Page 1

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

AJAX – New Technologies, New Threats

Dr. David Movshovitz, IDC – School of Computer Science, [email protected]

14-09-2008

Page 2

Lecture Agenda

Browser Technology Overview

What is AJAX

The XHR Object

AJAX Advantages

Web Application Architecture

JavaScript Browser Security

“Same Domain Policy”

AJAX Bridging

AJAX & Application Security - What’s new in Web 2.0

Exposure of Internal Details

Input Validation

Intranet Hacking

Page 3

AJAX Security is a Real Problem

Page 4

Browser Technology Evolution

Static HTML documents, one site at a time

Data content from different sites (images, frames)

Programmability with DOM (JavaScript)

Dynamic HTML (JavaScript)

AJAX & client-side mashup applications

Page 5

What is AJAX

Page 6

What is AJAX?

AJAX (Asynchronous JavaScript + XML) is a combination of web browser technologies that allows web page content to be updated “on-the-fly” without the user moving from page to page.

Coined by Jesse James Garrett of Adaptive Path

Not a language!

Uses JavaScript on the client and any Language on the Server

Ajax is the latest inheritor of the Dynamic HTML mantle, and allows for the development of feature-rich and practical web applications.

Dynamic HTML - a DHTML webpage is any webpage in which client-side scripting changes variables of the presentation definition language, which in turn affects the look and function of otherwise "static" HTML page content, after the page has been fully loaded and during the viewing process.

AJAX is commonly used along with DHTML to provide an enhanced user interface.

AJAX and DHTML are two separate things

Page 7

What is AJAX? (cont.)

In the background of an AJAX-enabled web page, data is transferred to and from the web server.

The mechanism for performing asynchronous data transfers is a software component embedded in all modern web browsers called XMLHttpRequest (XHR).

An AJAX web application uses an XHR JavaScript object to poll data from a remote web server and then manipulates this data to output it to the web page using the DOM.

“Ajax Engine” - the XMLHttpRequest (XHR) Object

Allows us to send information to the server without postbacks

Makes the request and receives the data back

Can be asynchronous or synchronous

XHR is the key to a website earning the “AJAX” moniker. Otherwise, it’s just fancy JavaScript.

Page 8

Adaptive Path’s Original Diagram

Page 9

The XHR Object

Page 10

XHR Object Methods

Method – Description

abort() – Stops the current request

getAllResponseHeaders() – Returns all header (label/value) sets

getResponseHeader("headerLabel") – Returns the value of the specified header label

open("method", "URL"[, asyncFlag[, "userName"[, "password"]]]) – The heart and soul! Sets the destination URL, method, and other optional attributes

send(content) – Transmits the request

setRequestHeader("label", "value") – Assigns a header to be sent with the request

Page 11

XHR Object Properties

Property – Description

onreadystatechange – Event handler for an event that fires at every state change

readyState – Object status integer

responseText – String version of the data returned from the server process

responseXML – DOM-compatible document object of the data returned from the server process

status – Numeric code returned by the server, such as 404 for "Not Found" or 200 for "OK"

statusText – String message accompanying the status code

Page 12

The XHR Object

The XHR open() method – open("method", "URL", asyncFlag);

method = GET or POST

URL = page to request

asyncFlag = true or false

The XHR send() method – send(content)

send() is like clicking the submit button on a form.

The parameter should be null or an empty string if you are not posting any data.

If you are posting, the name/value pairs should look like a query-string without the question mark, i.e. req.send("foo=bar&ajax=123");

If you are using GET, append the values to the URL in the open method

Page 13

XHR Object Properties

onreadystatechange – the object's only event handler.

It is fired only in asynchronous mode (3rd parameter of the open method set to true).

It is fired a total of 4 times.

We can assign it a reference to a named function or an anonymous function:

req.onreadystatechange = functionName;

req.onreadystatechange = function() { /* statements */ };

readyState values

0 – Uninitialized; the initial value when a new reference to the object is created

1 – Open; the open() method has been successfully called.

2 – Sent; the request was sent, but no data has yet been received.

3 – Receiving; all HTTP headers have been received.

4 – Loaded; the data transfer has been completed. We can now play with the data!

Page 14

Example of XHR Object

var req = new XMLHttpRequest();

req.onreadystatechange = myFunction;

req.open("GET", "http://myserver.com/data.xml", true);

...

// The handler refers to the same XHR object created above (the original
// slide named it "request" here and "req" there; one name is used throughout).
function myFunction() {
  if (req.readyState == 4) {
    doSomethingWith(req.responseXML);   // transfer complete: the data is ready
  } else if (req.readyState == 3) {
    showProgressIndicator();            // headers received, body still arriving
  }
}

Web applications use the XMLHttpRequest object to:

Dynamically load XML- or JSON-formatted data files

Use DHTML to alter the page based on the data
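The open()/send()/onreadystatechange flow of the last three slides, as an added example that is not part of the original deck. It wraps the XHR calls in one function that URL-encodes the name/value pairs (the slides' literal "foo=bar&ajax=123" only works for values without '&', '=' or spaces), sends the form-encoding header on POST, and hands the response to the page only when readyState is 4 and the status is 2xx. The XHR constructor is passed in, so the same function runs against the browser's XMLHttpRequest or, offline, against the FakeXHR stand-in below; FakeXHR, sendAjax, encodeParams and the response table are all constructed for this example.

```javascript
// Encode name/value pairs as an application/x-www-form-urlencoded string.
function encodeParams(params) {
  return Object.keys(params)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(params[k]))
    .join("&");
}

// Issue an asynchronous request. callback(err, body) runs exactly once,
// when readyState reaches 4 (Loaded). Non-2xx statuses are reported as
// errors instead of being handed to the page as if they were data.
function sendAjax(XHR, method, url, params, callback) {
  const req = new XHR();
  const body = encodeParams(params);
  let target = url;
  if (method === "GET" && body) {
    // GET: parameters travel in the URL given to open(), not in send()
    target += (url.indexOf("?") === -1 ? "?" : "&") + body;
  }
  req.onreadystatechange = function () {
    if (req.readyState !== 4) return; // states 0-3: nothing to consume yet
    if (req.status >= 200 && req.status < 300) {
      callback(null, req.responseText);
    } else {
      callback(new Error("HTTP " + req.status + " " + req.statusText), null);
    }
  };
  req.open(method, target, true); // true = asynchronous
  if (method === "POST") {
    req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    req.send(body);
  } else {
    req.send(null); // nothing to post
  }
  return req;
}

// Constructed stand-in for XMLHttpRequest so the example runs without a
// browser or network: it records what was sent and answers from a table.
const FAKE_RESPONSES = {
  "GET /data.xml?q=a%26b": { status: 200, statusText: "OK", text: "<ok/>" },
  "POST /secure.php": { status: 200, statusText: "OK", text: "posted" },
};

class FakeXHR {
  constructor() {
    this.readyState = 0;
    this.status = 0;
    this.statusText = "";
    this.responseText = "";
    this.headers = {};
    this.onreadystatechange = null;
  }
  open(method, url) {
    this.method = method;
    this.url = url;
    this.readyState = 1;
  }
  setRequestHeader(name, value) {
    this.headers[name] = value;
  }
  send(body) {
    this.body = body;
    const hit = FAKE_RESPONSES[this.method + " " + this.url];
    const answer = hit || { status: 404, statusText: "Not Found", text: "" };
    this.status = answer.status;
    this.statusText = answer.statusText;
    this.responseText = answer.text;
    // Walk through Sent, Receiving and Loaded, firing the handler each time.
    for (const state of [2, 3, 4]) {
      this.readyState = state;
      if (this.onreadystatechange) this.onreadystatechange();
    }
  }
}
```

In a browser, call sendAjax(XMLHttpRequest, "POST", "secure.php", { foo: "bar", ajax: 123 }, finishRequest) to reproduce the AJAX POST of the next slide; the handler only ever sees a completed, successful response, and a 404 or 500 surfaces as an error the page can act on instead of being parsed as data.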

Page 15

Basic Example of Request code

AJAX POST

var req = GetXHRObject();
req.open("POST", "secure.php", true);
req.onreadystatechange = finishRequest;
// A regular form sends this header automatically; XHR must set it so the
// server parses the body as form fields.
req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
req.send("foo=bar&ajax=123");

Regular Form POST

<form action="secure.php" method="POST">
  <input type="text" name="foo" value="bar">
  <input type="hidden" name="ajax" value="123">
  <input type="submit" name="sub1">
</form>

Simple Scripted Attacks On A Server

var req = new Array();
for (var i = 0; i < 1000; i++) {
  req[i] = GetXHRObject();
  req[i].open("POST", "secure.aspx", true);
  req[i].onreadystatechange = function() {};
  req[i].send("foo=" + i);
}

Page 16

AJAX Advantages

Page 17

What is AJAX used for?

Data retrieval

Send data to the server for processing.

Form Validation

Anything you might load a new page for.

It is possible to build “One Page” Ajax Applications.

Page 18

AJAX Advantages

Rich applications in modern browsers

Rich UI experience in a Web page

AJAX technology makes website interactivity smoother and more responsive

No more dreaded page refreshes

Very user-visible effect

In the case of Gmail, new email messages are displayed as they arrive automatically.

No issues with installation

Portable across browsers

All advantages of zero-install Web app

Built upon existing infrastructure – TCP/IP, XML, HTTP, SSL, etc.

Page 19

Web Application Architecture

Page 20

The Browser is the new “OS”

The browser has become a homogeneous execution platform

JavaScript is much more powerful

Object Oriented

Extendable: String.prototype.foo = function() {…}

Dynamic code execution

Regular Expressions

Very rich interface to/from browser/plugins

If JavaScript can’t do it, Flash/Java can

Page 21

Web 1.0 to Web 2.0 Conversion

Page 22

Architecture of Traditional Web Applications

Browser — A thin client

Application logic resides almost exclusively on the server

Flow/business logic

Presentation logic

Client acts as a dumb terminal sending actions to the server

Server does all the processing and returns whole new page

Page 23

Attacks Against Traditional Web Applications

Attacks involve:

Sending malicious data

Sending code as data

Trying to access unauthorized data

Malicious input/command hits edge cases in application design

Countermeasures:

Validate input parameters

Use proper authentication

Use proper authorization

Page 24

Architecture of an AJAX Application

Browser – Rich/thick-client application

Application logic resides both on client and server

JavaScript™ technology takes on a bigger role

Uses XmlHttpRequest object

Fetch any kind of resource

HTML, GIF (view centric)

XML, JSON (data centric)

JavaScript technology (code centric)

Client DOM tree is being manipulated

Page 25

Attacks Against AJAX Applications

Traditional web application attacks still apply

Attacker is inside your application

Knowledge increases

Larger attack surface

Data serialization from unknown/untrusted sources

Companies migrate to AJAX without much thought to security

In the case of mashups, attacking 3rd-party servers

Page 26

JavaScript Browser Security – “Same Domain Policy”

Page 27

JavaScript Security in the Browser

“Mobile code” = potential security risk

Browsers execute JavaScript code in a sandbox

Restrictions on JavaScript code in the sandbox

Cannot read/write files from/to the local system

Cannot execute any other programs

Cannot read the history of the browser

Cannot close a window that mobile code did not open

Cannot open a window that is too small

Page 28

Browser’s “Same Origin” Policy

Also called “Server of Origin” Policy

“Origin” = (protocol + host + port) parts of the URL

Restriction limits interaction between frames, iframes, and script tags from different origins

Prevents client-side JavaScript from making requests to any server other than the server from which it was downloaded

Restriction has been extended to include XMLHttpRequest

XHR has security protections built-in, preventing a user’s browser on Website A from making connections to Website B, to protect users from malicious websites

Can only load XML from originating server

Different browser vendors implement this security somewhat differently
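The origin comparison described above (protocol + host + port), as an added example that is not part of the original deck. It fills in the scheme's default port when the URL omits one, which is why http://example.com and http://example.com:80 are the same origin while a different port, scheme or subdomain is not. It uses the WHATWG URL parser available in browsers and Node; the helper names and sample URLs are constructed.

```javascript
// Default ports filled in when the URL does not state one.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// The origin tuple as a string: scheme, lower-cased host name, port.
// Path, query and fragment play no part in the comparison.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return u.protocol + "//" + u.hostname + ":" + port;
}

// True when a script loaded from pageUrl may read a response from requestUrl
// under the same-origin rule described on the slide.
function sameOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) === originOf(requestUrl);
}

// Classify several candidate XHR targets against the page's own URL;
// returns a map of target URL -> allowed (true/false).
function classifyRequests(pageUrl, requestUrls) {
  const result = {};
  for (const r of requestUrls) result[r] = sameOrigin(pageUrl, r);
  return result;
}

// Constructed sample: a page at http://shop.example/catalog and the
// targets its scripts might try to reach.
const SAMPLE_PAGE = "http://shop.example/catalog";
const SAMPLE_TARGETS = [
  "http://shop.example:80/api/items",   // same origin (default port written out)
  "https://shop.example/api/items",     // different scheme
  "http://www.shop.example/api/items",  // different host
  "http://shop.example:8080/api/items", // different port
];
```

Running classifyRequests(SAMPLE_PAGE, SAMPLE_TARGETS) marks only the first target as allowed; the other three are exactly the cases in which the browser refuses to let the page read the XHR response, and the cases an AJAX bridge exists to work around.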

Page 29

“Same Origin” Policy for AJAX

Page 30

More “Same Origin” Policy Cases

Page 31

Proxy Remote Services

Also called “AJAX Bridging” or “Server-Side Proxy”

3rd-party proxy such as Apache mod_proxy or a custom proxy

Has performance / security limitations

Page 32

The Remote Proxy Solution

Developers often create a local HTTP proxy on the host web server.

To have the client pull in data from a third-party website, they’ll direct an XHR request through the local proxy pointing to the intended destination.

Consider the following example request generated by the web browser:

http://websiteA/proxy?url=http://websiteB/

Website A takes the incoming request, and sends a request to Website B designated by the “URL” parameter value.

The security issue is that Website A is hosting an unrestricted HTTP proxy, and attackers love open proxies because they can initiate attacks that cannot be traced to their origin.

The capabilities of the proxy should be carefully controlled and restricted with regard to which websites it will connect to and how.

Page 33

Security Issues with AJAX Bridges

An Ajax-enabled online book store called spibooks.com wants to access some of the Web services that majorbookstore.com provides, such as an author search or genre recommendation service.

While anyone can sign up for a free account to access majorbookstore.com’s Web services, these free accounts have very limited privileges: the number of unique queries, the number of simultaneous queries, and the number of hits per second are all set very low.

A formal partner agreement between the two companies allows spibooks.com to access majorbookstore.com with fewer restrictions.

Page 34

Security Issues with AJAX Bridges

If the attacker wants to copy the entire author database from majorbookstore.com, he or she can simply issue thousands of queries to the Ajax bridge running on spibooks.com.

The relationship between the two Web sites allows the attacker to extract more data by going through spibooks.com than if he or she had used a free account directly from majorbookstore.com.

It is common in these situations for spibooks.com to limit the number of queries it has to make, reduce bandwidth, and improve performance for its users by caching the results it receives from majorbookstore.com.

Since the attacker’s query may already be in the cache, the attacker may be able to extract data faster by using spibooks.com.

Page 35

Security Issues with AJAX Bridges

An attacker can also send malicious requests through the Ajax bridge from spibooks.com to majorbookstore.com; using the bridge gives the attacker another layer to hide behind.

An attacker may cause a denial of service against all spibooks.com users if an IPS at majorbookstore.com detects the malicious requests coming from spibooks.com’s IP address and then automatically blocks all requests from spibooks.com.

It is possible that majorbookstore.com will not detect the attack being relayed through the Ajax bridge if majorbookstore.com does not scrutinize the requests it receives from spibooks.com for malicious content as closely as the requests it receives from others.

This is common practice, since the two parties have an agreement to help each other and there is an immense amount of traffic coming in from spibooks.com.
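Two of the controls the bridge slides call for, as an added example that is not part of the original deck: the remote-proxy slide asks that the proxy be restricted "with regard to which websites it will connect to and how", and the spibooks.com scenario shows why the bridge must also cap how many partner queries any one client can relay. checkProxyTarget() accepts the "url" parameter only when it is an absolute URL to a listed host, scheme and path prefix, so the bridge cannot be pointed at arbitrary sites (or at hosts inside the bridge's own network); RateLimiter counts relayed requests per client in a fixed window. The host name, path prefix and limits are constructed; the time value is passed in so the example runs deterministically offline.

```javascript
// Allow-list of bridge destinations (constructed). Anything not listed
// here is refused, so the bridge is not an open proxy.
const ALLOWED_TARGETS = [
  { host: "api.majorbookstore.example", schemes: ["https:"], pathPrefix: "/ws/" },
];

// Returns { ok: true, url } for an acceptable target and
// { ok: false, reason } otherwise.
function checkProxyTarget(rawUrl, allowed = ALLOWED_TARGETS) {
  let u;
  try {
    u = new URL(rawUrl); // relative or malformed values throw here
  } catch (e) {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (u.username || u.password) {
    // "https://trusted.host@attacker.host/" style confusion: refuse outright
    return { ok: false, reason: "credentials in URL" };
  }
  const rule = allowed.find((r) => r.host === u.hostname);
  if (!rule) return { ok: false, reason: "host not on allow-list" };
  if (!rule.schemes.includes(u.protocol)) return { ok: false, reason: "scheme not allowed" };
  if (!u.pathname.startsWith(rule.pathPrefix)) return { ok: false, reason: "path not allowed" };
  return { ok: true, url: u.toString() };
}

// Fixed-window counter per client key (session id, API key, ...).
class RateLimiter {
  constructor(maxPerWindow, windowMs) {
    this.max = maxPerWindow;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  // true if the request may proceed; now is a millisecond timestamp.
  allow(clientKey, now) {
    const b = this.buckets.get(clientKey);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(clientKey, { start: now, count: 1 });
      return true;
    }
    if (b.count >= this.max) return false;
    b.count += 1;
    return true;
  }
}

// The decision the bridge makes for one incoming request: the client's
// quota is consumed first, then the target is checked.
function bridgeDecision(clientKey, rawUrl, limiter, now) {
  if (!limiter.allow(clientKey, now)) {
    return { ok: false, reason: "rate limit exceeded" };
  }
  return checkProxyTarget(rawUrl);
}
```

With the client's quota enforced in front of the allow-list, a script that issues thousands of author queries through the bridge is stopped at the bridge rather than consuming the partner agreement's allowance, and the partner never sees a flood that would make its IPS block spibooks.com as a whole.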

Page 36

AJAX & Application Security, or What’s New in Web 2.0

Page 37

Major Cause of Security Concerns with AJAX-based Applications

Anyone CAN View the Source

Anyone can see the page that it is requesting from the JavaScript code!

Anyone can see the parameters being sent!

Anyone can see the validation!

Anyone can see the Business Logic!

XHR Object can be used to make requests without the user's knowledge.

Attacker can also use images, iframes, frames, popup windows.

AJAX model uses WebServices

More Ajax Functionality = More WebServices = More places to attack (Just need to forget one thing to make a new hole)

AJAX Adds More Attack Vectors

Page 38

Exposure of Internal Details – What’s new in Web 2.0?

Better tools to analyze client-side code

Firebug (view DOM tree, put breakpoints, alter values)

Watir - Ruby-based tool

Selenium - Java technology based Tool

Much more client-side code for hacker to view and dissect

Potentially more client-side comments for hacker to view

Better social community (blogs, newsgroups, forums)

Page 39

Exposure of Internal Details – What’s new in Web 2.0?

Hackers’ knowledge has increased

Application architecture/design details

Program business/logic flow details

Function names, variable names, return types

Helps build a footprint of the web application

Direct API access

Developers encouraged to expose more web services

Attacker calls your backend functions directly

Bypasses logic in the client side

Calls functions out of order

Page 40

Exposure of Internal Details - Countermeasures

Do not give out unnecessary information

Remove comments from HTML/JavaScript technology code

Developer names, design details, notes, build numbers

Use build-time tools to remove comments

Turn off WSDL for your web services

Many tools auto generate WSDLs — turn them off

No need to expose all services, inputs, and types to users

Is AJAX the appropriate technology?

Use traditional web-application technology where security is a high priority

Obfuscate your JavaScript technology code

Page 41

JavaScript Code Obfuscation

Obfuscation is not fool-proof

Obfuscation can make maintenance, debugging, and code review harder, which degrades security

Page 42

Input Validation – What’s new in Web 2.0?

Validation confusion

Where is the validation done (client/server/both)?

With sophisticated drag-and-drop IDEs, validation details are hidden

Complexity of data has increased

Lack of good toolkits/regular expressions available to validate these types of input

What input gets validated?

Developers usually validate GET/POST parameters

Developers often forget about HTTP Headers

Developers forget about file input (images, audio, video)

Trusting data from B2B partners

Mashups are bringing data from non-validated sources

Page 43

Improper Validation Countermeasures

Never trust the client!

Validate all input data to the application

Use strong validation techniques

Correctness, type, format, length, range, and context

Use white-listing instead of Black-listing

Escaping input if possible

Always validate on the server side

Server-side validation = data integrity and security

Client-side validation as a subset of server-side validation

Client-side validation = usability and performance

For mashups, never trust the external server

Page 44

Client Validation for AJAX Response

Developers usually forget that the AJAX response is not perfect

Developers don’t validate the AJAX response

Usability and Security issues

Solution:

Make sure the data is what you expect it to be!

Validate your data

Use regular expressions to check for patterns

Look for key parts of the expression

Look for things that do not belong
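Allow-list validation on both sides of the AJAX exchange, as an added example that is not part of the original deck; it serves the "Improper Validation Countermeasures" slide (validate every parameter on the server for type, format, length and range, white-listing rather than black-listing) and the "Client Validation for AJAX Response" slide (check that the response is what you expect before using it). One rule checker is shared: the server applies it to request parameters and rejects anything unexpected, and the client applies it to the parsed response. The field names, patterns and limits are constructed for illustration.

```javascript
// Allow-list rules: what each field must look like, not what it must not.
const REQUEST_RULES = {
  q:    { type: "string", pattern: /^[A-Za-z0-9 .'-]{1,64}$/ },
  page: { type: "integer", min: 1, max: 1000 },
};

const RESPONSE_RULES = {
  total:   { type: "integer", min: 0, max: 1000000 },
  authors: { type: "array", maxItems: 50,
             item: { type: "string", pattern: /^[A-Za-z .'-]{1,80}$/ } },
};

// Check one value against one rule; returns null or an error string.
function checkValue(name, value, rule) {
  switch (rule.type) {
    case "string":
      if (typeof value !== "string") return name + ": not a string";
      if (!rule.pattern.test(value)) return name + ": does not match allowed pattern";
      return null;
    case "integer":
      if (typeof value !== "number" || !Number.isInteger(value)) return name + ": not an integer";
      if (value < rule.min || value > rule.max) return name + ": out of range";
      return null;
    case "array":
      if (!Array.isArray(value)) return name + ": not an array";
      if (value.length > rule.maxItems) return name + ": too many items";
      for (let i = 0; i < value.length; i++) {
        const err = checkValue(name + "[" + i + "]", value[i], rule.item);
        if (err) return err;
      }
      return null;
    default:
      return name + ": unknown rule type";
  }
}

// Check an object against a rule set. Unknown fields are rejected: the
// server takes only the parameters it asked for, and the client accepts
// only the fields it expects. Returns { ok, errors }.
function validateObject(obj, rules) {
  const errors = [];
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    return { ok: false, errors: ["not an object"] };
  }
  for (const name of Object.keys(obj)) {
    if (!Object.prototype.hasOwnProperty.call(rules, name)) errors.push(name + ": unexpected field");
  }
  for (const name of Object.keys(rules)) {
    if (!(name in obj)) { errors.push(name + ": missing"); continue; }
    const err = checkValue(name, obj[name], rules[name]);
    if (err) errors.push(err);
  }
  return { ok: errors.length === 0, errors };
}

// Server side: query-string parameters arrive as strings, so a numeric
// field is converted only when it is all digits, then everything is
// validated. Returns the validated object or null.
function validateRequestParams(params) {
  const page = /^[0-9]{1,4}$/.test(params.page || "") ? Number(params.page) : params.page;
  const result = validateObject({ ...params, page }, REQUEST_RULES);
  return result.ok ? { q: params.q, page } : null;
}

// Client side: parse with JSON.parse (never eval) and check the shape
// before any of it reaches the DOM. Returns the validated object or null.
function validateAjaxResponse(responseText) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    return null;
  }
  return validateObject(data, RESPONSE_RULES).ok ? data : null;
}
```

The same helper answers both questions the slides raise: on the server, a request with an extra parameter, a page number of 0, or punctuation outside the allowed set never reaches the business logic; on the client, a response that is not JSON, has a string where a number belongs, or carries markup in an author name is dropped instead of being written into the page.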

Page 45

Intranet Hacking

Page 46

Intranet Hacking

We tend to believe that while surfing the Web we are protected by firewalls and isolated through private network address translated Internet Protocol (IP) addresses.

With this understanding we accept the soft security of intranet Web sites and the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, and so forth, even if they are left unpatched.

Nothing is capable of directly connecting in from the outside world. Right?

Web browsers can be completely controlled by any Web page, enabling them to become launching points to attack internal network resources.

The Web browser of every user on an enterprise network becomes a stepping-stone for intruders.

Page 47

Exploit Procedures

A victim visits a malicious Web page or clicks a nefarious link; embedded JavaScript malware then assumes control over their Web browser.

JavaScript malware loads a Java applet revealing the victim’s internal NAT IP address.

Then, using the victim’s Web browser as an attack platform, the JavaScript malware identifies and fingerprints Web servers on the internal network.

Attacks are initiated against internal or external Web sites, and compromised information is sent outside the network for collection.

Page 48

Port Scanning Behind your Firewall

JavaScript can:

Request images from internal IP addresses, e.g. <img src="192.168.0.4:8080"/>

Use timeout/onerror to determine success/failure

Fingerprint webapps using known image names

[Diagram: a malicious Web page on an external Server, a Browser behind the Firewall, and internal hosts. 1) The browser asks the server to “show me dancing pigs!”; 2) the server replies “check this out” with the scanning script; the browser then scans internal hosts; 3) the port scan results are sent back to the server.]