{"id":305,"date":"2009-11-12T14:05:00","date_gmt":"2009-11-12T19:05:00","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=305"},"modified":"2009-11-12T16:15:18","modified_gmt":"2009-11-12T21:15:18","slug":"development-issues-within-ajax-applications-how-to-divert-threats","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/","title":{"rendered":"Development Issues within AJAX Applications: How to Divert Threats"},"content":{"rendered":"<p>This presentation was by Lars Ewe, CTO of Cenzic, on AJAX applications and the different implications of running AJAX in your environment. My notes are below:<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Agenda<\/strong><\/span><\/p>\n<ul>\n<li>What is AJAX?<\/li>\n<li>AJAX and Web App Security<\/li>\n<li>AJAX and Test Automation<\/li>\n<li>Vulnerability Examples: XSS, CSRF, &amp; JavaScript Hijacking<\/li>\n<li>AJAX Best Security Practices<\/li>\n<li>Demo<\/li>\n<li>Q&amp;A<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>What is AJAX?<\/strong><\/span><\/p>\n<ul>\n<li>Asynchronous JavaScript And XML<\/li>\n<li>AJAX allows for a new generation of more dynamic, more interactive, faster Web 2.0 applications<\/li>\n<li>AJAX leverages existing technologies, such as DHTML, CSS, DOM, JSON, and the (a)synchronous XMLHTTPRequest (XHR)<\/li>\n<li>Not just a set of technologies, but a new Web application development approach and methodology<\/li>\n<li>XHR allows for (a)synchronous server requests without the need for a full page reload<\/li>\n<li>XHR &#8220;downstream&#8221; payload can be\n<ul>\n<li>XML, JSON, HTML\/JavaScript snippets, plain text, serialized data, basically pretty much anything&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>Responses often get further processed using JavaScript and result in dynamic web page content changes through DOM 
modifications<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AJAX Code Example<\/strong><\/span><\/p>\n<p><code>var xhr = new XMLHttpRequest();<br \/>\nxhr.open(\"GET\", \"AJAX_call?foo-bar\", true); \/\/ true = asynchronous<br \/>\nxhr.onreadystatechange = processResponse;<br \/>\nxhr.send(null);<br \/>\nfunction processResponse() {<br \/>\nif (xhr.readyState == 4) { \/\/ 4 = DONE<br \/>\nif (xhr.status == 200) {<br \/>\nvar response = xhr.responseText;<br \/>\n...<br \/>\n}<br \/>\n}<br \/>\n}<\/code><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>XHR and the Same Origin Policy<\/strong><\/span><\/p>\n<ul>\n<li>Same origin policy is a key browser security mechanism\n<ul>\n<li>To prevent any cross-domain data leakage, etc<\/li>\n<li>With JavaScript it doesn&#8217;t allow JavaScript from origin A to access content\/data from origin B<\/li>\n<li>Origin refers to the domain name, port, and protocol<\/li>\n<\/ul>\n<\/li>\n<li>In the case of XHR, the same origin policy does not allow for any cross-domain XHR requests\n<ul>\n<li>Developers often don&#8217;t like this at all!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Common Cross Domain Workarounds<\/strong><\/span><\/p>\n<p>Cross-domain access is often still implemented by various means, such as:<\/p>\n<ul>\n<li>Open \/ Application (server-based) proxies<\/li>\n<li>Flash &amp; Java Applets (depending on crossdomain.xml)\n<ul>\n<li>Ex: FlashXMLHttpRequest by Julien Couvreur<\/li>\n<\/ul>\n<\/li>\n<li>RESTful web service with JavaScript callback and JSON response\n<ul>\n<li>Ex: JSONscriptRequest by Jason Levitt<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AJAX Frameworks<\/strong><\/span><\/p>\n<ul>\n<li>AJAX frameworks are often categorized as either &#8220;Client&#8221; or &#8220;Proxy\/Server&#8221; frameworks<\/li>\n<li>&#8220;Proxy\/Server&#8221; frameworks sometimes result in unintended method\/functionality exposure<\/li>\n<li>Beware of any 
kind of &#8220;Debugging mode&#8221; (Ex: Direct Web Remoting (DWR) debug=true)<\/li>\n<li>Remember: Attackers can easily &#8220;fingerprint&#8221; AJAX frameworks<\/li>\n<li>Beware of JavaScript Hijacking\n<ul>\n<li>Don&#8217;t use HTTP GET for &#8220;upstream&#8221;<\/li>\n<li>Prefix &#8220;downstream&#8221; JavaScript with &#8220;while(1);&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AJAX and Web App Security<\/strong><\/span><\/p>\n<ul>\n<li>AJAX potentially increases the attack surface\n<ul>\n<li>More &#8220;hidden&#8221; calls mean more potential security holes<\/li>\n<\/ul>\n<\/li>\n<li>AJAX developers sometimes pay less attention to security, due to its &#8220;hidden&#8221; nature\n<ul>\n<li>Basically the old mistake of security by obscurity<\/li>\n<\/ul>\n<\/li>\n<li>AJAX developers sometimes tend to rely on client-side validation\n<ul>\n<li>An approach that is just as flawed with or without AJAX<\/li>\n<\/ul>\n<\/li>\n<li>Mash-up calls\/functionality are often less secure by design\n<ul>\n<li>3rd party APIs (Ex: feeds, blogs, search APIs, etc) are often designed with ease of use, not security, in mind<\/li>\n<li>Mash-ups often lack clear security boundaries (who validates, who filters, who encodes\/decodes, etc)<\/li>\n<li>Mash-ups often result in untrusted cross-domain access workarounds<\/li>\n<\/ul>\n<\/li>\n<li>AJAX sometimes promotes dynamic code (JavaScript) execution of untrusted response data<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AJAX \/ Web 2.0 and Test Automation<\/strong><\/span><\/p>\n<ul>\n<li>Spidering is more complex than just processing anchor HREFs; various events need to be simulated (Ex: mouseover, keydown, keyup, onclick, onfocus, onblur, etc)<\/li>\n<li>Timer events and dynamic DOM changes need to be observed<\/li>\n<li>Use of non-standard data formats for both requests and responses makes injection and detection 
hard to automate<\/li>\n<li>Page changes after XHR requests can sometimes be delayed<\/li>\n<li>In short, you need to have browser-like behavior (JavaScript engine, DOM &amp; event management, etc)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Cross-Site Scripting (XSS)<\/strong><\/span><\/p>\n<ul>\n<li>AJAX changes the game a little: the script tag may already be there, so an attacker only needs to find JSON or JavaScript snippets to inject into<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Cross-Site Request Forgery (CSRF)<\/strong><\/span><\/p>\n<ul>\n<li>An anti-CSRF token needs to be sent with AJAX requests as well, not just with regular form posts<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>JavaScript Hijacking<\/strong><\/span><\/p>\n<ul>\n<li>Attacker code (override Array constructor)<\/li>\n<li>Render the JavaScript on the wire useless to anyone who doesn&#8217;t have access to the code itself<\/li>\n<li>The attacker cannot sanitize the JavaScript since they do not have access to the code<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AJAX Best Security Practices<\/strong><\/span><\/p>\n<p>Pretty much all the usual Web app security best practices apply:<\/p>\n<ul>\n<li>Analyze and know your security boundaries and attack surfaces<\/li>\n<li>Beware of reliance on client-side security measures<\/li>\n<li>Assume the worst case scenario for all 3rd party interactions\n<ul>\n<li>3rd parties can inherently not be trusted!<\/li>\n<\/ul>\n<\/li>\n<li>Be extremely careful when circumventing same origin policy<\/li>\n<li>Avoid\/limit the use of dynamic code\/eval()<\/li>\n<li>Beware of JavaScript Hijacking<\/li>\n<li>Implement anti-CSRF defenses<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment.\u00a0 My notes are below: 
Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, &amp; JavaScript Hijacking AJAX Best Security Practices Demo Q&amp;A [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[307,4],"tags":[53,319,173,316,320,622,317,318,321],"class_list":["post-305","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-dc-2009","category-web-app-sec","tag-ajax","tag-asynchronous","tag-development","tag-issues","tag-javascript","tag-security","tag-threats","tag-vulnerabilities","tag-xml"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-4V","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/305","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=305"}],"version-history":[{"count":2,"href":"https:\/\/www.webadminblog.com\/index
.php\/wp-json\/wp\/v2\/posts\/305\/revisions"}],"predecessor-version":[{"id":316,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/305\/revisions\/316"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}