ajax security - lac2016

AJAX and Security Considerations @irishwonder LAC2016

Upload: julia-logan-aka-irishwonder

Post on 21-Jan-2017

Why Security Matters

• Hacking on the rise

• Hacked sites lose traffic

• downtime

• security warnings

• A site getting hacked impacts its rankings eventually

What’s Different about AJAX?

• No more or less dangerous per se

• However, extra risks due to higher complexity

• Extra considerations to keep in mind

AJAX Considerations

• AJAX applications will not run with JavaScript switched off

• Degrade gracefully: the core content and actions should still work (and be crawlable) without it

Typical Risks

• Unvalidated user input (XSS or SQL injection)

• User IDs or credentials handled by client-side JavaScript, and therefore under the visitor's control

• Unauthorised access to files on the server

Typical Victims

• Standalone AJAX applications

• Popular CMSs with AJAX-enhanced functionality

• WordPress plugins using AJAX

More Vulnerable Targets

Typical Scenario

• The user is authenticated once, when the page is loaded

• A user ID or other credential sits unencoded in the URL and is picked up by the page's JavaScript

• That unencoded, unverified credential is sent back to the server by the AJAX requests, and the endpoint trusts it instead of re-checking the session

• HACKED!

Insecure WP Plugin Showcase

RevSlider

• First discovered in 2014

• Affects versions below 4.2

• Affects themes that bundle it, so many site owners do not know they are running it

• Google dork to find sites exposing the plugin's AJAX endpoint: inurl:/wp-admin/admin-ajax.php?action=revslider_ajax_action (a reachable endpoint shows the plugin is installed, not that the installed version is still vulnerable)

The Problem Extent

Security Measures

• Proper authentication and authorisation checks on every AJAX endpoint, not only when the page loads

• User input validation and output encoding against XSS; parameterised queries against SQL injection

• Use HTTPS if transmitting sensitive data

HTTPS

• Implement correctly

• Double-check for consistent implementation throughout the site: an HTTPS page whose AJAX calls go to http:// URLs is mixed content, which the browser blocks or which sends the data in the clear

• Incorrect implementation results in additional security risks and hurts SEO performance

Plugins and Themes

• Know what you use

• Update to the latest (patched) versions

Bonus!

• Showcase: RevSlider vulnerability story http://securityaffairs.co/wordpress/35431/cyber-crime/revslider-plugin-vulnerable.html

• How to update a plugin if it’s included in a theme http://www.themepunch.com/faq/update-plugin-packaged-theme/

• Free website malware and security scanner https://sitecheck.sucuri.net/ (WARNING: will not catch all security issues but may be of help)

• Test your HTTPS https://www.ssllabs.com/ssltest/index.html

@irishwonder BAC, Berlin October 2015

Questions? Feel free to get in touch!

[email protected] • Twitter: @irishwonder • Slideshare:

http://www.slideshare.net/irishwonder/ • LinkedIn: linkedin.com/in/irishwonder • Blogs:

http://www.irishwonder.com/blog/ - general SEO
http://www.irishwonder.syndk8.co.uk/ - darker areas

#LAC2016