Hilton Giesenow
Software Architect
ConseQuent Software Development
Improving end-user perception and usability
New functionality
Improving network/bandwidth usage
Improving approach to scripting (at least from a security perspective)
Be prepared! AJAX has some security issues...
AJAX
AJAX is more difficult to secure!
  More complex
    C#, HTML, CSS, Javascript, JSON, Web Services, ...
  More complexity
    API is more open & more fine-grained
  Larger attack surface (at various levels)
  More transparent
Uses the XmlHttpRequest (XHR) object
  Sends ANY HTTP method
    Simple: GET, POST, HEAD
    WebDAV: COPY, DELETE
  Fetches any kind of resource
    XML, HTML, plain text, JSON
    Images, Flash, Media, Silverlight
    Script...
  Limited to the source domain ("Same Origin Policy")
    var req;   // shared between the request and its callback

    function loadXMLDoc(url) {
        req = new XMLHttpRequest();
        req.onreadystatechange = processResult;
        req.open("GET", url, true);   // asynchronous GET, same origin only
        req.send(null);
    }

    function processResult() {
        if (req.readyState == 4) {        // request complete
            if (req.status == 200) {
                // process response
            } else {
                // handle error
            }
        }
    }
Attacks involve sending malformed commands
  HTML tags submitted
  Malformed image
  SQL Injection: ViewProduct.aspx?id=-1
  Unsecured pages...
These tend to be ‘edge’ cases
Attacker is now ‘inside’ your application!
Increased knowledge
  Function names, parameters, return types, etc.
  Entire API is visible
Larger attack surface
  "what we do" vs. "how we do it"
  DoS (Google Suggest)
Application Logic
What can we do?
  Reduce transparency
    Obfuscate
    Uncomment (strip comments)
    (These also reduce file size)
  Validate correctly and effectively
  Reduce granularity
(Diagram: Exposed Business Rules)
Exposed API – Web Service exploits!
  WSDL exploits
So just disable the WSDL?
XML / JSON Hijacking
More options for parameter manipulation
Never trust the client
  Never assume the client is a browser
  Be careful what logic gets pushed to the client
  Never trust *any* client input
(Slide graphic: "'100%' Secure")
Be careful of your partners and what you expose
Likewise in the other direction
Mashups
SQL Injection
Actual code from a live ASP.NET AJAX Site
SQL Injection
Prototype Attacks
  Javascript is a "prototype" language
  Overwrite what XmlHttpRequest itself does!
Cross-Site Scripting and Request Hijacking
http://blah.com/page1.asp?name=Hilton

<html>...<h1>Welcome back, Hilton</h1>...</html>

http://blah.com/page1.asp?name=<script>bad!</script>

<html>...<h1>Welcome back, <script>bad!</script></h1>...</html>
Pre-AJAX injection:
  Inject script into HTML text
  Inject script into fields written into tag attributes
  CSS injection
  Blind requests, cannot see the response
With AJAX injection:
  JSON
  Self propagation!
New to AJAX
  Nothing to do with your site's AJAX / non-AJAX
  Injecting script (like XSS)
  Injecting script that invokes XmlHttpRequest
  AJAX requests look & function like normal requests
    Browser can't tell the difference
    HTTP/HTTPS, Cookies, etc.
(Diagram: the Victim logs in to the Online Banking site and receives a Cookie; the Victim then browses a Malicious / Infected website, whose script issues an xmlHttpRequest to the bank that performs an authenticated Bank Transfer.)
Very similar conceptually
  XSS is more about harvesting info
  XSRF is more about doing things under the user's account
October 2005 – 5th largest domain on the Internet infected
XSS exploit allowed <script> to be injected into a user's profile
Propagated via the infected page
Payload:
  Used AJAX to redirect users and add 'Samy' to their friends list
  Added 'Samy is my hero' to the profile
Sample:
  <DIV id="myCode" expr="alert('HelloWorld');" style="background('javascript:eval(document.myCode.expr)')">
See http://namb.lab/popular/tech.html for all the details (from Samy himself)
Gmail
NetFlix
Yahoo
Many others...
Lots of hype ("Bubble 2.0")
But lots of value, too (did you come to the earlier session?)
AJAX can dramatically improve your site’s user experience
But how do we secure it?
MySpace - $400m
YouTube - $Xm
Writely.com -> Google
Del.icio.us - $50m (Yahoo)
Facebook: No to $700m
My site is for sale...
HTTP GET disabled by default
  Avoids XSS via <script src=""> includes
Content-Type headers
  ASP.NET *always requires* the Content-Type header set to application/json
UpdatePanel vs. Web & Page Services
  More bytes, but more security!
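An added example, not ASP.NET AJAX's own code, modelling the two defaults above: a gatekeeper that accepts a JSON service call only as a POST carrying Content-Type: application/json. The request shape ({ method, headers }) and the three constructed requests are assumptions of this example; they show why a <script src> include and a cross-site form post both fail the check while the site's own XHR call passes.

```javascript
// Strip parameters such as "; charset=utf-8" and normalise case.
function mediaType(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// Accept a JSON service call only as a POST (GET is disabled by default) whose
// Content-Type is application/json. Pass { allowGet: true } to model a service
// that re-enabled GET; the Content-Type rule still applies either way.
function acceptJsonServiceCall(request, options) {
  var allowGet = !!(options && options.allowGet);
  var method = String(request.method || "").toUpperCase();
  var headers = request.headers || {};
  if (method !== "POST" && !(allowGet && method === "GET")) {
    return { accepted: false, reason: "HTTP " + method + " is disabled for this service" };
  }
  if (mediaType(headers["content-type"]) !== "application/json") {
    return { accepted: false, reason: "Content-Type must be application/json" };
  }
  return { accepted: true, reason: "ok" };
}

// Constructed requests, one per way a service can be reached (not captured traffic):
// 1. The site's own XMLHttpRequest call, which can set any header it likes.
var ownXhrCall = { method: "POST",
                   headers: { "content-type": "application/json; charset=utf-8" } };
// 2. A <script src="..."> include on another page: the browser always issues a
//    GET and sends no JSON Content-Type, so the JSON is never returned to it.
var scriptInclude = { method: "GET", headers: {} };
// 3. A plain HTML <form> submitted from another site: a POST, but browsers only
//    send form encodings this way, never application/json.
var crossSiteForm = { method: "POST",
                      headers: { "content-type": "application/x-www-form-urlencoded" } };
```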
AJAX is as 'clean' as you make it
  "AJAX" security = "software" security
Never trust user input!
  Validation – data types, ranges, canonicalization, black AND white list
  User != browser
Reduce the attack surface
  Minimize exposed logic
  Minimize exposed endpoints
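An added example (not from the slides) of the validation checklist above, applied to the ViewProduct.aspx?id=-1 parameter from the SQL injection slide: canonicalize first, then white-list by type and range, and only then build a parameterised lookup. The function names, MAX_PRODUCT_ID and the query text are constructed for this example.

```javascript
// Canonicalise: percent-decode once, trim, and refuse anything that is not a plain
// run of ASCII digits. "1e3", "0x10", "1 OR 1=1" and "-1" are all rejected here.
function canonicalProductId(raw) {
  var text;
  try {
    text = decodeURIComponent(String(raw)).trim();
  } catch (e) {
    return null;                 // malformed %-escapes are not a product id
  }
  return /^[0-9]{1,9}$/.test(text) ? text : null;
}

// Type and range check: a positive integer inside the range the catalogue uses.
// MAX_PRODUCT_ID is a constructed limit for this example.
var MAX_PRODUCT_ID = 500000;
function validateProductId(raw) {
  var text = canonicalProductId(raw);
  if (text === null) return null;
  var id = parseInt(text, 10);
  return id >= 1 && id <= MAX_PRODUCT_ID ? id : null;
}

// The request handler: reject first, and only then build the lookup. The query
// is parameterised, so even a valid id is never concatenated into the SQL text.
function handleViewProduct(queryString) {
  var m = /(?:^|[?&])id=([^&]*)/.exec(queryString);
  var id = m ? validateProductId(m[1]) : null;
  if (id === null) {
    return { status: 400, sql: null, params: [] };
  }
  return { status: 200, sql: "SELECT * FROM Products WHERE Id = @id", params: [id] };
}
```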
Microsoft ASP.NET AJAX Security Videos: http://msdn2.microsoft.com/en-us/security/aa570424.aspx
ASP.NET AJAX site: http://ajax.asp.net/
Team Blogs: http://blogs.msdn.com/
SPI Dynamics: http://www.spidynamics.com/
Open Web Application Security Project: http://www.owasp.org/
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.