the dark side of ajax
play

The Dark Side of Ajax Jacob West Fortify Software Mashup Pink - PowerPoint PPT Presentation

Nov 01, 2022 •459 likes •993 views

The Dark Side of Ajax Jacob West Fortify Software Mashup Pink Floyd AJAX all purpose cleaner Dark Side of the Moon Ajax Fancier and easier-to-use web applications using: A synchronous Web 1.0 J avaScript Server Web page A nd

  1. The Dark Side of Ajax Jacob West Fortify Software

  2. Mashup Pink Floyd AJAX all purpose cleaner Dark Side of the Moon

  3. Ajax � � Fancier and easier-to-use web applications using: A synchronous Web 1.0 J avaScript Server Web page A nd (smart) (dumb) X ML � � Matter of degree, not kind Ajax Server Web page (smart) (smart)

  4. Success is foreseeing failure – Henry Petroski

  5. Cross-Site Scripting <c:if test="${param.sayHello}"> Hello ${param.name}! </c:if> “We never intended the code that's in there to actually be production-ready code.” - Ryan Asleson

  6. Reliving Past Mistakes � � Cross-site scripting looks more and more like buffer overflow Buffer Overflow Cross-site Scripting � � Allows arbitrary code execution � � Allows arbitrary code execution � � Easy mistake to make in C/C++ � � Easy mistake to make � � Exploit is hard to write � � Exploit is easy to write � � Well known problem for decades � � Well known problem for a decade

  7. What’s Wrong with Ajax? � � Today’s rage or tomorrow’s security disaster? � � Could more JavaScript possibly be better? � � Sample of the almost 400 JavaScript CVE entries: CVE-2007-1794: The Javascript engine in Mozilla 1.7 and earlier… can allow remote attackers to execute arbitrary code. CVE-1999-0793 Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet. CVE-1999-0790 A remote attacker can read from a Netscape user's cache via JS CVE-1999-0347 Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified

  8. Overview � � Introduction � � Ajax for… � � Developers � � Hackers � � Risks � � Old � � New � � State of the frameworks � � Automated protections � � The future of Ajax

  9. AJAX FOR DEVELOPERS

  10. Ajax From the Programmer’s Perspective � � Increased complexity makes frameworks attractive � � Popular toolkits for Ajax development include: � � Google Web Toolkit (GWT) � � Direct Web Remoting (DWR) � � Microsoft ASP.NET AJAX (Codename Atlas) � � Client-side libraries (e.g. Prototype and Dojo) � � Also popular: ad-hoc Ajax (roll-your-own)

  11. Back-of-the-Napkin Analysis high Ad-hoc Atlas DWR GWT low high

  12. Ajax - The Case of the Vanishing “X” � � XML being replaced by more JavaScript/JSON <book> <title>JavaScript, the Definitive Guide</title> <publisher>O'Reilly</publisher> XML <author>David Flanagan</author> <cover src="/images/cover_defguide.jpg" /> <blurb>elit.</blurb> </book> { "book": { "title":"JavaScript, the Definitive Guide", "publisher":"O'Reilly", "author":"David Flanagan", JSON "cover":"/images/cover_defguide.jpg", "blurb":”elit." } }

  13. AJAX FOR HACKERS

  14. Ajax For Malware � � Exploit writers buy JavaScript books too � � Web 2.0 exploits for Web 1.0 vulnerabilities � � MySpace worm � � Port scanning behind your firewall � � Jikto

  15. MySpace Worm - 1/3 � � MySpace does bad input validation � � Users to post a subset of HTML on their pages � � No <script> tags, no use of the word “javascript”, etc

  16. MySpace Worm - 2/3 � � User “Samy” discovers some holes � � Some browsers allow JavaScript in style attributes � � Some browsers interpret “java\nscript” as “javascript” � � Circumvents MySpace's efforts to prevent JavaScript

  17. MySpace Worm - 3/3 � � Samy adds JavaScript (Ajax) to his page � � Visitors to his page automatically add Samy as a friend and inserts “Samy is my hero” into their profile � � Visitors to a page where Samy is a friend take the same actions � � MySpace goes down

  18. Port Scanning Behind Firewalls - 1/2 Server 1) “show me dancing pigs!” scan Malicious 2) “check this out” Web page scan Browser scan 3) port scan results Firewall

  19. Port Scanning Behind Firewalls - 2/2 � � Request images from internal IPs (<img src=“192.168.0.4:8080”/> � � Use timeout/onerror to determine if hosts respond � � <iframe/> with timer/onload to map web servers � � Fingerprint webapps using known image names

  20. Jikto - 1/2 � � JavaScript vulnerability scanner (Billy Hoffman with credit to pdp for crawler) � � Spreads like worm over XSS vulnerabilities � � Uses Google as proxy to bypass same origin policy � � Same Origin Policy: basis for browser security � � JavaScript can't see content from other domains � � Protects sites from each other

  21. Jikto - 2/2 Target Site attack "Infected" Google page Translate vulnerability scanner Victim Malicious Site

  22. Moral to the Story � � No new vulnerabilities here, just better exploits � � Good offense makes good defense more important � � Good offense is making fast progress

  23. OLD RISKS RECONSIDERED

  24. Defending Ajax: Old Risks Reconsidered New name, same game � � Old vulnerabilities, new programming language � � Input validation � � Exposing the server

  25. Old Vulnerabilities, New Language Cross-site scripting in pure JavaScript: q = location.search.split(“q=“)[1]; q = unescape(q); div.innerHTML = “searching for “ + q;

  26. Old Risks: Input validation - 1/3 Easy to lose track of where validation is performed Server Client

  27. Old Risks: Input validation - 2/3 � � More entry points on the server � � More, smaller, requests � � Decentralized design � � Easy to over-expose

  28. Old Risks: Input validation - 3/3 � � More subtle entry points on the server � � Looks like Web services � � Hard to tell if method call initiated locally (safe) or remotely (dangerous) � � Harder to tell what can be trusted

  29. Old Risk: Exposing Yourself � � Example: DWR <dwr> <allow> ... <create creator=”new” javascript=”ApartmentDAO” class=”dwr.sample.ApartmentDAO”> <exclude method=”countApartments”/> </create> </allow> </dwr>

  30. NEW PROBLEMS

  31. New: Harder to Test � � Dirty-data shooters rely on Web 1.0 conventions � � HTTP � � HTML forms � � 1 parameter = 1 application variable � � Ajax = more complex data structures � � Ajax requires sophisticated browser emulation � � How do you spider an Ajax application? � � Looks much more like testing conventional software

  32. Old: Cross-Site Request Forgery (CSRF) � � Cross-Site Request Forgery � � JavaScript submits HTTP requests on victim's behalf � � Allows attacker to submit commands, but not inspect the response (Same Origin Policy) � � Application is vulnerable if it: � � Relies on user’s identity (e.g. persistent or session cookies) � � Does not have secondary authentication mechanism � � Attack against data integrity

  33. New: JavaScript Hijacking - 1/2 � � Builds on CSRF � � Breaks confidentiality through loophole in SOP � � Vulnerable if: � � Site responds to HTTP GET � � Transmits sensitive data in JavaScript syntax

  34. New: JavaScript Hijacking - 2/2 Ajax Application GET 1) “show me dancing pigs!” Malicious Server JavaScript Mal page { witness code } 2) “check this out” <script src=“...”> Browser 3) confidential data

  35. Defenses Against JavaScript Hijacking � � Prevent CSRF � � Decline malicious requests by requiring unique token … and remember � � Default to POST not enough (Developers add GET so that result can be cached) � � Check for a known HTTP header not enough (Flash CSRF vulnerability) � � Prevent execution of JavaScript � � while(1);, /* ... */, etc … and remember � � calling parseJSON() rather than eval() does not help

  36. STATE OF THE FRAMEWORKS

  37. How 12 Popular Frameworks Stack Up Prevents Framework Summary JavaScript Hijacking? Supports JSON. Defaults to POST when no method is specified, but is easily Prototype No customizable for using either POST or GET. Supports JSON. Provides additional UI controls and uses the Prototype library for Script.aculo.us No generating requests. Dojo Supports JSON. Defaults to POST, but does not explicitly prevent JavaScript Hijacking. No Uses an expanded version of JSON. Does not implement any JavaScript Hijacking DWR 1.1.4 No prevention mechanisms. Moo.fx Supports JSON. Defaults to POST, but can easily be configured to use GET. No jQuery Supports JSON. Defaults to GET. No Yahoo! UI Supports JSON. Responds to GET requests. No Does not currently support JSON, but will in the future. Supports XML as a data transfer Rico N/A format. Defaults to GET. Supports JSON. Uses POST by default, but allows programmers to easily change POST Microsoft Atlas No to GET and encourages doing so for performance and caching. MochiKit Supports JSON. Defaults to GET. No xajax Does not currently support JSON. Supports XML as a data transfer format. N/A Supports JSON. Uses POST by default; however, documentation describes how to make GWT No GET requests instead and does not mention any security ramifications.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ajax &amp; cron jobs Dr. Steven Bitner AJAX (Asynchronous JavaScript and XML) So far in this

Ajax &amp; cron jobs Dr. Steven Bitner AJAX (Asynchronous JavaScript and XML) So far in this

Ajax &amp; cron jobs Dr. Steven Bitner AJAX (Asynchronous JavaScript and XML) So far in this course All of our interactions have been server side or client side AJAX blurs the lines a bit AJAX Change out part of a page Policy

556 views • 17 slides
Ajax and JSF2.x Advanced Web Technologies Ajax 6) Ajax in JSF2.x AJAX Principles AJAX

Ajax and JSF2.x Advanced Web Technologies Ajax 6) Ajax in JSF2.x AJAX Principles AJAX

Ajax and JSF2.x Advanced Web Technologies Ajax 6) Ajax in JSF2.x AJAX Principles AJAX example in PHP (and some other rarities) Ajax in JSF Emmanuel Benoist JSF1.2 vs JSF 2.0 Fall Term 2016-17 The f:ajax tag Berner Fachhochschule

432 views • 8 slides
CSE 510 Web Data Engineering Client-Side Programming Ajax UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming Ajax UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming Ajax UB CSE 510 Web Data Engineering Interactive Applications Using Ajax Ajax is a set of technologies that collectively enable interactive applications Hallmark: Part of a page

812 views • 19 slides
Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of

Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of

Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of Leadership Dr Holly Andrews Worcester Business School Global Business Conference Sibenik 2015 Overview What is the issue? Introducing psychopathy

372 views • 18 slides
Does Ajax need XML? The X in Ajax once stood for XML Now x is more like ? Whatever

Does Ajax need XML? The X in Ajax once stood for XML Now x is more like ? Whatever

JSON Venkat Subramaniam svenkat@cs.uh.edu 1 Does Ajax need XML? The X in Ajax once stood for XML Now x is more like ? Whatever thats appropriate XML has its advantages and disadvantages Very expressive, but too noisy,

458 views • 7 slides
Ajax and Client-Side Evaluation of i-Tasks Workflow Specifications Rinus Plasmeijer Jan

Ajax and Client-Side Evaluation of i-Tasks Workflow Specifications Rinus Plasmeijer Jan

Ajax and Client-Side Evaluation of i-Tasks Workflow Specifications Rinus Plasmeijer Jan Martin Jansen - Peter Achten Pieter Koopman University of Nijmegen - Dutch Defense Academy clean.cs.ru.nl

503 views • 48 slides
Sterile neutrinos: the dark side of the light fermions Sterile neutrino: a well-motivated dark

Sterile neutrinos: the dark side of the light fermions Sterile neutrino: a well-motivated dark

Whats ? Alexander Kusenko (UCLA/IPMU) Sterile neutrinos: the dark side of the light fermions Sterile neutrino: a well-motivated dark matter candidate observed neutrino masses imply the existence of right-handed singlets, which can

1k views • 31 slides
Web client programming JavaScript/AJAX Web requests with JavaScript/AJAX Needed for

Web client programming JavaScript/AJAX Web requests with JavaScript/AJAX Needed for

Web client programming JavaScript/AJAX Web requests with JavaScript/AJAX Needed for reverse-engineering homework site Web request via jQuery JavaScript library jQuery.ajax({ 'type': 'GET', 'url': 'http://vulnerable/ajax.php',

335 views • 22 slides
AJAX KUNG FU ACCESSIBILITY UNIVERSALITY PROGRESSIVE ENHANCEMENT AJAX CONTENT STRUCTURE

AJAX KUNG FU ACCESSIBILITY UNIVERSALITY PROGRESSIVE ENHANCEMENT AJAX CONTENT STRUCTURE

AJAX KUNG FU ACCESSIBILITY UNIVERSALITY PROGRESSIVE ENHANCEMENT AJAX CONTENT STRUCTURE HTML PRESENTATION CSS BEHAVIOR AJAX WHAT IS AJAX THIN CLIENT BROWSER SERVER DISPLAY STORE PROCESS RICH CLIENT AJAX BROWSER SERVER

704 views • 18 slides
Ajax Thierry Sans Ajax - fetching data without refreshing the page id=scACRSm... Ajax anything

Ajax Thierry Sans Ajax - fetching data without refreshing the page id=scACRSm... Ajax anything

Ajax Thierry Sans Ajax - fetching data without refreshing the page id=scACRSm... Ajax anything Javascript Why do we need Ajax? So far, when we wanted to send data to the server or retrieve data from the server we had to refresh

1.01k views • 8 slides
AJAX Andrea Ferracani Client side programming client - server communication

AJAX Andrea Ferracani Client side programming client - server communication

AJAX Andrea Ferracani Client side programming client - server communication andreaferracani@gmail.com luned 6 maggio 2013 DOM - Document Object Model The Document Object Model ( DOM ) is a

824 views • 39 slides
Living in a Parallel World: mirror dark matter, dark gravity, etc. Zurab Berezhiani Universit

Living in a Parallel World: mirror dark matter, dark gravity, etc. Zurab Berezhiani Universit

Living in a Parallel World: mirror dark matter, dark gravity, etc. Zurab Berezhiani Universit di L Aquila and LNGS Gran Sasso, Italy Dark Matter Connection .... , GGI, Florence, 16-20 May 2010 Dark Side as parallel sector, etc ... - p.

796 views • 45 slides
The Universe, and its Dark Side 95% Email: ph116@u.washington.edu Dec 9, 2011 Session 42

The Universe, and its Dark Side 95% Email: ph116@u.washington.edu Dec 9, 2011 Session 42

The Universe, and its Dark Side 95% Email: ph116@u.washington.edu Dec 9, 2011 Session 42 Review Announcements Final exam: Monday 12/12, 2:30-4:20 pm Same length/format as previous exams (but you can have 2 hrs) Kyle Armour is

516 views • 22 slides
Welcome Centre Immigrant Services (Ajax) Hermia Corbette, Ajax Welcome Centre Manager

Welcome Centre Immigrant Services (Ajax) Hermia Corbette, Ajax Welcome Centre Manager

Welcome Centre Immigrant Services (Ajax) Hermia Corbette, Ajax Welcome Centre Manager International Soft-landing Touchdown program May 16, 2016 Ajax Welcome Centre Overview Why Durham Region Welcome Centre Immigrant Services

325 views • 17 slides
THE DARK SIDE TO THE UPSIDE Our Moderator &amp; Panelists Michelle Marquis Tim Cafferty Amy

THE DARK SIDE TO THE UPSIDE Our Moderator &amp; Panelists Michelle Marquis Tim Cafferty Amy

7 Weeks to Vacation Rental Recovery Webinar Series THE DARK SIDE TO THE UPSIDE Our Moderator &amp; Panelists Michelle Marquis Tim Cafferty Amy Gaster Kevney Dugan Lexicon Travel Technologies Outer Banks Blue Realty Services Tybee Vacation

588 views • 26 slides
Set 3: AJAX Basics What can AJAX do? 1 ajax1_1 Inserting a row (1/2) // Inserts &quot;this

Set 3: AJAX Basics What can AJAX do? 1 ajax1_1 Inserting a row (1/2) // Inserts &quot;this

IT452 Advanced Web and Internet Systems Set 3: AJAX Basics What can AJAX do? 1 ajax1_1 Inserting a row (1/2) // Inserts &quot;this is a new row&quot; as a new row in the table function handleQuery() { var elems = [ &quot;this&quot;,

359 views • 6 slides
Conference Call Presentation First Quarter 2019 May 7, 2019 Cautionary Statement Regarding

Conference Call Presentation First Quarter 2019 May 7, 2019 Cautionary Statement Regarding

Conference Call Presentation First Quarter 2019 May 7, 2019 Cautionary Statement Regarding Forward Looking Information This document and the remarks made within this presentation may include, and officers and representatives of American

305 views • 30 slides
Verifying Operational Effectiveness For Physical www.sandia.gov Protection Systems Charlie

Verifying Operational Effectiveness For Physical www.sandia.gov Protection Systems Charlie

Verifying Operational Effectiveness For Physical www.sandia.gov Protection Systems Charlie Nickerson Nuclear Cyber Programs Idaho National Laboratory Janice Leach Physical Security Analysis Sandia National Laboratories November 2017

300 views • 10 slides
Proposed Fire Code Updates January 2020 Dave Winnacker Fire Chief Fire History -Within 2 miles

Proposed Fire Code Updates January 2020 Dave Winnacker Fire Chief Fire History -Within 2 miles

Proposed Fire Code Updates January 2020 Dave Winnacker Fire Chief Fire History -Within 2 miles of the Caldecott Tunnel, 15 major fires have burned since Hwy 24 1923 -Eleven of these fires destroyed 3,542 homes, took 26 lives, and caused

781 views • 13 slides
Presentation to the United States Hum an Space Flight Plans Review Com m ittee Jean-Yves Le

Presentation to the United States Hum an Space Flight Plans Review Com m ittee Jean-Yves Le

Presentation to the United States Hum an Space Flight Plans Review Com m ittee Jean-Yves Le Gall Chairm an &amp; CEO W ashington, D.C. W ednesday, August 5 , 2 0 0 9 1 United States Hum an Space Flight Plans Review Com m ittee August

135 views • 13 slides
Town of Ajax Corporate Asset Management Plan February 13, 2017 General Government Committee

Town of Ajax Corporate Asset Management Plan February 13, 2017 General Government Committee

Town of Ajax Corporate Asset Management Plan February 13, 2017 General Government Committee Prepared By: Infrastructure and Asset Management Operations and Environmental Services Department Current Practices Staff have been managing the

627 views • 18 slides
jQuery: Plugins, AJAX, AHAH David Eads Chicago T echnology Cooperative eads@chicagotech.org

jQuery: Plugins, AJAX, AHAH David Eads Chicago T echnology Cooperative eads@chicagotech.org

jQuery: Plugins, AJAX, AHAH David Eads Chicago T echnology Cooperative eads@chicagotech.org http://chicagotech.org We are very fortunate. A very simple plugin (function($){ $.fn.spliceIn = function(opt) { opt = $.extend({}, { position:

299 views • 10 slides
F10 5/18/2007 11:15:00 AM &quot;C HALLENGES IN P ERFORMANCE T ESTING OF AJAX A PPLICATIONS &quot;

F10 5/18/2007 11:15:00 AM &quot;C HALLENGES IN P ERFORMANCE T ESTING OF AJAX A PPLICATIONS &quot;

BIO PRESENTATION PAPER F10 5/18/2007 11:15:00 AM &quot;C HALLENGES IN P ERFORMANCE T ESTING OF AJAX A PPLICATIONS &quot; Rajendra Gokhale Aztecsoft International Conference On Software Test Analysis And Review May 14-18, 2007 Orlando, FL

542 views • 37 slides
Ajax Cycling Plan Mayor Steve Parish, Town of Ajax (NOTE: All notes added by Summit Organizers)

Ajax Cycling Plan Mayor Steve Parish, Town of Ajax (NOTE: All notes added by Summit Organizers)

Peterborough and the Kawarthas Cycling Summit 2011 PRESENTION: Steve Parish, Mayor of Ajax Slide 1 An inside look at the Ajax Cycling Plan Mayor Steve Parish, Town of Ajax (NOTE: All notes added by Summit Organizers) Mayor Parish s family

106 views • 10 slides

More recommend