Securing AJAX Applications PDF

38 Pages·2009·0.47 MB·English
Preview Securing AJAX Applications

Slide 1 – Securing AJAX Applications: New Threats and Defenses?
Philipp Färber and Moritz Kuhn, AdNovum Informatik AG

Slide 2 – AJAX & Security
AJAX (rich & interactive GUI)
> Attribute of Web 2.0 applications (user-created content, social networking, mash-ups, …)
> Used by web applications which replace typical desktop apps (e.g., e-mail clients)
> Now technologies spread to more traditional web applications (e.g., financial institutions)
We’ve seen many interesting attacks:
2005: SAMY/MySpace = XSS + CSRF -> ‘Payload’ is JS
2006: Yamaner/Yahoo = Mail/XSS -> JS via e-mail
2007: Gmail attack(s) = CSRF -> fully dynamic RWA

Slide 3 – Agenda
> Background
  – Rich Web Applications Model
  – Same Origin Policy
  – XSS & CSRF
> Demo: CSRF and XSS in an AJAX
> AJAX Security
  – Architecture Perspective
  – Server-Side Perspective
  – Client-Side Perspective
  – Testing Perspective
> Conclusion

Slide 4 – Rich Web Applications: The AJAX Model
[Diagram: client with Frame1 and Frame2 (JS, DOM, env) exchanging XHR with Server 1 and Server 2]
AJAX: "Asynchronous JavaScript And XML"
> Presentation using XHTML and CSS
> Data interchange in XML
> Dynamic display using the Document Object Model
> Asynchronous requests using XMLHttpRequest (XHR)
> JavaScript binding everything together (Jesse James Garrett, 2005)
Umbrella term for several technologies
> Does not have to be XML
> Term used to describe a category of web applications

Slide 5 – Same Origin Policy – in Theory
[Diagram: Frame1 at Origin A / Server 1 and Frame2 at Origin B / Server 2, each with JS, DOM and env; XHR, GET, form POST and <script> paths between them]
> Mechanism that governs the ability for JavaScript to access DOM properties and methods across domains
> One of the most important security concepts within modern browsers
> Quite simple model in theory: if protocol, host name and port number for two interacting pages match, access is granted with no further checks.
> Enforced at the window border (window, frame, iframe)

Slide 6 – Same Origin Policy in Practice: DOM
http://code.google.com/p/browsersec/wiki/Part2

Slide 7 – Same Origin Policy in Practice: Cookies
http://code.google.com/p/browsersec/wiki/Part2

Slide 8 – Same Origin Policy in Practice: XHR (1)
http://code.google.com/p/browsersec/wiki/Part2

Slide 9 – Same Origin Policy in Practice: XHR (2)
http://code.google.com/p/browsersec/wiki/Part2

Slide 10 – Same Origin Policy – in Practice
XMLHttpRequest:
> More strict
> HTTP requests only to originating site
Form post requests:
> <FORM ACTION="..."> submits POST and GET requests to remote targets
> May be triggered automatically by JavaScript
Too strict and inflexible to application developers: “major annoyance and stifling innovation”
Too fuzzy and loose to security engineers: “Putting user data at undue risk in case of minor and in practice nearly unavoidable programming errors.”
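The same-origin rule slide 5 states (protocol, host name and port must all match) as an added JavaScript example, not code from the slides. It assumes Node.js's global URL class and adds one practical detail the slides leave implicit, that an omitted port equals the scheme's default port; the second function records which of the slide-10 mechanisms the policy restricts and which cross origins freely.

```javascript
// Added example, not from the AdNovum slides. Runs under Node.js (global URL).
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Effective origin triple of a URL; an empty port means the scheme default.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { protocol: u.protocol, host: u.hostname.toLowerCase(), port };
}

// Slide 5's "quite simple model in theory": all three components must match
// exactly, otherwise no access. Subdomains and non-default ports are distinct origins.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.protocol === ob.protocol && oa.host === ob.host && oa.port === ob.port;
}

// Slide 10's split: XHR and DOM access are limited to the originating site,
// while a <form> submission or <script> include may target any remote origin
// (and JavaScript may trigger the form automatically). That asymmetry is what
// a server-side CSRF defence has to assume.
function crossOriginAllowed(mechanism, pageUrl, targetUrl) {
  if (sameOrigin(pageUrl, targetUrl)) return true;
  switch (mechanism) {
    case 'xhr':    return false; // HTTP requests only to originating site
    case 'dom':    return false; // enforced at the window border
    case 'form':   return true;  // POST and GET to remote targets
    case 'script': return true;  // <script src> loads from any origin
    default: throw new Error('unknown mechanism: ' + mechanism);
  }
}

// Constructed sample pair (reserved .example names): a page on one site
// addressing a second site.
const PAGE = 'http://attacker.example/';
const TARGET = 'http://bank.example/transfer';
for (const m of ['xhr', 'dom', 'form', 'script']) {
  console.log(m.padEnd(6), crossOriginAllowed(m, PAGE, TARGET) ? 'allowed' : 'blocked');
}
```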
