Using Sprajax to Test AJAX Security


8/14/2019 Using Sprajax to Test AJAX Security

Copyright 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation
OWASP AppSec Seattle
Oct 2006
http://www.owasp.org/

Using Sprajax to Test AJAX Security

Dan Cornell, OWASP San Antonio Leader
Principal, Denim Group
[email protected]
(210) 572-4400


OWASP AppSec Seattle 2006


    Agenda

- Introduction
- AJAX Security Basics
- Current Black Box Scanners
- Issues with Current Scanners
- How Sprajax is Different
- Demonstration
- Sprajax Approach and Architecture
- Example: Microsoft Atlas Support
- Next Steps
- Questions


    Introduction

Dan Cornell
- Principal of Denim Group, Ltd.
- MCSD, Java 2 Certified Programmer


    AJAX Security Basics

- Shares many principles with normal web application security
- Risks are poorly understood
- AJAX increases an application's attack surface
- Same problems as before:
  - SQL injection
  - Parameter tampering
  - Authentication/authorization issues


    Why Sprajax?

- Deal with the issue of increased attack surface
- Deal with the issue of multiple AJAX frameworks


    Current Black Box Scanners

- Current scanners are good at scanning traditional web applications
  - Pages, forms, parameters
  - Normal HTTP requests are easy to craft
- Current scanners have limited AJAX abilities
  - Scan JavaScript for URLs
  - Parse/execute JavaScript to find endpoints


    Issues with Current Scanners

- AJAX applications often use frameworks that build on top of raw XMLHttpRequest
- Frameworks do not necessarily use plain form-encoded HTTP requests:
  - JSON for Atlas
  - Serialized Java for Google Web Toolkit
  - And so on

Normal HTTP POST data:

key=Zen+and+the+Art+of+Motorcycle+Maintenance&key=Cryptonomicon

JSON HTTP POST data:

["Zen and the Art of Motorcycle Maintenance", "Cryptonomicon"]

If the AJAX framework expects JSON (or something else) it will never see normally-formatted requests, so a scanner that only sends form-encoded parameters never exercises the endpoint's real input handling.
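The mismatch above, as an added example in Python (not code from the slides or from Sprajax): a hypothetical JSON-only endpoint rejects a scanner's form-encoded probe before any application logic runs, while the same probe re-encoded as the JSON array the framework expects does reach the handler. The request bodies and the endpoint are constructed for this illustration.

```python
import json
from urllib.parse import parse_qs, quote_plus

# Constructed sample bodies (added here, not from the slides): the two book
# titles as a scanner would POST them, and as an Atlas-style endpoint expects them.
FORM_BODY = "key=Zen+and+the+Art+of+Motorcycle+Maintenance&key=Cryptonomicon"
JSON_BODY = '["Zen and the Art of Motorcycle Maintenance", "Cryptonomicon"]'
SQLI_PROBE = "' OR 1=1--"


def json_endpoint(content_type, body):
    """Hypothetical AJAX endpoint that only accepts a JSON array body.

    Returns ("error", reason) before any application logic runs, or
    ("ok", values) once the values have reached the handler, i.e. the point
    where a fuzzed value could actually trigger a flaw.
    """
    if content_type != "application/json":
        return ("error", "unsupported media type")
    try:
        values = json.loads(body)
    except ValueError:
        return ("error", "malformed JSON")
    if not isinstance(values, list):
        return ("error", "expected a JSON array")
    return ("ok", values)  # application logic would run from here


def form_probe(probe, key="key"):
    """What a traditional scanner sends: the probe as a form-encoded field."""
    return "application/x-www-form-urlencoded", key + "=" + quote_plus(probe)


def form_to_json_request(form_body, key="key"):
    """Re-encode a form-encoded probe as the JSON request the framework expects."""
    values = parse_qs(form_body, keep_blank_values=True).get(key, [])
    return "application/json", json.dumps(values)


def probe_reaches_handler(content_type, body, probe):
    """True only if the probe string arrives intact at application logic."""
    status, payload = json_endpoint(content_type, body)
    return status == "ok" and probe in payload
```

Sending `form_probe(SQLI_PROBE)` to `json_endpoint` yields an error with no application code executed, which is exactly why a form-oriented scanner reports nothing; `form_to_json_request` is the framework-appropriate translation step that gets the same probe in front of the handler.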


Normal HTTP Request Sent to Web Application

[Diagram: Web Server -> Application Server]


Normal HTTP Requests Sent to AJAX Framework

[Diagram: Web Server -> Application Server -> AJAX Framework]


    How Sprajax Is Different

- Spiders web applications as current scanners do
- Detects AJAX frameworks in use
- Detects AJAX-specific endpoints for the frameworks in use
- Fuzzes endpoints using framework-appropriate HTTP requests


AJAX Web Request Sent to AJAX Framework

[Diagram: Web Server -> Application Server -> AJAX Framework]


    Types of Vulnerabilities

Technical Vulnerabilities
- Surface due to insecure programming techniques
- Typically due to poor input handling, input validation, and output handling and escaping
- Most scanner tools primarily find technical vulnerabilities
- Remediation: coding changes

Logical Vulnerabilities
- Surface due to insecure program logic
- Typically due to poor decisions about trust
- Most scanner tools are powerless to find logical vulnerabilities
- Remediation: architecture and design changes


    Sprajax Limitations

- Should actually be "limitations of automated black-box testing"
- Can find technical application flaws:
  - SQL injection
  - Cross site scripting (XSS)
  - Bad error handling
- Can't find logical application flaws:
  - Many parameter and cookie tampering flaws
  - Authentication/authorization
- Not a limitation of the tool, but a limitation of the approach


    Demonstration

- Simple Sprajax demonstration on a Microsoft Atlas site
- Simple Sprajax demonstration on a Google Web Toolkit site
- Footprinting and fuzzing are in progress


    Sprajax Approach and Architecture

NOTE: Included open source packages do not necessarily endorse Sprajax

- Spider the web site
  - Uses Jeff Heaton's C# spider (www.jeffheaton.com)
- Determine what frameworks are in use
  - Look at included JavaScript files
- Enumerate AJAX endpoints
  - Plugin architecture watches pages and tags through the course of the spidering
  - Implement the DocumentWorkerListener interface
- Fuzz the endpoints with framework-appropriate requests
  - Microsoft Atlas uses SOAP web services with JSON
  - Uses DynWSLib for dynamic SOAP client creation (www.thinktecture.com)

    Sprajax Fuzzing

Use a list of interesting values for various data types:
- String: string.Empty, "JUNK", "JUNK" and so on
- Integer: int.MinValue, -1025, -1024, -1023, -1, 0, 1 and so on
- Single float: float.MinValue, float.MaxValue, float.NaN, float.NegativeInfinity, float.PositiveInfinity, 0.0 and so on


    Sprajax Fuzzing

Fuzzing creates an n-dimensional search space based on lists of primitives:
- Strings: currently 6
- Integers: currently 25
- Single floats: currently 9
- Double floats: currently 9

MyMethod(int): 1D, 25 calls
MyMethod2(int, string): 2D, 150 calls
MyMethod3(int, int, string): 3D, 3750 calls

Adding multi-threading will be key going forward
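The search space described on the two fuzzing slides, as an added example in Python (Sprajax itself is C#; this is not its code). The value lists are constructed here and sized to match the slide's counts (6 strings, 25 integers, 9 single floats, 9 double floats) so that the 25 / 150 / 3750 call counts come out of the arithmetic rather than being quoted; `demo_target` is a hypothetical endpoint that fails on a few edge inputs so the fuzz loop has something to report.

```python
import itertools
import math
import sys

# Constructed value lists (example code, not Sprajax's own lists), sized to
# the slide's counts: 6 strings, 25 integers, 9 single floats, 9 double floats.
STRINGS = ["", "JUNK", "'JUNK", "JUNK'", "<JUNK>", "JUNK" * 256]
INTEGERS = [-2**31, -2**31 + 1, -65536, -32769, -32768, -32767, -1025, -1024, -1023,
            -256, -255, -1, 0, 1, 127, 128, 255, 256, 1023, 1024, 1025,
            32767, 32768, 65535, 2**31 - 1]
SINGLES = [-3.4028235e38, 3.4028235e38, math.nan, -math.inf, math.inf,
           0.0, -0.0, 1.5, -1.5]
DOUBLES = [-sys.float_info.max, sys.float_info.max, math.nan, -math.inf, math.inf,
           0.0, -0.0, 1.5, -1.5]
VALUES_BY_TYPE = {"string": STRINGS, "int": INTEGERS, "float": SINGLES, "double": DOUBLES}


def search_space_size(param_types):
    """Number of calls needed to exhaust the product of the per-parameter lists."""
    size = 1
    for t in param_types:
        size *= len(VALUES_BY_TYPE[t])
    return size


def fuzz_cases(param_types):
    """Yield one argument tuple per point in the n-dimensional space."""
    return itertools.product(*(VALUES_BY_TYPE[t] for t in param_types))


def fuzz_method(name, param_types, invoke):
    """Call invoke(name, args) for every case and collect the ones that raised.

    invoke stands in for the framework-specific transport (for Atlas that would
    be the SOAP+JSON call); any exception from it is the signal we keep.
    """
    failures = []
    for args in fuzz_cases(param_types):
        try:
            invoke(name, args)
        except Exception as exc:
            failures.append((args, repr(exc)))
    return failures


def demo_target(name, args):
    """Hypothetical endpoint: chokes on non-finite floats and on stray quotes."""
    for a in args:
        if isinstance(a, float) and (math.isnan(a) or math.isinf(a)):
            raise ValueError("cannot convert %r to a database number" % a)
        if isinstance(a, str) and "'" in a:
            raise RuntimeError("ODBC syntax error near %r" % a)
    return "ok"


if __name__ == "__main__":
    for sig in (["int"], ["int", "string"], ["int", "int", "string"]):
        print(sig, search_space_size(sig), "calls")
    for args, err in fuzz_method("MyMethod2", ["int", "string"], demo_target)[:3]:
        print(args, "->", err)
```

The product grows multiplicatively with parameter count, which is the slide's point about multi-threading: a three-parameter method already needs thousands of requests before any object-typed parameters are expanded into sub-spaces of their own.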


    Example: Microsoft Atlas Support

Included files that are an indicator:
- Atlas.js (older versions)
- WebResource.axd

Web Service endpoints indicated by:
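The footprinting steps from the "How Sprajax Is Different" and "Approach and Architecture" slides applied to the Atlas indicators above, as an added example in Python (not Sprajax's code). `ScriptCollector` plays the role of a DocumentWorkerListener plugin watching script tags as the spider visits a page. The file-name indicators (Atlas.js, WebResource.axd) come from the slide; the endpoint rule, a script reference ending in ".asmx/js", is an assumption about how Atlas pages reference their web-service proxies, not something the slides state. The sample page and the example.test host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Indicators taken from the slide. The endpoint suffix is an assumption
# (Atlas service proxies referenced as <service>.asmx/js), not from the slide.
FRAMEWORK_INDICATORS = {
    "Microsoft Atlas": ("atlas.js", "webresource.axd"),
}
ENDPOINT_SUFFIX = ".asmx/js"


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> on a page (stand-in for a DocumentWorkerListener)."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)


def detect_frameworks(script_srcs):
    """Name the frameworks whose indicator files the page includes."""
    found = set()
    for src in script_srcs:
        low = src.lower()
        for name, markers in FRAMEWORK_INDICATORS.items():
            if any(m in low for m in markers):
                found.add(name)
    return sorted(found)


def enumerate_endpoints(page_url, script_srcs):
    """Turn proxy-script references into the absolute web-service URLs to fuzz."""
    endpoints = set()
    for src in script_srcs:
        path = src.split("?", 1)[0]          # drop cache-busting query strings
        if path.lower().endswith(ENDPOINT_SUFFIX):
            endpoints.add(urljoin(page_url, path[: -len("/js")]))
    return sorted(endpoints)


def footprint(page_url, html):
    """One spidered page -> frameworks in use and AJAX endpoints to fuzz."""
    parser = ScriptCollector()
    parser.feed(html)
    return {"frameworks": detect_frameworks(parser.scripts),
            "endpoints": enumerate_endpoints(page_url, parser.scripts)}


# Constructed sample page, not captured from a real site.
SAMPLE_PAGE = """<html><head>
<script src="/WebResource.axd?d=abc123&amp;t=633"></script>
<script src="/ScriptLibrary/Atlas/Atlas.js"></script>
<script src="/services/BookService.asmx/js"></script>
<script src="/site.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(footprint("http://example.test/catalog/Default.aspx", SAMPLE_PAGE))
```

A real run would feed every page the spider fetches through `footprint` and union the results; the framework list decides which fuzzing plugin is loaded, and the endpoint list is what that plugin builds framework-appropriate requests against.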


    Next Steps

- More modular persistence support
- Add support for more AJAX frameworks
- Increase sophistication of testing
- Improve fuzzing
- Break out into individual tools


    Next Steps: More Modular PersistenceSupport

- Right now SQL Server 2005 is required
  - Not really necessary: how many people need to compare results across scans at the current time?
- People have requested MySQL support
  - Side note: run using Mono?
- Replace the current implementation with a provider model
  - Support for SQL Server, MySQL (perhaps) and in-memory


    Next Steps: More AJAX Frameworks

- Google Web Toolkit (GWT)
  - Detection already works
  - Finding endpoints is more complicated but not impossible
  - Requests appear to send serialized Java objects
- Direct Web Remoting (DWR)
- And so on: at least detect all major frameworks and fuzz test the most popular
- Next release will have a more modular design so that the plugins can be developed and maintained separately


    Next Steps: Increase Sophistication of Testing

- Current: only looking for error responses (SOAP errors)
- Can tag inputs as being associated with a vulnerability type (SQL injection, cross site scripting, etc.)
- Can flag suspicious text in error messages:
  - ODBC
  - SQL
- Test for injection attacks that might not result in errors
- Could also add tests for flawed versions of AJAX frameworks
  - More like what you would see from Nessus
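Two of the improvements proposed above, as an added example in Python (not Sprajax's code): flagging suspicious text in error responses for inputs tagged with a vulnerability type, and a boolean-differential check for injection that produces no error at all. The slide names ODBC and SQL; the other error fragments in `SQL_SIGNATURES` are common database-driver strings added here. The sample responses are constructed, and `vulnerable_search` / `safe_search` are hypothetical endpoints backed by an in-memory SQLite table, one built by string concatenation and one with a bound parameter, so the differential check has a real query engine to run against.

```python
import re
import sqlite3

# Constructed sample responses (not captured from any real application).
SOAP_FAULT = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><soap:Fault><faultcode>soap:Server</faultcode>"
    "<faultstring>System.Data.SqlClient.SqlException: Unclosed quotation mark "
    "after the character string ''JUNK'.</faultstring>"
    "</soap:Fault></soap:Body></soap:Envelope>"
)
ODBC_ERROR = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14' "
              "[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'JUNK'")
NULL_REF = "System.NullReferenceException: Object reference not set to an instance of an object."
XSS_PROBE = "<script>alert(1)</script>"
REFLECTED = '{"result":"no matches for ' + XSS_PROBE + '"}'

# The slide names ODBC and SQL; the remaining driver fragments are added here.
SQL_SIGNATURES = [r"\bODBC\b", r"\bSQL\b", r"SqlException", r"Incorrect syntax near",
                  r"Unclosed quotation mark", r"syntax error"]


def classify_response(input_tag, probe, body):
    """Map one fuzz response to the vulnerability types it suggests.

    input_tag is the class the probe was chosen to test ("sqli", "xss", ...),
    mirroring the slide's idea of tagging inputs with a vulnerability type.
    """
    findings = []
    if any(re.search(sig, body, re.IGNORECASE) for sig in SQL_SIGNATURES):
        findings.append("SQL injection")
    elif "<soap:Fault>" in body or "Exception" in body:
        findings.append("bad error handling")
    if input_tag == "xss" and probe in body:      # reflected without encoding
        findings.append("cross-site scripting")
    return findings


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE books(title TEXT)")
    con.executemany("INSERT INTO books VALUES (?)",
                    [("Cryptonomicon",), ("Zen and the Art of Motorcycle Maintenance",)])
    return con


def vulnerable_search(title):
    """Deliberately injectable lookup (string concatenation), standing in for an endpoint."""
    return _db().execute(
        "SELECT COUNT(*) FROM books WHERE title = '" + title + "'").fetchone()[0]


def safe_search(title):
    """Same lookup with a bound parameter: injection probes are just odd titles."""
    return _db().execute(
        "SELECT COUNT(*) FROM books WHERE title = ?", (title,)).fetchone()[0]


def boolean_injection(send, known_value):
    """Detect injection that never raises an error.

    Append a true and a false condition to a value known to match. If the true
    form behaves like the baseline and the false form does not, the input is
    being interpreted as SQL even though no error text ever came back.
    """
    baseline = send(known_value)
    as_true = send(known_value + "' AND '1'='1")
    as_false = send(known_value + "' AND '1'='2")
    return as_true == baseline and as_false != baseline
```

The error classifier only fires when the application leaks a driver message, which is the limitation the slide is pointing at; the boolean check needs no error at all, only a value the scanner already knows is valid (a title observed during spidering, for instance) and a way to compare responses.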


    Next Steps: Improve Fuzzing

- Multi-threading will be key
- Currently only methods with primitive parameters are supported
- Add support for objects with properties as their own n-dimensional spaces to be traversed
- Will eventually need to get smart about which combinations are selected
  - Selectively choose input patterns
  - Data mine the results


    Next Steps: Break Out Into IndividualTools

This would assist in manual vulnerability testing:
- SOAP Web Services Fuzzer
- GWT Request Crafter
- JSON Console
- And so on


    Questions

Dan Cornell
[email protected]
(210) 572-4400

Sprajax Site: www.owasp.org/index.php/Sprajax
Sprajax Mailing List: [email protected]

Denim Group Website: www.denimgroup.com
Denim Group Blog: denimgroup.typepad.com