8/14/2019 Using Sprajax to Test AJAX Security
1/26
Copyright 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation
OWASP AppSec Seattle, Oct 2006
http://www.owasp.org/

Using Sprajax to Test AJAX Security
Dan Cornell, OWASP San Antonio Leader
Principal, Denim Group, [email protected]
(210) 572-4400

Agenda
- Introduction
- AJAX Security Basics
- Current Black Box Scanners
- Issues with Current Scanners
- How Sprajax is Different
- Demonstration
- Sprajax Approach and Architecture
- Example: Microsoft Atlas Support
- Next Steps
- Questions

Introduction
- Dan Cornell
- Principal of Denim Group, Ltd.
- MCSD, Java 2 Certified Programmer

AJAX Security Basics
- Shares many principles with normal web application security
- Risks are poorly understood
- AJAX increases an application's attack surface
- Same problems as before:
  - SQL injection
  - Parameter tampering
  - Authentication/Authorization issues

Why Sprajax?
- Deal with the issue of increased attack surface
- Deal with the issue of multiple AJAX frameworks

Current Black Box Scanners
- Current scanners are good at scanning traditional web applications
  - Pages, forms, parameters
  - Normal HTTP requests are easy to craft
- Current scanners have limited AJAX abilities
  - Scan JavaScript for URLs
  - Parse/execute JavaScript to find endpoints

Issues with Current Scanners
- AJAX applications often use frameworks that build on top of raw XMLHttpRequest
- Frameworks do not necessarily use plain HTTP requests
  - JSON for Atlas
  - Serialized Java for Google Web Toolkit
  - And so on
- Normal HTTP POST data:
  key=Zen+and+the+Art+of+Motorcycle+Maintenance&key=Cryptonomicon
- JSON HTTP POST data:
  [Zen and the Art of Motorcycle Maintenance, Cryptonomicon]
- If the AJAX framework expects JSON (or something else) it will never see normally-formatted requests
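As an added example (not Sprajax's code), the slide's two POST encodings built from the same values, plus an assumed JSON-only endpoint handler that shows the form-encoded request being rejected before any application logic runs:

```python
import json
from urllib.parse import urlencode

# Constructed sample values: the same two strings the slide uses.
BOOKS = ["Zen and the Art of Motorcycle Maintenance", "Cryptonomicon"]


def encode_form(values):
    """Body a conventional scanner sends (application/x-www-form-urlencoded)."""
    return urlencode([("key", v) for v in values])


def encode_json(values):
    """Body an Atlas-style AJAX endpoint expects: a JSON array."""
    return json.dumps(values)


def mock_ajax_endpoint(content_type, body):
    """Hypothetical server-side handler for a JSON-only AJAX endpoint.

    Returns the list of values the application actually received, or None
    when the framework layer rejected the request before any application
    code ran (wrong content type or a body that is not a JSON array).
    """
    if content_type != "application/json":
        return None
    try:
        values = json.loads(body)
    except ValueError:          # JSONDecodeError is a ValueError
        return None
    return values if isinstance(values, list) else None


def scanner_request_reaches_app(values):
    """A form-encoded fuzz request never reaches the endpoint's logic."""
    body = encode_form(values)
    return mock_ajax_endpoint("application/x-www-form-urlencoded", body) is not None


def framework_aware_request_reaches_app(values):
    """The same values, re-encoded the way the framework expects, do reach it."""
    body = encode_json(values)
    return mock_ajax_endpoint("application/json", body) is not None
```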

Normal HTTP Request Sent to Web Application
(Diagram: Web Server -> Application Server)

Normal HTTP Requests Sent to AJAX Framework
(Diagram: Web Server -> Application Server -> AJAX Framework)

How Sprajax Is Different
- Spiders web applications as current scanners do
- Detects AJAX frameworks in use
- Detects AJAX-specific endpoints for the frameworks in use
- Fuzzes endpoints using framework-appropriate HTTP requests

AJAX Web Request Sent to AJAX Framework
(Diagram: Web Server -> Application Server -> AJAX Framework)

Types of Vulnerabilities
- Technical Vulnerabilities
  - Surface due to insecure programming techniques
  - Typically due to poor input handling, input validation and output handling and escaping
  - Most scanner tools primarily find technical vulnerabilities
  - Remediation: coding changes
- Logical Vulnerabilities
  - Surface due to insecure program logic
  - Typically due to poor decisions about trust
  - Most scanner tools are powerless to find logical vulnerabilities
  - Remediation: architecture and design changes

Sprajax Limitations
- Should actually be "limitations of automated black-box testing"
- Can find technical application flaws
  - SQL injection
  - Cross site scripting (XSS)
  - Bad error handling
- Can't find logical application flaws
  - Many parameter and cookie tampering flaws
  - Authentication/authorization
- Not a limitation of the tool, but a limitation of the approach

Demonstration
- Simple Sprajax demonstration on a Microsoft Atlas site
- Simple Sprajax demonstration on a Google Web Toolkit site
- Footprinting and fuzzing are in-progress

Sprajax Approach and Architecture
- NOTE: Included Open Source packages do not necessarily endorse Sprajax
- Spider the web site
  - Uses Jeff Heaton's C# spider (http://www.jeffheaton.com/)
- Determine what frameworks are in use
  - Look at included JavaScript files
- Enumerate AJAX endpoints
  - Plugin architecture watches pages and tags through the course of the spidering
  - Implement DocumentWorkerListener interface
- Fuzz the endpoints with framework-appropriate requests
  - Microsoft Atlas uses SOAP web services with JSON
  - Uses DynWSLib for dynamic SOAP client creation (http://www.thinktecture.com/)

Sprajax Fuzzing
- Use a list of interesting values for various data types:
  - String: string.Empty, JUNK, JUNK and so on
  - Integer: int.MinValue, -1025, -1024, -1023, -1, 0, 1 and so on
  - Single Float: float.MinValue, float.MaxValue, float.NaN, float.NegativeInfinity, float.PositiveInfinity, 0.0 and so on

Sprajax Fuzzing
- Fuzzing creates an n-dimensional search space based on lists of primitives
  - Strings: currently 6
  - Integers: currently 25
  - Single Floats: currently 9
  - Double Floats: currently 9
- MyMethod(int): 1D, 25 calls
- MyMethod2(int, string): 2D, 150 calls
- MyMethod3(int, int, string): 3D, 3750 calls
- Adding multi-threading will be key going forward
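An added example, not code from Sprajax, that builds value lists of the sizes the two fuzzing slides give and reproduces the call counts for MyMethod, MyMethod2 and MyMethod3; list members beyond the ones the slide names are assumed boundary values:

```python
import itertools
import math
import sys

# Value lists modelled on the slide's categories and sizes (6 / 25 / 9 / 9).
# The slide names only a few members of each list; the remaining entries
# are assumed boundary values added here to reach the stated list sizes.
STRINGS = ["", "JUNK", "JUNK'", 'JUNK"', "<JUNK>", "JUNK" * 256]
INT_MIN, INT_MAX = -2**31, 2**31 - 1            # int.MinValue / int.MaxValue
INTEGERS = [INT_MIN, INT_MIN + 1, -65537, -65536, -65535,
            -32769, -32768, -32767, -1025, -1024, -1023,
            -257, -256, -255, -1, 0, 1, 255, 256, 257,
            1023, 1024, 1025, INT_MAX - 1, INT_MAX]
FLOAT_MAX = 3.4028235e38                        # single-precision float.MaxValue
FLOATS = [-FLOAT_MAX, FLOAT_MAX, math.nan, -math.inf, math.inf,
          0.0, -0.0, 1.0, -1.0]
DOUBLES = [-sys.float_info.max, sys.float_info.max, math.nan, -math.inf,
           math.inf, 0.0, -0.0, 1.0, -1.0]
TYPE_VALUES = {"int": INTEGERS, "string": STRINGS,
               "float": FLOATS, "double": DOUBLES}


def call_count(signature):
    """Number of requests a full traversal of the search space costs.

    signature is a tuple of parameter type names, e.g. ("int", "string").
    The space is the Cartesian product of the per-type value lists, so its
    size is the product of the list lengths: 25, 25*6, 25*25*6, ...
    """
    return math.prod(len(TYPE_VALUES[t]) for t in signature)


def fuzz_cases(signature):
    """Yield every argument tuple in the space; one tuple is one request."""
    return itertools.product(*(TYPE_VALUES[t] for t in signature))


def fuzz_plan(method_name, signature):
    """Hypothetical planning record: dimensions and request cost per method."""
    return {"method": method_name, "dimensions": len(signature),
            "calls": call_count(signature)}
```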

Example: Microsoft Atlas Support
- Included files that are an indicator
  - Atlas.js (older versions)
  - WebResource.axd
- Web Service endpoints indicated by:

Next Steps
- More modular persistence support
- Add support for more AJAX frameworks
- Increase sophistication of testing
- Improve fuzzing
- Break out into individual tools

Next Steps: More Modular Persistence Support
- Right now SQL Server 2005 is required
  - Not really necessary: how many people need to compare results across scans at the current time?
  - People have requested MySQL support
  - Side note: Run using Mono?
- Replace current implementation with a Provider model
  - Support for SQL Server, MySQL (perhaps) and in-memory

Next Steps: More AJAX Frameworks
- Google Web Toolkit (GWT)
  - Detection already works
  - Finding endpoints is more complicated but not impossible
  - Requests appear to send serialized Java objects
- Direct Web Remoting (DWR)
- And so on: at least detect all major frameworks and fuzz-test the most popular
- Next release will have a more modular design so that the plugins can be developed and maintained separately

Next Steps: Increase Sophistication of Testing
- Current: Only looking for error responses
  - SOAP errors
  - Can tag inputs as being associated with a vulnerability type (SQL injection, Cross Site Scripting, etc.)
  - Can flag suspicious text in error messages
    - ODBC
    - SQL
- Test for injection attacks that might not result in errors
- Could also add tests for flawed versions of AJAX frameworks
  - More like what you would see from Nessus
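An added example (not Sprajax code) of the error-response check this slide describes: detect a SOAP fault, match its text against ODBC/SQL indicators, and tag the finding with the vulnerability type the input was associated with. The regex and both sample responses are constructed.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Error-text indicators per input tag. The slide names ODBC and SQL; the
# exact patterns are assumed.
SUSPICIOUS = {
    "SQL injection": re.compile(r"ODBC|SQL|syntax error|unclosed quotation", re.I),
}

# Constructed sample responses: a SOAP 1.1 fault as a web service might
# return it when a fuzz value breaks a query, and a normal reply.
SAMPLE_FAULT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>Server was unable to process request. ---&gt; Unclosed quotation mark after the character string 'JUNK'.</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""
SAMPLE_OK = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             "<soap:Body><Result>1</Result></soap:Body></soap:Envelope>")


def soap_fault_text(body):
    """Return the faultstring of a SOAP 1.1 fault, or None when there is none."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:       # not XML at all: nothing to classify here
        return None
    fault = root.find(f".//{{{SOAP_ENV}}}Fault")
    if fault is None:
        return None
    fs = fault.find("faultstring")   # unqualified child in SOAP 1.1
    return fs.text if fs is not None else ""


def classify_response(body, input_tag):
    """Finding for one fuzz request, or None when the response is not a fault.

    input_tag is the vulnerability type the fuzz value was tagged with.
    """
    text = soap_fault_text(body)
    if text is None:
        return None
    pattern = SUSPICIOUS.get(input_tag)
    match = pattern.search(text) if pattern else None
    if match:
        return {"finding": input_tag, "evidence": match.group(0)}
    return {"finding": "Bad error handling", "evidence": text[:80]}
```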

Next Steps: Improve Fuzzing
- Multi-threading will be key
- Currently only methods with primitive parameters are supported
  - Add support for objects with properties as their own n-dimensional spaces to be traversed
- Will eventually need to get smart about which combinations are selected
  - Selectively choose input patterns
  - Data mine the results

Next Steps: Break Out Into Individual Tools
- This would assist in manual vulnerability testing
  - SOAP Web Services Fuzzer
  - GWT Request Crafter
  - JSON Console
  - And so on

Questions
Dan Cornell
[email protected]
(210) 572-4400
Sprajax Site: www.owasp.org/index.php/Sprajax
Sprajax Mailing List: [email protected]
Denim Group Website: www.denimgroup.com
Denim Group Blog: denimgroup.typepad.com