
XSS – Review: Cross Site Scripting

Cross-Site Scripting (XSS) is a vulnerability which allows the attacker to insert arbitrary HTML and JavaScript into the DOM of a page served by the victim site, where it runs with that page's origin.
Has surpassed buffer overflow as the #1 reported vulnerability class.
XSS – Illustrated

http://www.boi.com
Search-field input is often reflected back to the user. Submitting the search term

    <script>alert(document.cookie)</script>

makes the site reflect the script back to the user, where it executes and displays the session cookie in a pop-up.
XSS Protection – Server Side Validation and Encoding

Server side validation and encoding is critical
- Examine each external system for interpreters
- Know the interpreters: HTML, JSON, XML, XPath, XSLT, LDAP, SQL, OS shell, etc.
- Ensure input validation and output encoding for each one
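The reflected-search case from the two slides above, as an added example that is not part of the course material: the same search term rendered by string concatenation (the vulnerable pattern) and rendered through an HTML entity encoder. The function names and the two constructed payloads are assumptions for the demo; nothing here is an actual boi.com page.

```javascript
// Added example (not from the course): a reflected search term rendered
// into HTML by concatenation versus encoded for the HTML context first.
// Function names and the constructed payloads are assumptions for this demo.

// Vulnerable: the term is spliced straight into markup in two places. A
// term containing a <script> tag, or one that closes the value="" quote,
// is reflected verbatim and interpreted by the browser.
function renderSearchVulnerable(term) {
  return '<p>Results for: ' + term + '</p>' +
         '<input type="text" name="q" value="' + term + '">';
}

// Output encoding for HTML element content and quoted attribute values:
// every character that can begin markup or end an attribute is replaced
// with an entity, so the browser displays the term instead of parsing it.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, function (ch) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;',
             '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' }[ch];
  });
}

// Fixed: same page, with the term encoded at each point it is written out.
function renderSearchSafe(term) {
  const safe = encodeForHtml(term);
  return '<p>Results for: ' + safe + '</p>' +
         '<input type="text" name="q" value="' + safe + '">';
}

// Rough stand-ins for what the HTML parser would see: script start tags,
// and an event-handler attribute that escaped the quoted value.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}
function hasInjectedEventHandler(html) {
  return /\s+on\w+\s*=\s*"/i.test(html);
}

// Constructed attacker inputs, one per context
const SCRIPT_PAYLOAD = '<script>alert(document.cookie)</script>';
const ATTRIBUTE_PAYLOAD = '" onmouseover="alert(document.cookie)';
```

Encoding happens at output time and per context: the same `encodeForHtml` is adequate for element content and for double-quoted attribute values, but a term written into a JavaScript string, a URL or a CSS value needs the encoder for that interpreter instead.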
MySpace Worm

MySpace XSS Worm - Oct 2005
- Developed by 'Really Smart' 19 year old named Samy
- Introduced an XSS script into his own profile
- When a victim viewed his profile, the attack
  » added Samy as a friend and 'samy is my hero' to the victim's profile
  » and infected the victim's profile with the same XSS script
- "In MySpace's defense, they did a great job of blocking malicious code, JavaScript, etc. The reason I was still able to get JavaScript past their filters is by using browsers' leniencies."

The exploit
- Anyone viewing Samy's profile was infected – spreads geometrically
- Used 'java\nscript' since 'javascript' was filtered out, String.fromCharCode(34) to generate a double quote, etc.
- 10 hours: 560 friends; 13 hours: 6,400 friends; 18 hours: 1,000,000 friends; 19 hours: entire site is down. Took 3 days to get the site fully operational again.
CSRF – Review: Cross-Site Request Forgery

(Diagram: the legitimate wizard flow at bank.com, Go to Transfer Assets, Select FROM Fund, Select TO Fund, Select Dollar Amount, Submit Transaction, Confirm Transaction, is a sequence of requests of the form https://bank.com/fn?param=1. An attacker's post at blog.net causes the victim's browser to issue the same sequence of requests.)
CSRF – How Does It Work?

Tags

    <img src="https://bank.com/fn?param=1">
    <iframe src="https://bank.com/fn?param=1">
    <script src="https://bank.com/fn?param=1">

Autoposting Forms

    <body onload="document.forms[0].submit()">
    <form method="POST" action="https://bank.com/fn">
      <input type="hidden" name="sp" value="8109"/>
    </form>

XmlHttpRequest
- Subject to the same origin policy
CSRF – Credentials Included

(Diagram: a page from blog.net triggers a request for https://bank.com/fn?param=1; the browser automatically attaches the bank.com session cookie, JSESSIONID=AC934234…, so the request arrives at bank.com authenticated.)
Tool: OWASP CSRFTester

Test your applications for CSRF
- Record and replay transactions
- Tune the recorded test case
- Run the test case with the exported HTML document

Test case alternatives
- Auto-posting forms
- Evil iFrame
- IMG tag
- XMLHTTPRequest
- Link
CSRF Consequences

Anything an authenticated user can do
- Click links
- Fill out and submit forms
- Follow all the steps of a wizard interface

No restriction from the same origin policy, except…
- Attackers cannot read responses from other origins
- Limited on what can be done with data

Severe impact on accountability
- Log entries reflect the actions a victim was tricked into executing
CSRF Attacks on Intranet

(Diagram: a page from attacker.com, loaded in a browser inside the corporate network, embeds a TAG pointing at internal.mybank.com; the internal site allows the request because it comes from an internal browser.)
CSRF Defenses that Don't Work

Only accept POST
- Stops simple link-based attacks (IMG, frames, etc.)
- But hidden POST requests can be created with frames, scripts, etc.

Referer checking
- Some users suppress referers, so you can't just require referer headers
- Techniques to selectively create HTTP requests without referers exist

Requiring multi-step transactions
- A CSRF attack can perform each step in order

URL rewriting
- General session id exposure in logs, cache, etc.

None of these approaches will sufficiently protect against CSRF!
Tool: OWASP CSRFGuard 2.0
http://www.owasp.org/index.php/CSRFGuard

Adds a token to:
- href attribute
- src attribute
- hidden field in all forms

Actions on a missing or invalid token:
- Log
- Invalidate
- Redirect
Ajax Frameworks
Why Frameworks?

Three broad categories

Frameworks
- Lots of good looking GUI components and effects
- May have hidden security defects
- Difficult to verify
Single Page Interfaces

Many Ajax frameworks use a single page interface (SPI)
- Examples: Backbase, Tibco General Interface (GI), Google Maps

Single page interfaces
- Run without changing the URL
- Do not support the "back" button
- Do not support bookmarking pages or functions
- May be confusing to users expecting a traditional web page

Blurs the line between web and rich-client applications
- Often called "Rich Internet Applications" (RIA)
- Danger comes from moving more functionality into the client
Multi Page Interfaces

Multi page interfaces
- Similar to traditional web applications
- Browser loads HTML and enabling scripts for each URL
- Used to Ajax-enable existing applications

Advantages
- Allows use of bookmarks
- Allows use of back button (good)
- Maintains accessibility (ADA compliance)
- Allows slow loading components to work in the background whilst the overall site feels snappy
- Keeps more control on the server

Example: CNN Local Weather/News uses Ajax asynchronous content replacement to update content dynamically
ASP.NET Ajax (Codename Atlas)

Microsoft's Ajax framework
- Free download for Visual Studio 2005: http://www.asp.net/ajax
- Included in VS 2008

Contains
- Asynchronous comms
- Timers
- Extensive DHTML controls
- Non-visual control library
- Web services
- Localization
- Debugging and tracing
Google Web Toolkit

Powers Google Maps, Gmail, and iGoogle
- Free download: http://code.google.com/webtoolkit

Java based
- Compiles Java to JavaScript

Provides
- Asynchronous RPC
- Browser history management
- Widget library
- Debugging and JUnit
- Internationalization
- Hooks into Google Gears for local storage
Dojo, YUI, Backbase and Other UI Toolkits

Many toolkits focus on just the user interface
- Backbase
- Dojo
- Prototype / Scriptaculous
- YUI

Use for resurfacing
- Adding a thin shim of Ajax to an existing application
- Combine with your own custom Ajax layer, or mix with other toolkits
Hybrid Toolkits

Dynamic "rich" web sites using Flash-like browser plug-ins

Leverages web technologies
- HTTP, XHR, HTML
- XML for data transfer
- Apps typically written in a scripting language
- Bi-directional communications

Most hybrid toolkits require significant design capability
- Provide exacting control of design elements
- Use advanced tools such as Dreamweaver MX or Photoshop CS3
- Suit design-heavy applications such as brochureware or games
Hybrid Toolkits and Same Origin

Nearly all allow violation of the Same Origin Policy
- Developers can write apps that connect to multiple data sources
- Trusts the rich client not to mix up the data
- Assumes the client does not contain vulnerabilities

Danger
- Allows attackers to write malicious applications
- Can access data in the DOM from other origins
Choosing a Framework

Ajax allows web applications to approach traditional desktop applications in capability and features
- Although challenging, it is possible to write a secure Ajax application
- Ajax has all the old web application security issues and a few new ones

Critical success factors
- Choose the best Ajax framework based upon your needs
- Analyze the framework and create an installation / hardening guideline
- Perform risk-based security analysis during architecture and design
- Create security standards and guidelines to guide developers
- Perform security testing
Exploring the Ajax Attack Surface
Know the Attack Surface of Your Application

(Diagram: the attack surface of a traditional application compared with that of an Ajax application.)
Principle: Browser Is Untrusted

Ajax runs code within the untrusted browser
- Ensure Ajax code running on the client does not require trust
- Segregate code for different roles

Implementation
- Verify all the code you include in your application
- Do not allow importing external code

Authorization
- Access control checks like isAdmin() or isUserInRole() can only be safely performed on the server
- Data layer access control can only be enforced on the server

Encryption
- Cannot be performed on the client in a way that prevents the client from accessing the keys, algorithm, and plaintext
Client-Server Trust Boundary

There are many trust boundaries in modern applications
- Browser to web app server
- Web app to data repository
- Mash-up data feed
- Back office partners
- Mainframe batch

Perform threat modeling
- Data classification
- Business risks
- Trust boundaries

Apply critical security controls
Client-Server Trust Boundary: Frameworks

Some frameworks blur the distinction between server and client code
- Google Web Toolkit
- Microsoft Ajax toolkit

GWT compiles Java into JavaScript
- Hides details of the generated JavaScript
- May not be clear to developers what exactly is happening

Challenges
- Where is the code running?
- Where are the security critical decisions being made?
- Where is critical data being stored?
Client-Server Trust Boundary: GWT

Google Web Toolkit (GWT)
- Runs most of the Google Ajax library: Gmail, Google Maps, Analytics
- Written in Java, compiles Java to JavaScript
- Provides a number of services and basic widgets

Design your applications
- It should be crystal clear what is client code and what is server code
- Resist the temptation to compile as much as possible for the client
- Ensure authorization and business logic stay on the server
Problems Scanning Ajax

Ajax makes scanning difficult
- Entire application runs within a single URL
- Services are invoked with XHR
- Data formats are custom, not like HTTP name=value pairs
- Many custom frameworks, all very different

Sprajax for ASP.NET Ajax: too specialized to be generally useful
Exercise: Tracing Ajax Traffic
Principle: Avoid Security Through Obscurity

Security should not rely on keeping details hidden
- Assume the user can guess/reconstruct your application information
  » Database structure, field names, data types, etc.
  » Information contained in cookies or tokens
  » 3rd party products used in the application
  » Location of application files

Acknowledge that potentially hostile parties may have access to your application source code at some point
- Ex-employees, internal employees (that have been paid to do malicious deeds), outsourced developers / consultants / contractors
- Customers and partners (via service/maintenance agreements), competitors (via all of the above)
- Insiders may access code in CM, on developer machines, in test environments, etc.
Protocols: REST vs. SOAP

REST
- Simple HTTP GET requests with XML or JSON in the response
- Doesn't support complex authentication or authorization

    GET http://ajax.com/getData HTTP/1.0
    Accept: */*
    Referer: http://ajax.com/
    Accept-Language: en-us
    Proxy-Connection: Keep-Alive
    User-Agent: Mozilla/4.0
    Host: ajax.com
    Cookie: JSESSIONID=9ABF9B823A874823A874

    HTTP/1.1 200 OK
    Content-Type: text/xml
    Date: Wed, 03 Nov 2004 23:31:00 GMT
    Server: Apache Coyote/1.0
    Connection: close

    <books>
      <book>
        <title>JavaScript Guide</title>
        ...

SOAP
- Full web services with WS-Security and WSDL
- XML for request and response
- Standards compliance
- Re-use of existing SOA infrastructure and services
- Lots of JavaScript code for complete web service support
- Discovery: http://example.com/soa/myService.asmx?WSDL

    POST /webservices/getData HTTP/1.1
    Host: ajax.com
    Content-Type: text/xml
    Content-Length: 140
    Cookie: JSESSIONID=9ABF9B823A874823A874

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope>…
      <soap:Body>
        …xml parameters…

    HTTP/1.1 200 OK
    Content-Type: text/xml
    Date: Wed, 03 Nov 2004 23:31:00 GMT
    Server: Apache Coyote/1.0
    Connection: close

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope>…
      <books>
        <book>
          <title>JavaScript Guide</title>
          ...
Data Formats: XML

XML is a human readable data exchange format
- Widely used by traditional web services
- Often used by Ajax apps to send data back to the client

    <?xml version="1.0"?>
    <memories xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <memory tapeid="23412">
        <subdate>5/23/2001</subdate>
        <donor>John Baker</donor>
        <subject>Fishing</subject>
      </memory>
      <memory tapeid="23692">
        <subdate>8/01/2001</subdate>
        <donor>Liz Davison</donor>
        <subject>Beach</subject>
      </memory>
    </memories>

Advantages
- Data island: separates logic and data
- Can be validated using XSDs
- Is searchable by XPath
- Can be used with XSL style sheets to directly present data (such as reports)

Disadvantages
- Difficult to create by hand – use an XML parser!
- Difficult to validate properly without first acting on the data
- XML injection possible
Data Formats: ATOM and RSS
Data Formats: JSON

JavaScript Object Notation
- Used widely by Ajax toolkits to interchange data
- Can be used to serialize / de-serialize JavaScript objects

    {"books":[{"book": {
        "title":"JavaScript Guide",
        "publisher":"O'Reilly",
        "author":"David Flanagan",
        "cover":"/images/cover_defguide.jpg",
        "blurb":"Lorem ipsum."
    } }, ...

Very lightweight – can be as simple to use as

    var data = eval('(' + req.responseText + ')');
    eval(jsondata);   // Dangerous!

eval() runs the response as JavaScript, not as JSON; modern browsers provide JSON.parse(), which accepts only data and rejects anything else.

JSON Injection
- JSON makes it difficult to keep data and code separate
- Including user input in JSON data may allow arbitrary code to execute in the browser, or arbitrary data to be sent to the browser
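XML injection and JSON injection, from the two data-format slides above, side by side as an added example that is not part of the course material: each response first built by string concatenation (injectable) and then built with escaping or a real serializer. The function names, the constructed attacker inputs and the `globalThis.jsonInjected` flag used to observe code execution are assumptions for the demo.

```javascript
// Added example, not from the course: XML and JSON responses built by
// string concatenation (injectable) versus with escaping / serialization.
// Function names, sample inputs and the observer flag are assumptions.

// --- XML ------------------------------------------------------------------
// Vulnerable: untrusted text dropped straight into markup; a donor name
// containing tags adds elements the application never intended to emit.
function memoryXmlNaive(tapeid, donor, subject) {
  return '<memory tapeid="' + tapeid + '"><donor>' + donor +
         '</donor><subject>' + subject + '</subject></memory>';
}

// Escape the five XML metacharacters so text can never start markup.
function escapeXml(s) {
  return String(s).replace(/[<>&"']/g, function (c) {
    return { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&apos;' }[c];
  });
}

function memoryXmlSafe(tapeid, donor, subject) {
  return '<memory tapeid="' + escapeXml(tapeid) + '"><donor>' + escapeXml(donor) +
         '</donor><subject>' + escapeXml(subject) + '</subject></memory>';
}

// Number of <donor> elements an XML parser would see in the output
function countDonorElements(xml) {
  return (xml.match(/<donor>/g) || []).length;
}

// Constructed attacker input for the XML case
const EVIL_DONOR = 'Bob</donor><donor>Mallory';

// --- JSON -----------------------------------------------------------------
// Vulnerable: JSON text assembled by hand and consumed with eval() as on the
// slide. eval runs JavaScript, not JSON, so the "data" can carry code.
function bookJsonNaive(title) {
  return '{"book": {"title": "' + title + '"}}';
}

function parseWithEval(jsonText) {
  return eval('(' + jsonText + ')'); // Dangerous: executes any embedded code
}

// Safe: JSON.stringify escapes quotes, backslashes and control characters,
// and JSON.parse rejects anything that is not pure data.
function bookJsonSafe(title) {
  return JSON.stringify({ book: { title: title } });
}

// Constructed attacker input: closes the string and adds a key whose
// "value" is an assignment expression that runs when eval'd.
const EVIL_TITLE = 'x", "pwn": (globalThis.jsonInjected = true), "y": "';

function demoJson() {
  globalThis.jsonInjected = false;
  const naive = bookJsonNaive(EVIL_TITLE);
  parseWithEval(naive);                      // side effect: the assignment runs
  const executedViaEval = globalThis.jsonInjected === true;

  let jsonParseRejects = false;
  try { JSON.parse(naive); } catch (e) { jsonParseRejects = true; }

  const roundTrip = JSON.parse(bookJsonSafe(EVIL_TITLE)).book.title === EVIL_TITLE;
  return { executedViaEval, jsonParseRejects, roundTrip };
}
```

The two halves fail differently: injected XML adds or reshapes elements that the consumer then trusts, while injected JSON fed to eval() is code execution in the victim's browser. The fix is the same shape in both cases: never assemble the format by hand from untrusted strings, and parse with a parser that only accepts data.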
JavaScript Proxy Services

Some sites try to get around the same origin policy by using a JavaScript proxy service: the browser calls Site A (running the proxy), which fetches from Site B on its behalf

Risks
- Dangerous if Site B can be arbitrarily chosen by the caller
- Cross-domain remote code execution
- Information disclosure
- Potential for cross-site scripting and request forgery
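The origin comparison from the Same Origin Policy slides, reused to constrain the proxy just described, as an added example that is not part of the course material: `originOf` computes the (scheme, host, port) triple the browser compares, and `proxyMayFetch` uses the same triple to allow-list the targets a proxy service will fetch so that Site B cannot be arbitrarily chosen. The function names and the two allow-listed hosts are assumptions for the demo.

```javascript
// Added example, not from the course: computing a browser "origin" the way
// the same origin policy does (scheme, host, port), and reusing that to
// allow-list the targets a JavaScript proxy service may fetch on behalf of
// a page. Names and the allow-list entries are assumptions for this demo.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Returns the origin of a URL as "scheme://host:port". Path, query and
// fragment are deliberately ignored: they are not part of the origin.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return u.protocol + '//' + u.hostname + ':' + port;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Proxy allow-list: only these origins may be fetched through the proxy, so
// a caller cannot point it at an internal host or an attacker's server.
const PROXY_ALLOWED = new Set([
  originOf('https://api.partner.example'),   // assumed partner feed
  originOf('https://feeds.example.net'),     // assumed second feed
]);

// Decide whether the proxy may forward to `target`. Parsing the URL rather
// than prefix-matching the string defeats lookalikes such as
// https://api.partner.example.evil.test and
// https://api.partner.example@evil.test (userinfo before the real host).
function proxyMayFetch(target) {
  let u;
  try { u = new URL(target); } catch (e) { return false; }   // not a URL at all
  if (u.username || u.password) return false;                // userinfo trick
  if (u.protocol !== 'https:') return false;                 // no http:, file:, etc.
  return PROXY_ALLOWED.has(originOf(u.href));
}
```

Note what the allow-list keys on: a non-default port or a different scheme makes a different origin, which is exactly why `https://api.partner.example:8443/` is refused even though the host matches.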
Ajax and the Application Attack Surface

Ajax applications nearly always increase the attack surface
- New services
- New data structures
- New protocols
- New client-side code
Consider Common Vulnerabilities

Ajax requires a (slightly) different architecture
- Use the Ajax-enabling process to revisit old flaws
- Fix the really bad ones

Most of the old issues still exist
- First steps: look for the OWASP Top 10 2007
- Long term: use the OWASP Guide to build secure software

New issues exist with Ajax
- Client side storage (offline persistence)
- JSON and XPath injections
- Client-side data issues (DOM, no secure strings, and so on)
- Cross-domain requests
- Mash-ups and privacy
How Attackers See Ajax Apps

(Diagram: the client-side application and the server-side service, each also talking to 3rd party services. Attack points are sniffing, interception and tampering of the traffic; attacks on the client; attacks on the server; attacks on local hosts and networks; and chained attacks on other services or other clients.)
Conclusion

The Ajax attack surface is complex and very new

Pros
- Allows sites to be responsive and rich
- Develop new kinds of applications (e.g. iPhone apps)

Pitfalls
- Old Web 1.0 security issues have not gone away
- New Ajax issues
  » Increased attack surface and architectural issues
  » New injection issues – XML, JSON, XPath, and more
  » More code on the client
- The rich toolkits have arrived (Adobe AIR, Silverlight, JavaFX)
  » The security of these toolkits is not yet understood
Key Ajax Security Controls
Authentication - Roadmap
Using SSL

OWASP Top 10: Insecure Communications

Secure Sockets Layer (SSL)
- Use SSL v3 or later, or Transport Layer Security (TLS) 1.0 or later (both SSL 3.0 and TLS 1.0 have since been deprecated; today that means TLS 1.2 or later)
- Must use SSL everywhere, from the login form to the logout confirmation
- Do not support non-SSL requests
- Add the 'secure' flag to cookies to ensure their secrecy

Benefits
- Provides confidentiality to TCP/IP communications
- Protects requests in transit
  » GET URLs are still exposed in web server logs, browser history, bookmarks, cache, etc.

Certificates are low-to-no cost
- Avoid self-signed certificates
Implementing Ajax Authentication

Client-side authentication with Ajax is challenging compared to using simple form based authentication

Steps
- Gather credentials from user – may involve flashy Ajax components
- Store credentials in DOM – may happen automatically
- Send credentials to server – exposed in XmlHttpRequest
- Handle callback – attacker may be able to change their status in the client

Should your client-side Ajax code have a "logged in" state?
Best Practice: Authenticate on Server

Best practices
- Use AUTOCOMPLETE="off" in forms
- Use POSTs, not GETs, with XmlHttpRequest
  » Prevents browser caching
  » Prevents stray logs
- Avoid the DOM
  » Don't store usernames and passwords
- Do not encrypt on the client (use SSL instead!)
- Do not use predictive username searches
Best Practice: Session Management

Use only the standard session ID from the server
- Use the HttpOnly and secure cookie flags to prevent session ID access from scripts and sniffing

Do not use a separate session identifier for Ajax calls
- Custom session schemes are unnecessary and dangerous
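A check for the two cookie flags the slide calls for, as an added example that is not part of the course material: a small Set-Cookie parser and an audit that reports a session cookie issued without Secure or HttpOnly. The list of names treated as session cookies and the three sample headers are constructed assumptions for the demo, not captured from any server.

```javascript
// Added example, not from the course: auditing Set-Cookie headers for the
// Secure and HttpOnly flags on session cookies. The session-cookie names and
// the sample headers are constructed assumptions for this demo.
const SESSION_COOKIE_NAMES = new Set(['JSESSIONID', 'PHPSESSID', 'ASP.NET_SessionId']);

// Parse one Set-Cookie header value into { name, value, attrs }, with
// attribute names lower-cased (they are case-insensitive on the wire).
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq);
  const value = eq < 0 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i < 0 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i < 0 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Returns the problems found for a session cookie; empty if the cookie is
// not a session cookie or carries both flags.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const problems = [];
  if (!SESSION_COOKIE_NAMES.has(c.name)) return problems;
  if (!c.attrs.secure) problems.push('missing Secure: cookie is sent over plain HTTP and can be sniffed');
  if (!c.attrs.httponly) problems.push('missing HttpOnly: cookie is readable via document.cookie after XSS');
  return problems;
}

// Constructed sample headers (not captured from a real server)
const SAMPLE_HEADERS = [
  'JSESSIONID=AC934234; Path=/',
  'JSESSIONID=AC934234; Path=/; Secure; HttpOnly',
  'PREF=ID=8e2690f29f4050c8; Path=/; Secure',
];

function auditAll(headers) {
  return headers.map(h => ({ header: h, problems: auditSessionCookie(h) }));
}
```

Run `auditAll(SAMPLE_HEADERS)` against the Set-Cookie lines from a proxy capture of the login response; the first sample is the finding, the second is what the slide asks for, and the third is ignored because a preference cookie does not carry the session.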
Access Control - Roadmap
Implementing Ajax Access Control

Ajax access control
- Must be enforced on the server (like Web 1.0)
- Frequently overlooked for XHR communications

Best practices
- Always perform access control on the server
- Never trust information from the client in authorization decisions
- Ensure every server interface is protected

Challenges
- Including any authorization checks at all
- Forced browsing of Ajax calls and endpoints
- Direct object references
Spot the Bug: AJAX Access Control Weaknesses

Client:

    var isAdmin = false; // Modified by logging into the system

    function do_update_user() {
        document.getElementById("admin").innerHTML = "Processing form";
        x_do_update_user(isAdmin);   // sends the client's own isAdmin flag to the server
    }

Server:

    function do_update_user($isAdmin) {
        if ($isAdmin) {
            $mysql->query("UPDATE user SET admin=1");
            return "User updated";
        } else {
            return "Not authorized";
        }
    }

The bug: the server's only authorization check is a boolean supplied by the client. A user sets isAdmin = true in the browser (or calls x_do_update_user(true) directly) and the server grants the privilege.
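The handler from the Spot the Bug slide reworked the way the "Browser Is Untrusted" and "Implementing Ajax Access Control" slides require, as an added example that is not part of the course material: the vulnerable shape next to a version where the server decides admin status from its own session state and never reads a privilege flag from the request. The session store, the request shape and the array standing in for the database are assumptions for the demo.

```javascript
// Added example, not from the course: the "Spot the Bug" handler, vulnerable
// shape beside a fixed one where admin status comes only from the server-side
// session. Session store, request shape and the fake database are assumptions.

const sessions = new Map();   // sessionId -> { user, roles }
const queriesRun = [];        // stands in for the database

function login(sessionId, user, roles) {
  sessions.set(sessionId, { user, roles: new Set(roles) });
}

// Vulnerable shape from the slide: trusts the isAdmin parameter the client
// sent, so anyone who edits the client-side variable becomes an admin.
function doUpdateUserVulnerable(req) {
  if (req.body.isAdmin) {
    queriesRun.push('UPDATE user SET admin=1 WHERE id=' + Number(req.body.userId));
    return 'User updated';
  }
  return 'Not authorized';
}

// Fixed: complete mediation on the server. The role is looked up in the
// server-side session bound to the cookie; req.body.isAdmin is never read.
function doUpdateUserSafe(req) {
  const session = sessions.get(req.cookies.JSESSIONID);
  if (!session) return 'Not authenticated';
  if (!session.roles.has('admin')) return 'Not authorized';
  queriesRun.push('UPDATE user SET admin=1 WHERE id=' + Number(req.body.userId));
  return 'User updated';
}

// Demo: an ordinary user tampers with the client and sends isAdmin=true.
function demo() {
  login('sid-alice', 'alice', ['user']);          // ordinary user
  login('sid-root', 'root', ['user', 'admin']);    // administrator
  const tampered = { cookies: { JSESSIONID: 'sid-alice' }, body: { isAdmin: true, userId: 7 } };
  return {
    vulnerable: doUpdateUserVulnerable(tampered),
    safe: doUpdateUserSafe(tampered),
    admin: doUpdateUserSafe({ cookies: { JSESSIONID: 'sid-root' }, body: { userId: 7 } }),
    queries: queriesRun.length,
  };
}
```

The fixed handler also closes the "forced browsing" gap from the access-control slide: the check runs on the server for every call to the endpoint, so it does not matter whether the client code that calls it was ever sent to this user.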
Page 71 Š
A S P E C T S E C U R I T Y, I N C.
APPLICATION SECURITY SPECIALISTS
ANALYSIS
|
TRAINING
|
PROCESS
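The bug is that the server decides on a flag the client sent. As an added example (not the course's code), here is the same handler in Node.js in its vulnerable form and in a fixed form that reads the role from the server-side session; the session store, the request shape ({ cookies, body }) and the `executed` stand-in for the database are constructed for this illustration.

```javascript
// Added example, not the course's code: the update handler from the slide written
// two ways in Node.js. The session store, the request shape ({ cookies, body }) and
// the `executed` stand-in for the database are constructed for this illustration.
const sessions = new Map(); // server-side session store: sessionId -> { user, isAdmin }
sessions.set('s-guest', { user: 'guest', isAdmin: false });
sessions.set('s-admin', { user: 'alice', isAdmin: true });

const executed = []; // statements that would have been sent to the database

// Vulnerable: the authorization decision hinges on a flag that came from the browser.
// Whatever the page's JavaScript did with isAdmin, the XHR body can carry isAdmin=true.
function updateUserVulnerable(req) {
  if (req.body.isAdmin) {
    executed.push({ sql: 'UPDATE user SET admin=1 WHERE name=?', params: [req.body.target] });
    return 'User updated';
  }
  return 'Not authorized';
}

// Fixed: the role is read from the server-side session selected by the session cookie.
// The request body supplies data (which user to update), never privilege.
function updateUserFixed(req) {
  const session = sessions.get(req.cookies.sessionId);
  if (!session || !session.isAdmin) {
    return 'Not authorized';
  }
  executed.push({ sql: 'UPDATE user SET admin=1 WHERE name=?', params: [req.body.target] });
  return 'User updated';
}

// A guest who edits the XHR body to claim admin rights:
const forged = { cookies: { sessionId: 's-guest' }, body: { isAdmin: true, target: 'guest' } };
console.log(updateUserVulnerable(forged)); // User updated
console.log(updateUserFixed(forged)); // Not authorized
```

Note that the fixed version also scopes the UPDATE with a WHERE clause and a bound parameter; the slide's version updates every row, which is a second bug worth spotting.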
How to Avoid Exposing Privileged Functions in Client Side Code

Privileged functions include:
- Admin interfaces
- Role based interfaces (initiator, approver)
- Limits based interfaces (buyOver10k, buyOver10m)

Only send code that the user is authorized for:
- Don't send unused client-side code which calls privileged functions
- Use proxy façades to manage API exposure

Always enforce access control on the server:
- Use complete mediation so that even if the API is reverse engineered, nothing bad happens
Creating Separate Applications By Role

Create separate client Ajax applications for each role:
- Prevents leaking the admin interface to ordinary users
- Consider separate initiator and approver applications for the highest risk applications

Create a separate server application for administrators:
- Can be restricted by firewall rules to internal, authorized users
- If anything goes wrong, far fewer users are exposed
Principle: Minimize Attack Surface

Ajax frameworks encourage moving code to the client:
- Moving too much increases your attack surface
- Prefer XML over JSON where the client consumes the response with eval(): XML goes through a parser and cannot carry executable code, whereas anything an attacker injects into eval()'d JSON is code
- Reduce the amount of JSON delivered

Attack surface reduction best practices:
- Consider using Ajax client libraries but building your own server components
- Architect your application to run primarily on the server with minimal Ajax client side helpers
- If you use a large framework or library, only include those elements you actually use
- Choose well known, robust frameworks which have fixed their security issues promptly, and/or have few issues despite being well known
Increased Exposure of Services

Before, attackers could only attack through the inputs passed to the backend services. Now attackers can talk directly to what used to be the backend service, opening up the attack surface. A request captured in an intercepting proxy shows everything the client code sends, ready to be replayed or tampered with:

    POST /UserContentAjaxServlet HTTP/1.1
    Accept: */*
    Referer: http://maps.google.com/
    Accept-Language: en-us
    Proxy-Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
    Host: maps.google.com
    Cookie: PREF=ID=8e2690:TB=2:TM=1142526213;

    uid=101&pwd=101test&s1=yes&msg=Error+85

Your firewall is no longer protecting your critical services!
Preventing Forced Browsing

OWASP Top 10: Failure to Restrict URL Access

Forced browsing is a simple attack: guess or modify a URL and see whether the server serves it
- www.mysite.com/users/getAccount
- www.mysite.com/admin/getAccount

Not all requests come from a "browser":
- Attackers can easily generate unwanted GET and POST requests with a proxy or a script, so hiding a link or disabling a button is not a control

Preventing forced browsing requires:
- Access control on every access point
- Access control rules derived from secure business requirements
- Session state held in trustable server-side controls

NOTE: Authorized users will always be able to force browse; the goal is that they only ever reach what they are authorized for
Preventing Direct Object References

OWASP Top 10: Insecure Direct Object Reference

Direct object references refer to real things, like accounts, and are easy to attack: simply tamper with the reference.
- From
  » http://example.com/showAccount=1234
  » http://example.com/showPayslip=dave_wichers_1007.pdf
- To
  » http://example.com/showAccount=1235
  » http://example.com/showPayslip=jeff_williams_0907.pdf

Eliminating direct object references:
- Use an indirect object reference map
  » For account 1234 on the server, map to "1" on the client
- If there is only one account or report, do not send ANYTHING to the client at all; keep it in the server-side session
- Use data layer access control
  » SELECT * FROM accounts WHERE acctID = '1234' AND userID = 'example'
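As an added example (not the course's code), here is the indirect reference map and the data-layer check from the slide implemented in Node.js. The in-memory `accounts` table, the session objects and the function names are constructed for this illustration.

```javascript
// Added example, not the course's code: a per-session indirect reference map plus
// a data-layer ownership check, in Node.js. The in-memory `accounts` table, the
// session objects and the function names are constructed for this illustration.
const accounts = [
  { acctId: 1234, userId: 'dave', balance: 100 },
  { acctId: 1235, userId: 'jeff', balance: 250 },
];

// Built at login: real IDs stay on the server; the client only ever sees small
// opaque indices that are meaningful inside this one session.
function buildReferenceMap(session) {
  session.refMap = new Map();
  let next = 1;
  for (const account of accounts) {
    if (account.userId === session.userId) {
      session.refMap.set(String(next++), account.acctId);
    }
  }
  return [...session.refMap.keys()]; // what is sent to the client
}

// Resolve a client-supplied reference; anything not in this session's map is rejected,
// so tampering "1" into "2" or into a guessed real ID gets nowhere.
function resolveReference(session, clientRef) {
  const acctId = session.refMap ? session.refMap.get(String(clientRef)) : undefined;
  if (acctId === undefined) throw new Error('invalid reference');
  return acctId;
}

// Data-layer check as well: the lookup is scoped to the owner, the equivalent of
// "WHERE acctID = ? AND userID = ?", so a bug in the map cannot leak another user's row.
function showAccount(session, clientRef) {
  const acctId = resolveReference(session, clientRef);
  const row = accounts.find((a) => a.acctId === acctId && a.userId === session.userId);
  if (!row) throw new Error('not found');
  return row;
}

const demoSession = { userId: 'dave' };
console.log(buildReferenceMap(demoSession)); // [ '1' ]
console.log(showAccount(demoSession, '1').acctId); // 1234
```

The two checks are deliberately redundant: the map stops the client from naming objects it was never shown, and the owner-scoped lookup stops a mapping bug from turning into a disclosure.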
Principle: Don't Reveal Proprietary Logic

Proprietary business logic can be a competitive advantage:
- Exposing all your secrets may help competitors

Examples of applications that contain proprietary algorithms:
- Anti-fraud controls
- Insurance quotes
- Stock trading tools
- Commission calculators

Code should be written as though it will be disclosed:
- Externalize configuration data
- Externalize and encrypt credentials, certificates, and private keys
- Isolate items which are unique to your site
Protecting Sensitive Data - Roadmap
Principle: Protect Sensitive Data on the Client

Client-side data may include:
- Personally identifiable information (PII)
- Contractually or legally protected data

Such data should:
- Not be on the client unless absolutely necessary
- Not be cached (use no-cache headers)
- Not remain on the client for longer than absolutely necessary

The DOM is no more trustworthy than "hidden" form fields; both are fully under the user's control:
- Do not rely on security through obscurity
- Use integrity checks to detect client side tampering
- Do not accept data from the client which should not change (re-read it from the server-side record instead)
State Management

With the DOM, there are no secrets:
- Minimize the amount of information held in the DOM
- Minimize the amount of time information is held in the DOM

Handling credentials in the DOM and XHR:
- There are no "secure" strings in JavaScript
- Do not encrypt credentials or keep keys in the DOM

Consider the history of browser weaknesses:
- All browsers have had problems implementing cross-site protection
- Browser plugins can ignore security rules
- Keeping different sites segregated is an extremely difficult problem
Sending Too Much Data to the Client

Some Ajax frameworks encourage sending data to the client and then selecting nodes via XPath queries:
- This is Wrong™

Sending too much data to the client:
- Makes disclosure attacks trivial
- Stresses server CPU, disk, memory, and network

Send only rows the user:
- Is authorized to access
- Has an immediate need to see

Example of a response that ships the whole customer table, card numbers included:

    <customer> <name>Bill Lumbergh</name> <cc>123413248769</cc> </customer>
    <customer> <name>Peter Gibbons</name> <cc>555543129832</cc> </customer>
    <customer> <name>Milton Waddams</name> <cc>6547823788473</cc> </customer>
    <customer> <name>Michael Bolton</name> <cc>6547823788473</cc> </customer>
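As an added example (not the course's code), here is the "ship the table and filter in the client" pattern next to server-side selection, in Node.js. The rows are constructed from the slide's sample; the session shape ({ rep }), the ownership column and the page size are assumptions.

```javascript
// Added example, not the course's code: the "ship the table, filter in the client"
// pattern next to server-side selection, in Node.js. The rows are constructed from
// the slide's sample; the session shape ({ rep }) and page size are assumptions.
const customers = [
  { id: 1, owner: 'rep-a', name: 'Bill Lumbergh', cc: '123413248769' },
  { id: 2, owner: 'rep-b', name: 'Peter Gibbons', cc: '555543129832' },
  { id: 3, owner: 'rep-a', name: 'Milton Waddams', cc: '6547823788473' },
  { id: 4, owner: 'rep-a', name: 'Michael Bolton', cc: '6547823788473' },
];

// Wrong: everything goes to the browser and "authorization" is whatever the
// client-side XPath happens to select. A proxy shows all four card numbers.
function customersForClientFiltering() {
  return customers;
}

// Right: rows limited to what this user is authorized for and currently needs
// (one page), columns limited to what the screen shows. The card number is not
// in the projection, so it never leaves the server.
function customersForUser(session, page, pageSize = 2) {
  const authorized = customers.filter((c) => c.owner === session.rep);
  const start = page * pageSize;
  return authorized.slice(start, start + pageSize).map((c) => ({ id: c.id, name: c.name }));
}

console.log(customersForUser({ rep: 'rep-a' }, 0)); // [ { id: 1, name: 'Bill Lumbergh' }, { id: 3, name: 'Milton Waddams' } ]
```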
Exercise: Client Side Filtering
Client-Side Storage Options

Client side storage is used for:
- "Offline" mode
- Persistence of preferences, saved drafts, and so on
- None of these mechanisms is safe against data extraction: anything stored on the client can be read by anyone with access to the machine or to script running in the origin

Old technologies:
- Cookies: useful for about 4 KB of persistent storage per cookie
- DOM: page scope lifetime, limited by browser memory

Newer technologies:
- Flash cookies (Local Shared Objects): 100 KB per domain by default, more if the user allows it
- Google Gears: provides unlimited local storage via a client-side web server, database and browser integration. Dojo Offline sits atop Google Gears
- HTML 5 client-side databases: the SQL-like engine shipped in Safari 3 is Web SQL Database; HTML 5 Web Storage (localStorage) is a simpler key/value store
LAB: Insecure Client Storage
Using Encryption for Privacy

Local storage is not safe, because attackers can get at the contents.

Encryption may seem like a solution, but consider:
- How is the key transported safely?
- Is the key per user or per session?
- Once the key is on the client, misuse of the key cannot be prevented

Using encryption for access control suffers from the same issues:
- Replay attacks
  » The attacker supplies a known key and can read the contents
- Once the key is on the client, so is the attacker
  » The attacker uses the existing key and can read the contents
Validation - Roadmap
The Mashup Security Challenge

Mashups:
- Data from multiple sources combined
- Either on the server or within the client

Security problem:
- Data from any of the sources may contain code
- Any of the participants has full control of the application and all of its data

Alternative approaches:
- Do not perform mashups with uncontrolled entities
- Mashups must be governed by contractual terms and conditions
- Know how the other parties handle data before entering into any contracts
  » Use and correction
  » Retention and deletion
Mashups Example: Zillow.com

(diagram: financial data and map images, pulled from separate sources, combined in one page)
Widgets
Validating Rich Input

HTML is the worst mixture of code and data ... ever:
- Violates separation of data and code by design
- Browsers cannot distinguish data from code

Other markup languages, such as RSS feeds:
- RSS and other feeds are used for temporal notifications, such as blog posts, weather and Twitter updates
- There is nothing particularly trustworthy about this data
- Validate the data prior to storage and use
- Output encode it when it is rendered

Similarly, do not trust other data feeds:
- XML Web Services and SOA
- FTP and batch files
OWASP AntiSamy - Input Validation

AntiSamy:
- Uses a positive security model (a policy whitelisting the tags, attributes and CSS that are allowed) for rich input validation
- High assurance mechanism against XSS (and phishing) attacks
- Originally in Java; .NET port almost done, Python version in the works
- http://www.owasp.org/index.php/AntiSamy
Prevent Cross-Site Request Forgery (CSRF)

OWASP Top 10: Cross Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) is an attack in which:
- Nearly all applications are at risk: any request that the browser authenticates automatically (session cookie, HTTP authentication) can be forged from another site
- The victim blindly performs actions on behalf of the attacker

(diagram: the victim's browser, logged in to bank.com with JSESSIONID=AC934234..., visits investorsblog.net, which makes it request https://bank.com/fn?param=1 with that cookie attached)
CSRF and Ajax

Defending against CSRF:
- Many anti-CSRF mechanisms use random tokens that the attacker's site cannot know

Attackers can use stored XSS to bypass token-based defenses:
- The attack provides JavaScript that looks for these tokens in the page or the DOM
- It then uses the tokens in its forged requests, which now originate from the victim's own origin

The only complete solution is to prevent all XSS:
- Very difficult in traditional applications
- Even more difficult in Ajax applications
Using CSRF to Attack Internal Pages

(diagram: a page on attacker.com plants a CSRF tag; the internal user's browser, which is allowed to reach internal.mybank.com, carries the forged request to the internal site. The attacker never needs network access to the intranet; the victim's browser is already inside it.)
Demonstration: CSRF Attack
The Dangers of Evaluating Input

Many Ajax toolkits use JavaScript's eval():
- JSON requires it (or, in current browsers, JSON.parse(), which parses the data without executing it and should be used instead)

JSON has several formats:
- Most common is the array format
- Most dangerous is the array format (a bare array is a valid JavaScript program, so another site can include it with a <script> tag)

Avoid code in data by prefixing it with "safe" code:
- Surround it in comments: /* { 'data' : 'foo' } */
- Create a DoS: while(1); { 'data' : 'foo' }
- Throw an error: throw new Error("message"); { 'data' : 'foo' }
- Once received, trim the "safe" code out prior to eval

Various toolkits use one of these methods to prevent accidental or malicious eval() of JSON data.
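As an added example (not the course's code), here is the "safe prefix" idiom from the slide with the client checking and stripping the prefix and then using JSON.parse rather than eval, and, for contrast, what eval does with the same bytes once an expression has been injected. `while(1);` is the prefix the slide lists; the function names are assumptions.

```javascript
// Added example, not the course's code: the "safe prefix" idiom from the slide,
// with the client checking and stripping the prefix and then parsing with
// JSON.parse rather than eval. `while(1);` is the prefix the slide lists; the
// function names are assumptions.
const PREFIX = 'while(1);';

// Server side: emit the data behind the prefix, so that a <script src=...>
// inclusion of this resource by another site hangs instead of executing.
function serializeProtected(obj) {
  return PREFIX + JSON.stringify(obj);
}

// Client side: insist on the prefix (a response without it did not come from our
// serializer), trim it, then parse as data only. JSON.parse rejects anything that
// is not a literal, so injected expressions fail instead of running.
function parseProtected(text) {
  if (!text.startsWith(PREFIX)) throw new Error('missing safety prefix');
  return JSON.parse(text.slice(PREFIX.length));
}

// For contrast: what eval() does with the same bytes once an attacker has managed
// to get an expression into the response. Do not use this in an application.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

console.log(parseProtected(serializeProtected({ data: 'foo' }))); // { data: 'foo' }
```

The prefix defends against cross-site inclusion; JSON.parse defends against code hidden inside the data. The two are independent, and an application that strips the prefix and then calls eval has only the first.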
Lab: Dangerous Use of Eval
DOM Based Cross Site Scripting

An overlooked flavor of XSS (described by Amit Klein, July 2005):
- http://www.webappsec.org/projects/articles/071105.shtml

Similar to reflected XSS, except that it happens completely within the browser:
- http://vulnerable.com/index.html#name=<script>alert(document.cookie)</script>
- Notice the number sign (#) right after the file name?
- The attack payload is never sent to the server (the fragment stays in the browser), but it is accessible to JavaScript through document.URL

For example:

    <HTML><TITLE>Welcome!</TITLE>
    Hi
    <SCRIPT>
    var pos=document.URL.indexOf("name=")+5;
    document.write(document.URL.substring(pos,document.URL.length));
    </SCRIPT>
    <BR>Welcome to our system …</BR>
    </HTML>
DOM Based Cross Site Scripting - cont.

Primary offending DOM access commands; the sources an attacker controls:
- document.URL
- document.URLUnencoded
- document.location (and many of its properties)
- document.referrer
- window.location (and many of its properties)

And the sinks that turn that data back into markup or navigation:
- document.write()
- document.writeln()
- window.open()

Many such attacks have now been seen in the wild:
- Google Desktop
- Evite
- Non-public apps
DOM Based Cross Site Scripting Defenses

Primary:
- Simply avoid client side document rewriting, redirection, or other sensitive actions using client side data
- Most of these actions can be achieved by using dynamic pages (server side)

Secondary:
- If you must use such dangerous calls, perform client side validation of such parameters against a positive pattern before using them, e.g.

    <SCRIPT>
    var pos=document.URL.indexOf("name=")+5;
    var name=document.URL.substring(pos,document.URL.length);
    if (name.match(/^[a-zA-Z0-9]+$/)) {
      document.write(name);
    } else {
      window.alert("Security error");
    }
    </SCRIPT>
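As an added example (not the course's code), here is the fragment-based greeting from the slides handled safely: the value is read with the URL parser, validated against a positive pattern, and written through textContent instead of document.write. The URLs are constructed, and renderGreeting takes a minimal document-like object so that it can be run and tested without a browser (an assumption made for this demo).

```javascript
// Added example, not the course's code: the fragment-based greeting from the
// slides handled safely, in JavaScript. The URLs are constructed; renderGreeting
// takes a minimal document-like object (an assumption made so that the functions
// can run and be tested without a browser).
const SAFE_NAME = /^[A-Za-z0-9]{1,40}$/; // positive pattern: letters and digits, bounded length

// Read name=... from the fragment (or, failing that, the query) with the URL parser
// instead of indexOf/substring arithmetic on document.URL.
function nameFromUrl(url) {
  const u = new URL(url);
  const source = u.hash.startsWith('#') ? u.hash.slice(1) : u.search;
  return new URLSearchParams(source).get('name');
}

function isSafeName(name) {
  return typeof name === 'string' && SAFE_NAME.test(name);
}

// Write through textContent, never document.write or innerHTML, so even a value
// that slipped past validation is shown as text rather than parsed as markup.
function renderGreeting(doc, url) {
  const name = nameFromUrl(url);
  const target = doc.getElementById('greeting');
  target.textContent = isSafeName(name) ? `Hi ${name}` : 'Security error';
  return target.textContent;
}
```

In a real page this is called as `renderGreeting(document, document.URL)` with a `<span id="greeting"></span>` in the markup. Validation and a safe sink are used together on purpose: the pattern keeps junk out, and textContent means that a future relaxation of the pattern does not silently reopen the hole.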
Lab: DOM Based Cross Site Scripting
Protecting Against JSON Injection

JavaScript Object Notation is interpreted by using eval():
- eval() can run arbitrary JavaScript, exactly like XSS
- Injection into JSON coming to the browser is therefore extremely dangerous

Many frameworks use XML to move data:
- Attackers can inject XML fragments
- If commands are sent in XML, attackers can change behavior
- Bad XML can break parsers or include XSS

Need to protect the DOM from injection (and the JSON service from cross-site inclusion):
- Include a secret in the request so that the resource cannot simply be loaded from another site
- Force pre-eval processing of JSON data (check and strip the safety prefix, or better, parse with JSON.parse())
- Force POST requests, since a <script src=...> include can only issue GETs
- http://getahead.org/blog/joe/2007/04/04/how_to_protect_a_json_or_javascript_service.html
Clobbering Functions, Arrays, and Objects

JavaScript is object-oriented and dynamic:
- It allows previous definitions to be overridden at run time
- The attack is known as "clobbering"

Clobbering functions:
- Replaces your normal function() with the attacker's evil function() (think keylogger)
- Lets your classes and functions be silently bypassed

There is no way to prevent this attack, other than stopping all XSS:
- Minimize the data sent to the browser via JSON
- Minimize the data kept by the browser in the DOM
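As an added example (not the course's code), here is function clobbering as an injected script would do it. `app` and its login function are constructed stand-ins for application code, and `stolen` is where the attacker's script collects credentials.

```javascript
// Added example, not the course's code: function clobbering as an injected script
// would do it. `app` and its login function are constructed stand-ins for
// application code; `stolen` is where the attacker's script collects credentials.
const app = {
  login(username, password) {
    // stand-in for the real XHR to the server
    return username === 'alice' && password === 'secret';
  },
};

const stolen = [];

// Injected script: replace the function with a wrapper that records the arguments
// and then calls the original, so the application keeps working and nothing looks wrong.
function clobberLogin(target) {
  const original = target.login;
  target.login = function (username, password) {
    stolen.push({ username, password });
    return original.call(this, username, password);
  };
}

clobberLogin(app);
console.log(app.login('alice', 'secret')); // true, and stolen now holds the password
```

Freezing `app` with Object.freeze() would stop this particular reassignment, but a script running in the origin can equally hook the XMLHttpRequest object, the form's submit handler or the key events, which is why the slide's only real answer is preventing XSS.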
Clobbering Arrays and Objects

Clobbering Array() and Object():
- JavaScript native data types can be overridden
- Allows the contents of arrays and objects to be stolen when a JSON array is loaded as a script from another site
- Like rootkits for the browser

Redefine the Array constructor:

    function Array() { alert("hi"); }

Browsers that implement ECMAScript 5 or later no longer invoke a user-defined Array for array literals, so this particular trick does not work in current browsers; the prefix and POST-only defenses on the previous slides still apply, because they also stop the other cross-site inclusion tricks.
Clobbering Cascading Style Sheets

Changing CSS via the DOM or XSS is easy to do:
- Allows attackers to replace your username / password DIV with theirs
  » Commonly used by phishers to make their attacks look more believable
- Warning messages can be overwritten with opaque blocks

Prevention:
- Include the real style sheet just prior to </body>, so it is applied after anything injected earlier in the page (a mitigation only: injected inline styles and !important rules still win the cascade)
- Validate data that gets shown on screen
- Output encode all data to prevent XSS or presentation layer attacks
Browser Vulnerability: Clickjacking

The attack uses multiple layers:
- The page to be attacked is put in a transparent layer
- The transparent layer is then put on top of a bogus page
- When the user tries to click on the bogus page, they actually click on the transparent layer

Example:
- The user clicks on a button for a "free iPod" but instead unknowingly clicks on "delete all messages" in the invisible layer

Defenses:
- Frame-busting script: <script>if (top!=self) top.location.href=self.location.href</script>
  » Script-based busting can be defeated (for example by a sandboxed iframe that disables scripts), so do not rely on it alone
- X-FRAME-OPTIONS header (IE8 only when this course was written; now supported by all major browsers, with the DENY and SAMEORIGIN values)
Conclusion

Ajax applications can be secured.
Process: Ajax Development Best Practices

2008-Q401
Ensure Framework and Widgets Don't Have Flaws

Frameworks are like any other piece of software:
- Badly written code: 1 defect per 10-100 lines of code
- Well written code: 1 defect per 1000 lines of code
- Some defects are security issues

Frameworks usually have a lot of code:
- Therefore, frameworks will always have security defects

Ask the framework vendor:
- For the source, or choose an open source toolkit
- For any security reviews, or look at their security pages

Penetration test the framework:
- Create a simple application using common controls
- Do not do any encoding or validation
- Determine if the code has XSS or other issues
Don't Assume Security Is Properly Implemented

Most Ajax toolkits were developed when:
- Very little security advice was available (little existed until late 2007)
- Most Ajax books and websites still have unsafe snippets and examples

Most Ajax toolkits seem determined to violate security:
- They violate the same origin policy, which has protected us for nearly 12 years
- They implement unsafe constructs
- They avoid implementing any security mechanisms

Assume that there is NO security in your toolkit:
- Determine what is there and what you need
- Perform a risk assessment to determine if you can use the toolkit as is
Create Guidelines

Hardening guideline for the framework:
- Minimize the code you're using
- Set all security relevant configurations
- Choose one framework if possible

Coding guideline for developers:
- Specify how all security controls should be used
- Define secure coding patterns
- Be sure to encourage "whitelist" or "positive" approaches

Guidelines should cover:
- All the security areas covered in this course
Ajax Security Testing

AJAX security testing is difficult today:
- Very few tools
- Automated tools are extremely poor at detecting Ajax issues
- Limited knowledge on what to look for
- Use the browser's developer tools (Firebug at the time of writing) and an intercepting proxy with your application

Test your application against your guidelines (this course):
- Work out what the key assets are and go after them
- Tamper with the DOM and XmlHttpRequest data
- Test authentication and sessions carefully
- Test authorization: forced browsing and direct object references
- Test data protection, especially on the client side
- Inspect the DOM and try to become an admin via simple tampering
Conclusion

Securing Ajax is relatively difficult today:
- Many business requirements are anti-security patterns

Choose a framework wisely:
- Based upon your needs; some toolkits are feature overkill
- With risk management in mind; some toolkits are pretty but dangerous

Implement a framework hardening guide:
- Ensure developers are adhering to the guide
- Incorporate improvements as understanding of the framework improves

Revisit design decisions which place too much information on the client:
- Minimize client side storage and the duration of sensitive or classified data
References
Ajax Security References

Ajax Security, Hoffman and Sullivan:
- Addison Wesley
- Published Dec 2007
- ISBN 0321491939

OWASP Ajax Project:
- http://www.owasp.org/index.php/Category:OWASP_AJAX_Security_Project
OWASP

The Open Web Application Security Project, accessible at http://www.owasp.org
- Local Chapters
- Conferences
- Presentations
- Projects
  » OWASP Top 10
  » Guide to Building Secure Applications
  » Testing Guide
  » Code Review Guide (forthcoming)
  » OWASP Top 10 for Web Services under development!
OWASP ESAPI

The OWASP Enterprise Security API (ESAPI):
- http://www.owasp.org/index.php/ESAPI
- Developed by Jeff Williams of Aspect Security, and donated to OWASP
Thank You

Any questions?

Please fill out your Course Evaluation Forms.

If you've changed any of your laptop's configuration, please change it back, thank you.

For class machines, please shut down.

Feel free to contact us with any application security questions:
- See the cover page or the "About Aspect" slide at the beginning of the booklet for our contact information