Securing AJAX Applications: New Threats and Defenses?
Philipp Färber and Moritz Kuhn, AdNovum Informatik AG

2 AJAX & Security

AJAX (rich & interactive GUI)
> Attribute of Web 2.0 applications (user-created content, social networking, mash-ups, …)
> Used by web applications which replace typical desktop apps (e.g., e-mail clients)
> Now technologies spread to more traditional web applications (e.g., financial institutions)

We’ve seen many interesting attacks:
2005: SAMY/MySpace = XSS + CSRF -> ‘Payload’ is JS
2006: Yamaner/Yahoo = Mail/XSS -> JS via e-mail
2007: Gmail attack(s) = CSRF -> fully dynamic RWA

3 AGENDA

> Background
  – Rich Web Applications Model
  – Same Origin Policy
  – XSS & CSRF
> Demo: CSRF and XSS in an AJAX
> AJAX Security
  – Architecture Perspective
  – Server-Side Perspective
  – Client-Side Perspective
  – Testing Perspective
> Conclusion

4 Rich Web Applications: The AJAX Model

[Diagram: client browser with Frame1 and Frame2, each holding its own JS and DOM environment, exchanging requests and responses with Server 1 and Server 2]

AJAX: "Asynchronous JavaScript And XML"
> Presentation using XHTML and CSS
> Data interchange in XML
> Dynamic display using the Document Object Model
> Asynchronous requests using XMLHttpRequest (XHR)
> JavaScript binding everything together
(Jesse James Garrett, 2005)

Umbrella term for several technologies
> Does not have to be XML
> Term used to describe a category of web applications

5 Same Origin Policy – in Theory

[Diagram: Frame1 (Origin A, Server 1) and Frame2 (Origin B, Server 2), each with its own JS and DOM environment; cross-origin GET, form POST and <script> loads pass the border, cross-origin JS access to the other frame's DOM and environment is blocked]

> Mechanism that governs the ability for JavaScript to access DOM properties and methods across domains
> One of the most important security concepts within modern browsers
> Quite simple model in theory: if protocol, host name and port number for two interacting pages match, access is granted with no further checks.
> Enforced at the window border (window, frame, iframe)

6 Same Origin Policy in Practice: DOM
http://code.google.com/p/browsersec/wiki/Part2

7 Same Origin Policy in Practice: Cookies
http://code.google.com/p/browsersec/wiki/Part2

8 Same Origin Policy in Practice: XHR (1)
http://code.google.com/p/browsersec/wiki/Part2

9 Same Origin Policy in Practice: XHR (2)
http://code.google.com/p/browsersec/wiki/Part2

10 Same Origin Policy – in Practice

XMLHttpRequest:
> More strict
> HTTP requests only to originating site

Form post requests:
> <FORM ACTION="..."> submits POST and GET requests to remote targets
> May be triggered automatically by JavaScript

Too strict and inflexible to application developers: “major annoyance and stifling innovation”
Too fuzzy and loose to security engineers: “Putting user data at undue risk in case of minor and in practice nearly unavoidable programming errors.”
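The following is an added example, not part of the slide deck, that models the Same Origin Policy rule stated on the "in Theory" and "in Practice" slides: two pages share an origin only when protocol, host name and port match (default ports normalised), and of the cross-origin interactions the slides list, form submits and <script> includes cross the border while XHR and DOM access do not. The origins (bank.example, ads.example, cdn.example), the interaction kinds and the sample list are constructed for illustration; the policy table reflects only what the slides state, not every browser nuance.

```javascript
// Added example (not from the slides): a small model of the Same Origin Policy
// as the deck summarises it. Runs under Node.js; all URLs are constructed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to the (protocol, host name, port) triple the policy compares.
// The WHATWG URL parser leaves `port` empty for a protocol's default port, so
// we fill it in to make http://a.example and http://a.example:80 compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { protocol: u.protocol, hostname: u.hostname.toLowerCase(), port };
}

// The rule from slide 5: all three components must match, nothing else is checked.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.protocol === ob.protocol && oa.hostname === ob.hostname && oa.port === ob.port;
}

// Cross-origin interactions per the slides (assumed labels):
//   dom    - script reading another window/frame's DOM   -> blocked
//   xhr    - XMLHttpRequest to another site              -> blocked
//   form   - <FORM ACTION="..."> submit to remote target -> allowed
//   script - <script src> include from another site      -> allowed
const CROSS_ORIGIN_ALLOWED = { dom: false, xhr: false, form: true, script: true };

// Decide whether a page at pageUrl may perform interaction `kind` against targetUrl.
function sopAllows(pageUrl, targetUrl, kind) {
  if (!(kind in CROSS_ORIGIN_ALLOWED)) {
    throw new Error(`unknown interaction kind: ${kind}`);
  }
  if (isSameOrigin(pageUrl, targetUrl)) return true; // same origin: no further checks
  return CROSS_ORIGIN_ALLOWED[kind];
}

// Filter a list of interactions down to those a policy-following browser refuses;
// handy when reviewing what a page can reach from a given origin.
function blockedInteractions(pageUrl, interactions) {
  return interactions.filter((i) => !sopAllows(pageUrl, i.target, i.kind));
}

// Constructed sample: a page on https://bank.example and a few interactions.
const PAGE = 'https://bank.example/account';
const SAMPLE = [
  { kind: 'xhr',    target: 'https://bank.example/api/balance' },  // same origin
  { kind: 'xhr',    target: 'https://bank.example:443/api/x' },    // same origin (default port)
  { kind: 'xhr',    target: 'http://bank.example/api/balance' },   // protocol differs: blocked
  { kind: 'dom',    target: 'https://ads.example/widget' },        // host differs: blocked
  { kind: 'form',   target: 'https://ads.example/submit' },        // cross-origin form: allowed
  { kind: 'script', target: 'https://cdn.example/lib.js' },        // cross-origin script: allowed
];

for (const b of blockedInteractions(PAGE, SAMPLE)) {
  console.log(`blocked: ${b.kind} -> ${b.target}`);
}
```

The `form` and `script` rows are the point of the "in Practice" slide: the policy stops script from reading across the border, but it does not stop a page from sending requests across it, which is the gap CSRF exploits and why server-side checks are still required.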