Hilton Giesenow Software Architect ConseQuent Software Development hiltonwork@giesenow.com


Improving end-user perception and usability

New functionality

Improving network/bandwidth usage

Improving approach to scripting

Be prepared! AJAX has some security issues... (at least from a security perspective)

AJAX

AJAX is more difficult to secure!
More complex

C#, HTML, CSS, Javascript, JSON, Web Services, ...

More complexity
API is more open & more fine-grained

Larger attack surface (at various levels)
More transparent

Uses the XmlHttpRequest (XHR) object

Sends ANY HTTP method
Simple: GET, POST, HEAD
WebDAV: COPY, DELETE

Fetches any kind of resource
XML, HTML, plain text, JSON
Images, Flash, Media, Silverlight
Script...

Limited to source domain (“Same Origin Policy”)

    // Shared request object (the original left it as an implicit global)
    var req;

    function loadXMLDoc(url) {
        req = new XMLHttpRequest();
        req.onreadystatechange = processResult;
        req.open("GET", url, true);   // asynchronous GET
        req.send(null);
    }

    function processResult() {
        if (req.readyState == 4) {    // 4 = request complete
            if (req.status == 200) {
                // process response
            } else {
                // handle error
            }
        }
    }

Attacks involve sending malformed commands

HTML tags submitted
Malformed image
SQL Injection: ViewProduct.aspx?id=-1
Unsecured pages...

These tend to be ‘edge’ cases

Attacker is now ‘inside’ your application!

Increased knowledge
Function names, parameters, return types, etc.
Entire API is visible

Larger attack surface
“what we do” vs. “how we do it”

DoS: Google Suggest

Application Logic

What can we do?
Reduce transparency
Obfuscate
Uncomment
(These also reduce file size)
Validate correctly and effectively
Reduce granularity

Exposed Business Rules

Exposed API – Web Service exploits!
WSDL exploits
So just disable the WSDL?

XML / JSON Hijacking

More options for parameter manipulation
Never trust the client
Never assume the client is a browser
Careful what logic gets pushed to the client
Never trust *any* client input

‘100%’ Secure

Mashups
Be careful of your partners and what you expose
Likewise in the other direction

SQL Injection
Actual code from a live ASP.NET AJAX site

Prototype Attacks
Javascript is a “prototype” language
Overwrite what XmlHttpRequest itself does!

Cross-Site Scripting and Request Hijacking

http://blah.com/page1.asp?name=Hilton
<html>...<h1>Welcome back, Hilton</h1>...</html>

http://blah.com/page1.asp?name=<script>bad!</script>
<html>...<h1>Welcome back, <script>bad!</script></h1>...</html>

Pre-AJAX Injection:
Inject script into HTML text
Inject script into fields written into tag attributes
CSS Injection
Blind requests, cannot see response

With AJAX Injection:
JSON
Self propagation!
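The page1.asp banner above, as an added example that is not from the original slides: the welcome heading built by plain concatenation (the vulnerable case shown), beside a version that HTML-encodes the untrusted name at the point of output, and the AJAX variant that takes the name from a JSON response via JSON.parse rather than eval and still encodes it. Function names are this example's own.

```javascript
// Added example, not from the original slides. Plain JavaScript, no DOM needed.

// Minimal entity encoder for a value placed inside an element body.
// (Attribute and URL contexts need their own encoders; this one is for element text only.)
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The pre-AJAX page as the slides show it: the query-string value is dropped
// straight into the markup, so ?name=<script>bad!</script> becomes live script.
function renderWelcomeUnsafe(name) {
  return "<h1>Welcome back, " + name + "</h1>";
}

// Hardened version: encode when writing output, whatever the value's source.
function renderWelcomeSafe(name) {
  return "<h1>Welcome back, " + escapeHtml(name) + "</h1>";
}

// AJAX variant: the name now arrives in a JSON response. JSON.parse never
// executes code (unlike eval("(" + body + ")")), the shape is checked, and the
// value is still encoded before it reaches the page.
function renderFromJsonResponse(body) {
  var data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return null;                      // malformed JSON: render nothing
  }
  if (!data || typeof data !== "object" || typeof data.name !== "string") {
    return null;                      // unexpected shape: render nothing
  }
  return renderWelcomeSafe(data.name);
}
```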

New to AJAX
Nothing to do with your site’s AJAX / non-AJAX
Injecting script (like XSS)
Injecting script that invokes XmlHttpRequest
AJAX requests look & function like normal requests
Browser can’t tell the difference: HTTP/HTTPS, Cookies, etc.

Diagram: the Victim logs in to the Online Banking site and receives a Cookie; the Victim then browses a Malicious / Infected website, whose script issues an xmlHttpRequest to the bank – Bank Transfer (authenticated).

Very similar conceptually
XSS is more about harvesting info
XSRF is more about doing things under the user’s account

October 2005 – 5th largest domain on the Internet infected
XSS exploit allowed <script> to be injected into user’s profile
Propagated via infected page
Payload: used AJAX to redirect users and add ‘Samy’ to their friends list
Added ‘Samy is my hero’ to profile

Sample: <DIV id="myCode" expr="alert('HelloWorld');" style="background('javascript:eval(document.myCode.expr))">

See http://namb.lab/popular/tech.html for all the details (from Samy himself)

Gmail, NetFlix, Yahoo, many others...

Lots of hype (“Bubble 2.0”)
But lots of value, too (did you come to the earlier session?)

AJAX can dramatically improve your site’s user experience

But how do we secure it?

MySpace - $400m
YouTube - $Xm
Writely.com -> Google
Del.icio.us - $50m (Yahoo)
Facebook: No to $700m

My site is for sale...

HTTP GET disabled by default

Avoids XSS via <script src=""> includes

Content-Type headers

ASP.NET *always requires* the Content-Type header set to application/json

UpdatePanel vs. Web & Page Services: more bytes, but more security!

AJAX is as ‘clean’ as you make it
“AJAX” security = “software” security

Never trust user input!
Validation – data types, ranges, canonicalization, black AND white list
User != browser

Reduce the attack surface
Minimize exposed logic
Minimize exposed endpoints

Microsoft ASP.NET AJAX Security Videos: http://msdn2.microsoft.com/en-us/security/aa570424.aspx

ASP.NET AJAX site: http://ajax.asp.net/

Team Blogs: http://blogs.msdn.com/

SPI Dynamics: http://www.spidynamics.com/

Open Web Application Security Project: http://www.owasp.org/

© 2007 Microsoft Corporation. All rights reserved.