Hilton Giesenow, Software Architect, ConseQuent Software Development, hiltonwork@giesenow.com


Post on 13-Jan-2016


TRANSCRIPT

  • Hilton Giesenow, Software Architect, ConseQuent Software Development

    hiltonwork@giesenow.com

  • Improving end-user perception and usability

    New functionality

    Improving network/bandwidth usage

    Improving approach to scripting

  • Be prepared! AJAX has some security issues... (at least from a security perspective)

  • AJAX

  • AJAX is more difficult to secure!

    More complex: C#, HTML, CSS, Javascript, JSON, Web Services, ...

    More complexity

    API is more open & more fine-grained

    Larger attack surface (at various levels)

    More transparent

  • Uses the XmlHttpRequest (XHR) object

    Sends ANY HTTP method

    Simple: GET, POST, HEAD

    WebDAV: COPY, DELETE

    Fetches any kind of resource

    XML, HTML, plain text, JSON

    Images, Flash, Media, Silverlight

    Script...

    Limited to the source domain: Same Origin Policy

    var req; // shared between the two functions below

    function loadXMLDoc(url) {
      req = new XMLHttpRequest();
      req.onreadystatechange = processResult;
      req.open("GET", url, true); // the method name is a string; an unquoted GET is a ReferenceError
      req.send(null);
    }

    function processResult() {
      if (req.readyState == 4) { // 4 = request complete
        if (req.status == 200) {
          // process response (req.responseText / req.responseXML)
        } else {
          // handle error
        }
      }
    }

  • Attacks involve sending malformed commands

    HTML tags submitted

    Malformed image

    SQL Injection: ViewProduct.aspx?id=-1

    Unsecured pages...

    These tend to be edge cases

  • Attacker is now inside your application!

    Increased knowledge: function names, parameters, return types, etc.

    Entire API is visible

  • Larger attack surface

    What we do vs. how we do it

    DoS

    Google Suggest

    Application logic

  • What can we do?

    Reduce transparency: obfuscate, uncomment (these also reduce file size)

    Validate correctly and effectively

    Reduce granularity

  • Exposed Business Rules

  • Exposed API

    Web Service exploits!

    WSDL exploits: so just disable the WSDL?

    XML / JSON Hijacking

    More options for parameter manipulation

    Never trust the client

    Never assume the client is a browser

    Careful what logic gets pushed to the client

    Never trust *any* client input

  • 100% Secure

  • Be careful of your partners and what you expose

    Likewise in the other direction

    Mashups

  • SQL Injection: actual code from a live ASP.NET AJAX site

  • SQL Injection

    Prototype Attacks: Javascript is a prototype language, so an attacker can overwrite what XmlHttpRequest itself does!

    Cross-Site Scripting and Request Hijacking
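The "XML / JSON Hijacking" and prototype-overwrite points above describe the same failure from two sides: if a JSON response is loaded cross-site through a script include rather than an XHR, and the attacker's page has already redefined Array or object setters, the response is evaluated as a script and its values leak. The usual defence is to frame the response so that it is not a valid script at all. The block below is an added example, not code from the slides or from ASP.NET AJAX; the prefix string and the `{ d: ... }` envelope are this example's own choices.

```javascript
// Added example (not from the slides): frame JSON responses so a cross-site
// <script src="..."> include cannot evaluate them, and unwrap them on the XHR side.
// Assumption: the prefix below is this example's choice; any string that makes the
// body a syntax error as JavaScript works.

const ANTI_HIJACK_PREFIX = ")]}',\n";

// Two defences in one: (1) never emit a bare top-level array, since an array literal
// is a complete, valid JavaScript program; (2) prepend a prefix that turns the body
// into a parse error when loaded as a script. Same-origin XHR code strips it.
function frameJsonResponse(data) {
  const envelope = Array.isArray(data) ? { d: data } : data;
  return ANTI_HIJACK_PREFIX + JSON.stringify(envelope);
}

// Client side: only code that can read the raw response text (an XHR on the same
// origin) can remove the prefix; a script include never gets that far.
function parseFramedJson(text) {
  if (!text.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(text.slice(ANTI_HIJACK_PREFIX.length));
}

// Review helper: would this response body parse as a script? new Function() only
// parses, it does not run the body, so it is a safe way to ask the question.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false; // SyntaxError: a script include would fail here
  }
}

// Constructed sample: an account list, the kind of data that must not leak.
const SAMPLE_ACCOUNTS = [{ account: "12345", balance: 100 }];

function demo() {
  const framed = frameJsonResponse(SAMPLE_ACCOUNTS);
  return {
    bareArrayIsScript: isExecutableAsScript(JSON.stringify(SAMPLE_ACCOUNTS)),
    framedIsScript: isExecutableAsScript(framed),
    roundTrip: parseFramedJson(framed),
  };
}
```

Run `demo()`: the bare array is executable as a script, the framed body is not, and the XHR-side parser recovers the original data under the `d` key. Framing only protects data that is fetched by script include; it does nothing for responses the attacker can read through their own authenticated session, so it complements rather than replaces the authorisation checks on the service.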

  • http://blah.com/page1.asp?name=Hilton

    ...Welcome back, Hilton...

    http://blah.com/page1.asp?name=bad!

    ...Welcome back, bad!...

  • Pre-AJAX Injection:

    Inject script into HTML text

    Inject script into fields written into tag attributes

    CSS Injection

    Blind requests, cannot see response

    With AJAX Injection: JSON

    Self propagation!
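The `page1.asp?name=` example and the list of injection contexts above (HTML text, tag attributes, and, with AJAX, JSON) share one fix: encode the value for the context it is written into, at the point of output. The block below is an added example and not code from the slides; `page1.asp` and the `name` parameter are the slide's, while the helper names, the hidden input and the `<script>` block are this example's own.

```javascript
// Added example (not from the slides): the "Welcome back, <name>" page with the
// parameter encoded per output context. The vulnerable renderer from the slide is kept
// beside the hardened one for comparison.

// HTML text context: ...Welcome back, Hilton...
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Attribute context: always quote, so that &quot; is the only way out of the value.
function attrValue(s) {
  return '"' + escapeHtml(s) + '"';
}

// Script/JSON context: data embedded in <script> must not be able to close the tag,
// so "<" is emitted as \u003c; JSON.parse reads it back unchanged. U+2028/2029 are
// line terminators in JavaScript but not in JSON, so they are escaped as well.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function nameFromUrl(url) {
  return new URL(url).searchParams.get("name") || "";
}

// Vulnerable (what the slide shows): the parameter is concatenated into the page.
function renderWelcomeUnsafe(url) {
  return "...Welcome back, " + nameFromUrl(url) + "...";
}

// Hardened: the same value written into three contexts, each with its own encoder.
function renderWelcome(url) {
  const name = nameFromUrl(url);
  return "...Welcome back, " + escapeHtml(name) + "..." +
    '<input type="hidden" name="name" value=' + attrValue(name) + ">" +
    "<script>var user = " + jsonForScript({ name }) + ";</script>";
}

// Review helper: did a tag supplied in the input survive into the output verbatim?
function containsRawTag(html, input) {
  return /<[a-z][^>]*>/i.test(input) && html.includes(input);
}
```

Validation of the `name` parameter on the way in is still worthwhile (the later slides cover it), but output encoding is the control that holds even when validation is bypassed, because it is applied where the browser will interpret the data.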

  • New to AJAX

    Nothing to do with your site's AJAX / non-AJAX

    Injecting script (like XSS)

    Injecting script that invokes XmlHttpRequest

    AJAX requests look & function like normal requests

    Browser can't tell the difference: HTTP/HTTPS, Cookies, etc.

  • [Diagram: the Victim logs in to the Online Banking site and receives a Cookie; the Victim then browses a Malicious / Infected website, whose page issues an xmlHttpRequest to the bank that performs a Bank Transfer (authenticated)]

  • Very similar conceptually

    XSS is more about harvesting info

    XSRF is more about doing things under the user's account

  • October 2005: 5th largest domain on the Internet infected

    XSS exploit allowed to be injected into the user's profile

    Propagated via infected page

    Payload: used AJAX to redirect users and add Samy to their friends list

    Added "Samy is my hero" to profile

  • Sample:

    See http://namb.lab/popular/tech.html for all the details (from Samy himself)

  • Gmail, NetFlix, Yahoo, many others...

  • Lots of Hype (Bubble 2.0)

    But lots of value, too (did you come to the earlier session?)

    AJAX can dramatically improve your site's user experience

    But how do we secure it?

    MySpace - $400m; YouTube - $Xm; Writely.com -> Google; Del.icio.us - $50m (Yahoo); Facebook: No to $700m

    My site is for sale...


  • HTTP GET disabled by default

    Avoids XSS via includes

  • Content-Type headers

    ASP.NET *always requires* the Content-Type header set to application/json

  • UpdatePanel vs. Web & Page Services: more bytes, but more security!
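The three framework points above (HTTP GET disabled by default for service calls, the `application/json` Content-Type required, and UpdatePanel using POST) amount to a request gate in front of every service method. As an added example that is not ASP.NET code and not from the slides, here is that gate written out as a standalone check over a constructed request object (`{ method, headers, url }`); the function names, the reason strings and the three sample requests are this example's own.

```javascript
// Added example (not from the slides): a request gate enforcing the two framework
// defaults described above, returning a reason string so rejections can be logged.
// The request shape { method, headers, url } is a constructed stand-in for a server
// request object; header names are matched case-insensitively.

function header(req, name) {
  const headers = req.headers || {};
  const key = Object.keys(headers).find((h) => h.toLowerCase() === name);
  return key ? String(headers[key]) : "";
}

function gateServiceCall(req) {
  const method = (req.method || "").toUpperCase();
  if (method !== "POST") {
    // A <script src="/Service.asmx/GetData"> include, an <img>, or a pasted link can
    // only issue GET, so refusing GET removes that whole class of cross-site includes.
    return { allowed: false, reason: "method " + method + " not allowed; service calls must use POST" };
  }
  const contentType = header(req, "content-type").split(";")[0].trim().toLowerCase();
  if (contentType !== "application/json") {
    // A plain HTML <form> can only send urlencoded, multipart or text/plain bodies,
    // so a forged cross-site form post fails here; a same-origin XHR sets the header.
    return { allowed: false, reason: "content-type '" + contentType + "' rejected; application/json required" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests, the kind a log review would see.
const SAMPLE_REQUESTS = [
  { label: "script include", method: "GET", url: "/Service.asmx/GetAccounts", headers: {} },
  { label: "forged form post", method: "POST", url: "/Service.asmx/Transfer",
    headers: { "Content-Type": "application/x-www-form-urlencoded" } },
  { label: "legit XHR", method: "POST", url: "/Service.asmx/Transfer",
    headers: { "content-type": "application/json; charset=utf-8" } },
];

function auditRequests(requests) {
  return requests.map((r) => ({ label: r.label, ...gateServiceCall(r) }));
}
```

Running `auditRequests(SAMPLE_REQUESTS)` rejects the script include (GET) and the forged form post (wrong Content-Type) and passes only the XHR. The Content-Type check is a secondary control: it relies on what a browser form can and cannot send, not on anything tied to the user's session, so it complements per-request anti-forgery tokens rather than replacing them, and a rejection is worth logging as a possible forgery attempt.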

  • AJAX is as clean as you make it

    AJAX security = software security

    Never trust user input!

    Validation: data types, ranges, canonicalization, black AND white list

    User != browser

    Reduce the attack surface

    Minimize exposed logic

    Minimize exposed endpoints
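The validation checklist above (data types, ranges, canonicalization, black and white lists) and "minimize exposed endpoints" can be applied to the two parameters the earlier slides show, `ViewProduct.aspx?id=-1` and `?name=`. The block below is an added example, not code from the slides: the id range, the name character rules and the blacklist patterns are constructed for this example, and `validateQuery` rejects any parameter the page did not ask for.

```javascript
// Added example (not from the slides): a small validation layer applying the slide's
// checklist. Limits and patterns are constructed for this example.

const MAX_PRODUCT_ID = 1000000;                         // assumed catalogue size
const NAME_WHITELIST = /^\p{L}[\p{L}' -]{0,49}$/u;     // letters, apostrophe, hyphen, space
const NAME_BLACKLIST = [/<\s*script/i, /javascript:/i, /on\w+\s*=/i]; // secondary layer only

function validateProductId(raw) {
  // Data type: ASCII digits only. "-1", "1 OR 1=1" and "1;" all fail here.
  if (typeof raw !== "string" || !/^\d{1,7}$/.test(raw)) {
    return { ok: false, error: "id must be a positive integer" };
  }
  const id = Number(raw);
  // Range: 0 and anything beyond the catalogue are rejected even though they are integers.
  if (id < 1 || id > MAX_PRODUCT_ID) {
    return { ok: false, error: "id out of range" };
  }
  return { ok: true, value: id };
}

function validateName(raw) {
  if (typeof raw !== "string") return { ok: false, error: "name must be a string" };
  // Canonicalize before checking, so decomposed characters and padding cannot
  // produce a value that passes the check but differs from what is stored.
  const name = raw.normalize("NFC").trim();
  // Whitelist is the primary control: anything not positively allowed is rejected.
  if (!NAME_WHITELIST.test(name)) return { ok: false, error: "name contains disallowed characters" };
  // Blacklist is the backstop: if it ever fires, the whitelist was too loose. Log it.
  if (NAME_BLACKLIST.some((re) => re.test(name))) return { ok: false, error: "name matched blacklist" };
  return { ok: true, value: name };
}

const VALIDATORS = { id: validateProductId, name: validateName };

// Validate a query string against the parameters a page expects. Unknown parameters
// are an error: the endpoint only accepts what it needs (smaller attack surface).
function validateQuery(query, expected) {
  const params = new URLSearchParams(query);
  const values = {};
  const errors = [];
  for (const [key, raw] of params) {
    if (!expected.includes(key) || !VALIDATORS[key]) {
      errors.push("unexpected parameter " + key);
      continue;
    }
    const result = VALIDATORS[key](raw);
    if (result.ok) values[key] = result.value;
    else errors.push(key + ": " + result.error);
  }
  for (const key of expected) {
    if (!(key in values) && !errors.some((e) => e.startsWith(key + ":"))) {
      errors.push("missing parameter " + key);
    }
  }
  return { ok: errors.length === 0, values, errors };
}
```

Note that the whitelist deliberately allows an apostrophe (O'Brien is a name), so validation does not make the value safe to concatenate into SQL; the validated `id` and `name` still go to the database through parameterised queries, and to the page through output encoding. Validation narrows what reaches those layers; it does not replace them.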

  • Microsoft ASP.NET AJAX Security Videos: http://msdn2.microsoft.com/en-us/security/aa570424.aspx

    ASP.NET AJAX site: http://ajax.asp.net/

    Team Blogs: http://blogs.msdn.com/

    SPI Dynamics: http://www.spidynamics.com/

    Open Web Application Security Project: http://www.owasp.org/

    2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

    *Quick overview as this is a summary from the previous talk. Don't focus on the points, just cover that we saw that AJAX has a lot of value to offer.

    *Be prepared: like every other technology, it brings its own barrelfuls (n.b. to use this term, see later slide) of security issues. In this session, we will look at some of the big existing issues and how they tie to AJAX, then look at some of the new ones it brings.

    *"AJAX Security" is an oxymoron.

    *Traditional: single large calls in each direction; the small calls to specific features or services are all sequential internally.

    *HTML tags, e.g. script tags. Malformed image, e.g. JPG overflow (small actual pic, but dimensions in header set to 9 000 000 x 9 000 000): buffer overflow. EXIF metadata: Flickr displays whatever it finds, so if location = bad, filename = bad.

    ASP.NET: circa 2001... Gartner: 70% of attacks are through the application layer. BugTraq etc. are swamped with posts. ASP/PHP/... exploit of the week. We're doing a poor job already!

    *What we do -> how we do it!

    **Show traffic to Google Suggest, even for garbage. Show "Email address already exists", i.e. this email actually exists in the world, so farm it. DON'T show / mention "username already exists" - this comes up later.

    *"Validate correctly and effectively" - more to come on this... Reduce Granularity - ditto.

    *So Captcha would also be useless.

    *Show bypassing the "email already exists" page using Fiddler. Show WSDL, show the /js file, show HelloWorld. Show JSON hack - iSEC-Attacking_AJAX_Applications.BH2006.pdf pg 39. Show "username already exists".

    *Described by JS, especially when GET is supported. POST is not more secure, but more effort is required. JS describes what the WSDL would have.

    **This is a continuation of the previous slide, just split to make the animation easier.

    *The demo demonstrates how hacking via a bridge has many advantages.

    *Be careful of your partners and what you expose: "this email must be safe, it's from my brother/sister/mother/uncle/whatever". Mashups: so pull them on the server rather? But what about scalability? Leave the question open.

    *Yes, I've even done the flaky event on purpose, for emphasis!

    **Self Propagation - can send multiple requests, using complex HTTP methods to propagate. Propagates blindly. Sounds like a virus, doesn't it? It is!

    *Browser can't tell the difference -> therefore the server cannot explicitly repudiate AJAX traffic.

    **MySpace had some very intense filtering! Blocked , onreadystatechanged, innerHtml, special characters. Used a blacklist only!

    ***But how do we secure it? 1) What can my framework do for me? 2) What do I need to do?

    *GET requests are not recommended for method calls that modify data on the server or that expose critical information. In GET requests, the message is encoded by the browser into the URL and is therefore an easier target for tampering. For both GET and POST requests, you should follow security guidelines to protect sensitive data.

    More on URL tampering, etc.

    Explain how these includes will issue GET HTTP commands

    Note: the ASP.NET AJAX "UpdatePanel" control, as well as the other server controls that ship with ASP.NET AJAX 1.0, do not use HTTP GET and instead use HTTP POSTs when doing asynchronous postbacks.

    *Note that even though the above is a GET request, the client-side ASP.NET AJAX JSON
