Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
AJAX – New Technologies, New Threats
Dr. David Movshovitz, IDC – School of Computer Science, [email protected]
14-09-2008
Lecture Agenda
Browser Technology Overview
What is AJAX
The XHR Object
AJAX Advantages
Web Application Architecture
JavaScript Browser Security
“Same Domain Policy”
AJAX Bridging
AJAX & Application Security - What’s new in Web 2.0
Exposure of Internal Details
Input Validation
Intranet Hacking
AJAX Security is a Real Problem
Browser Technology Evolution
Static HTML documents, one site at a time
Data content from different sites (images, frames)
Programmability with DOM (JavaScript)
Dynamic HTML (JavaScript)
AJAX & client-side mashup applications
What is AJAX
What is AJAX?
AJAX (Asynchronous JavaScript + XML) is a combination of web browser technologies that allows web page content to be updated “on-the-fly” without the user moving from page to page.
Coined by Jesse James Garrett of Adaptive Path
Not a language!
Uses JavaScript on the client and any Language on the Server
Ajax is the latest inheritor of the Dynamic HTML mantle, and allows for the development of feature rich and practical web applications.
Dynamic HTML - a DHTML webpage is any webpage in which client-side scripting changes variables of the presentation definition language, which in turn affects the look and function of otherwise "static" HTML page content, after the page has been fully loaded and during the viewing process.
AJAX is commonly used along with DHTML to provide an enhanced user interface.
AJAX and DHTML are two separate things
What is AJAX? (cont.)
In the background of an AJAX-enabled web page, data is transferred to and from the web server.
The mechanism for performing asynchronous data transfers is a software library embedded in all modern web browsers called XMLHttpRequest (XHR).
An AJAX web application uses an XHR JavaScript object to poll data from a remote web server and then manipulates this data to output it to the web page using the DOM.
“Ajax Engine” - the XMLHttpRequest (XHR) Object
Allows us to send information to the server without postbacks
Makes the request and receives the data back
Can be asynchronous or synchronous
XHR is the key to a website earning the “AJAX” moniker. Otherwise, it’s just fancy JavaScript.
Adaptive Path’s Original Diagram
The XHR Object
XHR Object Methods
Method – Description
abort() – Stops the current request
getAllResponseHeaders() – Returns all header (label/value) sets
getResponseHeader("headerLabel") – Returns the value of a specified header label
open("method", "URL"[, asyncFlag[, "userName"[, "password"]]]) – The heart and soul! Sets destination URL, method, and other optional attributes
send(content) – Transmits the request
setRequestHeader("label", "value") – Assigns a header to be sent with the request
XHR Object Properties
Property – Description
onreadystatechange – Event handler for an event that fires at every state change
readyState – Object status integer
responseText – String version of data returned from the server process
responseXML – DOM-compatible document object of data returned from the server process
status – Numeric code returned by the server, such as 404 for "Not Found" or 200 for "OK"
statusText – String message accompanying the status code
The XHR Object
The XHR open() - open("method", "URL", asyncFlag);
method = GET or POST
URL = Page to request
asyncFlag = true or false
The XHR send parameter – send(content)
Send is like clicking the submit button on a form.
The parameter should be set to null or an empty string if you are not posting any information.
If you are posting, the name/value pairs should look like a query string without the question mark, i.e. req.send("foo=bar&ajax=123");
If you are using GET, append the values to the URL in the open() method.
XHR Object Properties
onreadystatechange – the object's only event handler.
It is fired only in asynchronous mode (3rd parameter set to true in the open() method).
It is fired a total of 4 times.
We can assign a reference to a named function or an anonymous function to it:
req.onreadystatechange = functionName;
req.onreadystatechange = function() { /* statements */ };
readyState values
0 – Uninitialized; the initial value when a new reference to the object is created
1 – Open; the open() method has been successfully called.
2 – Sent; the request made it, but no data has yet been received.
3 – Receiving; all HTTP headers have been received.
4 – Loaded; the data transfer has been completed. We can now play with the data!
Example of XHR Object
var req = new XMLHttpRequest();
req.onreadystatechange = myFunction;   // called on every readyState change
req.open("GET", "http://myserver.com/data.xml", true);   // true = asynchronous
req.send(null);                        // a GET carries no body
...
function myFunction() {
  if (req.readyState == 4) { doSomethingWith(req.responseXML); }   // 4 = Loaded
  else if (req.readyState == 3) { showProgressIndicator(); }       // 3 = Receiving
}
Web applications use the XMLHttpRequest object to:
Dynamically load XML- or JSON-formatted data files
Use DHTML to alter the page based on the data
Basic Example of Request code
AJAX POST
var req = GetXHRObject();               // helper that returns a new XMLHttpRequest (defined elsewhere)
req.open("POST", "secure.php", true);
req.onreadystatechange = finishRequest; // handler defined elsewhere
req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); // so the server parses the body like a form post
req.send("foo=bar&ajax=123");
Regular Form POST
<form action="secure.php" method="POST">
<input type="text" name="foo" value="bar">
<input type="hidden" name="ajax" value="123">
<input type="submit" name="sub1">
</form>
Simple Scripted Attacks On A Server
var req = new Array();
for(var i = 0; i<1000; i++){
req[i] = GetXHRObject();
req[i].open("POST", "secure.aspx", true);
req[i].onreadystatechange = function(){};
req[i].send("foo=" + i);
}
AJAX Advantages
What is AJAX used for?
Data retrieval
Send data to the server for processing.
Form Validation
Anything you might load a new page for.
It is possible to build “One Page” Ajax Applications.
AJAX Advantages
Rich applications in modern browsers
Rich UI experience in a Web page
AJAX technology makes website interactivity smoother and more responsive
No more dreaded page refreshes
Very user-visible effect
In the case of Gmail, new email messages are displayed as they arrive automatically.
No issues with installation
Portable across browsers
All advantages of zero-install Web app
Built upon existing infrastructure – TCP/IP, XML, HTTP, SSL, etc.
Web Application Architecture
The Browser is the new “OS”
The browser has become a homogeneous execution platform
JavaScript is much more powerful
Object Oriented
Extendable: String.prototype.foo = function() {…}
Dynamic code execution
Regular Expressions
Very rich interface to/from browser/plugins
If JavaScript can’t do it, Flash/Java can
Web 1.0 to Web 2.0 Conversion
Architecture of Traditional Web Applications
Browser — A thin client
Most of the Application logic resides almost exclusively on server
Flow/business logic
Presentation logic
Client acts as a dumb terminal sending actions to the server
Server does all the processing and returns whole new page
Attacks Against Traditional Web Applications
Attacks involve:
Sending malicious data
Sending code as data
Trying to access unauthorized data
Malicious input/command hits edge cases in application design
Countermeasures:
Validate input parameters
Use proper authentication
Use proper authorization
Architecture of an AJAX Application
Browser – a rich/thick-client application
Application logic resides both on client and server
JavaScript™ technology takes on a bigger role
Uses XmlHttpRequest object
Fetch any kind of resource
HTML, GIF (view centric)
XML, JSON (data centric)
JavaScript technology (code centric)
Client DOM tree is being manipulated
Attacks Against AJAX Applications
Traditional web application attacks still apply
Attacker is inside your application
Knowledge increases
Larger attack surface
Data serialization from unknown/untrusted sources
Companies migrate to AJAX without much thought to security
In the case of mashups, attacking 3rd-party servers
JavaScript Browser Security – “Same Domain Policy”
JavaScript Security in the Browser
“Mobile code” = potential security risk
Browsers execute JavaScript code in a sandbox
Restrictions on JavaScript code in the sandbox
Cannot read/write files from/to the local system
Cannot execute any other programs
Cannot read the history of the browser
Cannot close a window that mobile code did not open
Cannot open a window that is too small
Browser’s “Same Origin” Policy
Also called “Server of Origin” Policy
“Origin” = (protocol + host + port) parts of the URL
Restriction limits interaction between frames, iframes, and script tags from different origins
Prevents client-side JavaScript from making requests to any server other than the server from which it was downloaded
Restriction has been extended to include XMLHttpRequest
XHR has security protections built-in, preventing a user’s browser on Website A from making connections to Website B, to protect users from malicious websites
Can only load XML from originating server
Different browser vendors implement this security somewhat differently
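The (protocol + host + port) rule above, as an added example that is not from the slides: a function that derives the origin triple from a URL the way the browser does, filling in the default port the browser assumes, plus a set of constructed URL pairs showing which differences the policy cares about.

```javascript
// Added example: compute a URL's origin as the (protocol, host, port) triple
// and compare two URLs under the browser's same-origin rule.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  // URL leaves .port empty for the scheme's default port, so fill it in
  // explicitly; "http://a/" and "http://a:80/" must compare equal.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed cases: path and query differences do not matter, but a changed
// scheme, a subdomain, or a non-default port each yield a different origin.
// (Some older browsers, notably Internet Explorer, ignored the port.)
const CASES = [
  ["http://example.com/app/index.html", "http://example.com/api/data.xml", true],
  ["http://example.com/",               "http://example.com:80/",          true],
  ["http://example.com/",               "https://example.com/",            false],
  ["http://example.com/",               "http://www.example.com/",         false],
  ["http://example.com/",               "http://example.com:8080/",        false],
];

// Returns one boolean per case: whether sameOrigin agreed with the expectation.
function checkCases() {
  return CASES.map(([a, b, expected]) => sameOrigin(a, b) === expected);
}
```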
“Same Origin” Policy for AJAX
More “Same Origin” Policy Cases
Proxy Remote Services
Also called “AJAX Bridging” or “Server-Side Proxy”
3rd-party proxy such as Apache mod_proxy, or a custom proxy
Has performance / security limitations
The Remote Proxy Solution
Developers often create a local HTTP proxy on the host web server.
To have the client pull in data from a third-party website, they’ll direct an XHR request through the local proxy pointing to the intended destination.
Consider the following example request generated by the web browser:
http://websiteA/proxy?url=http://websiteB/
Website A takes the incoming request and sends a request to Website B, designated by the “url” parameter value.
The security issue is that Website A is hosting an unrestricted HTTP proxy, and attackers love open proxies because they can initiate attacks that cannot be traced to their origin.
The capabilities of the proxy should be carefully controlled and restricted with regard to which websites it will connect to and how.
Security Issues with AJAX Bridges
An Ajax-enabled online book store called spibooks.com wants to access some of the Web services that majorbookstore.com provides, such as an author search or genre recommendation service.
While anyone can sign up for a free account to access majorbookstore.com’s Web services, these free accounts have very limited privileges:
The number of unique queries, the number of simultaneous queries, and the number of hits per second will all be set very low.
A formal partner agreement between the two companies allows spibooks.com to access majorbookstore.com with fewer restrictions.
Security Issues with AJAX Bridges
If the attacker wants to copy the entire author database from majorbookstore.com, he or she can simply issue thousands of queries to the Ajax bridge running on spibooks.com.
The relationship between the two Web sites allows the attacker to extract more data by going through spibooks.com than if he or she had used a free account directly from majorbookstore.com.
It is common in these situations for spibooks.com to limit the number of queries it has to make, reduce bandwidth, and improve performance for its users by caching the results it receives from majorbookstore.com.
Since the attacker’s query may already be in the cache, the attacker may be able to extract data faster by using spibooks.com.
Security Issues with AJAX Bridges
An attacker can also send malicious requests through the Ajax bridge from spibooks.com to majorbookstore.com; the bridge is another layer for the attacker to hide behind.
An attacker may cause a Denial of Service against all spibooks.com users if an IPS at majorbookstore.com detects the malicious requests coming from spibooks.com’s IP address and then automatically blocks all requests from spibooks.com.
It is possible that majorbookstore.com will not detect the attack being relayed through the Ajax bridge if majorbookstore.com does not scrutinize the requests it receives from spibooks.com for malicious content as closely as the requests it receives from others.
This is common practice, since the two parties have an agreement to help each other and there is an immense amount of traffic coming in from spibooks.com.
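The two controls the proxy and bridge slides call for (restricting which sites the proxy will connect to and how, and not lending the partner agreement to every anonymous caller), as an added example that is not from the slides: a server-side gate for the bridge's `url` parameter with an allow-list of partner origins and paths, plus a per-client quota. The partner endpoint, path prefixes, quota values and the `forward` callback are assumptions.

```javascript
// Added example: gate an AJAX bridge's "url" parameter with an allow-list of
// partner origins and paths, and cap each client's use of the bridge, so the
// proxy is neither an open relay nor a way to borrow the partner agreement.
const ALLOWED_ORIGINS = new Set(["https://api.majorbookstore.com"]); // assumed partner endpoint
const ALLOWED_PATH_PREFIXES = ["/authors/", "/genres/"];            // assumed partner APIs
const QUOTA = { limit: 100, windowMs: 60000 };                       // assumed per-client limit
const counters = new Map();                                          // clientId -> {count, windowStart}

// Returns {ok: true, target} for an acceptable destination, else {ok: false, reason}.
function checkProxyTarget(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // also normalises "." and ".." path segments
  } catch (e) {
    return { ok: false, reason: "unparseable url" };
  }
  if (u.username || u.password) return { ok: false, reason: "credentials in url" };
  if (u.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  if (!ALLOWED_ORIGINS.has(u.origin)) return { ok: false, reason: "host not allowed" };
  if (!ALLOWED_PATH_PREFIXES.some((p) => u.pathname.startsWith(p))) {
    return { ok: false, reason: "path not allowed" };
  }
  // Rebuild the target from the validated parts so nothing else rides along.
  return { ok: true, target: u.origin + u.pathname + u.search };
}

// Fixed-window request counter per client; `now` is injectable for testing.
function withinQuota(clientId, now = Date.now()) {
  const c = counters.get(clientId);
  if (!c || now - c.windowStart >= QUOTA.windowMs) {
    counters.set(clientId, { count: 1, windowStart: now });
    return true;
  }
  c.count += 1;
  return c.count <= QUOTA.limit;
}

// Simulated handler for GET /proxy?url=...  `forward` is an assumed function
// that performs the upstream request; it is only ever called for allowed targets.
function handleProxyRequest(clientId, queryUrl, forward, now = Date.now()) {
  if (!withinQuota(clientId, now)) {
    return { status: 429, body: "proxy refused: quota exceeded" };
  }
  const verdict = checkProxyTarget(queryUrl);
  if (!verdict.ok) {
    return { status: 403, body: "proxy refused: " + verdict.reason };
  }
  return { status: 200, body: forward(verdict.target) };
}
```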
AJAX & Application Security, or What’s New in Web 2.0
Major Cause of Security Concerns with AJAX-based Applications
Anyone CAN View the Source
Anyone can see the page that it is requesting from the JavaScript code!
Anyone can see the parameters being sent!
Anyone can see the validation!
Anyone can see the Business Logic!
The XHR object can be used to make requests without the user’s knowledge.
Attacker can also use images, iframes, frames, popup windows.
The AJAX model uses Web Services
More Ajax functionality = more Web Services = more places to attack (you only need to forget one thing to make a new hole)
AJAX Adds More Attack Vectors
Exposure of Internal Details – What’s new in Web 2.0?
Better tools to analyze client-side code
Firebug (view DOM tree, put breakpoints, alter values)
Watir - Ruby-based tool
Selenium - Java technology based Tool
Much more client-side code for hacker to view and dissect
Potentially more client-side comments for hacker to view
Better social community (blogs, newsgroups, forums)
Exposure of Internal Details – What’s new in Web 2.0?
Hackers’ knowledge has increased
Application architecture/design details
Program business/logic flow details
Function names, variable names, return types
Helps build a footprint of the web application
Direct API access
Developers encouraged to expose more web services
Attacker calls your backend functions directly
Bypasses logic in the client side
Calls functions out of order
Exposure of Internal Details - Countermeasures
Do not give out unnecessary information
Remove comments from HTML/JavaScript technology code
Developer names, design details, notes, build numbers
Use build-time tools to remove comments
Turn off WSDL for your web services
Many tools auto generate WSDLs — turn them off
No need to expose all services, inputs, and types to users
Is AJAX the appropriate technology?
Use traditional web-application technology where security is a high priority
Obfuscate your JavaScript technology code
JavaScript Code Obfuscation
Obfuscation is not fool-proof.
Obfuscation can make maintenance, debugging, and code review harder, which degrades security.
Input Validation What’s new in Web 2.0?
Validation confusion
Where is the validation done (client/server/both)?
With sophisticated drag-and-drop IDEs, validation details are hidden
Complexity of data has increased
Lack of good toolkits/regular expressions available to validate these types of input
What input gets validated?
Developers usually validate GET/POST parameters
Developers often forget about HTTP Headers
Developers forget about file input (images, audio, video)
Trusting data from B2B partners
Mashups are bringing data from non-validated sources
Improper Validation Countermeasures
Never trust the client!
Validate all input data to the application
Use strong validation techniques
Correctness, type, format, length, range, and context
Use white-listing instead of Black-listing
Escape input if possible
Always validate on the server side
Server-side validation = data integrity and security
Client-side validation as a subset of server side
Client-side validation = usability and performance
For mashups, never trust the external server
Client Validation for AJAX Response
Developers usually forget that the AJAX response is not perfect
Developers don’t validate the AJAX response
Usability and Security issues
Solution:
Make sure the data is what you expect it to be!
Validate your data
Use regular expressions to check for patterns
Look for key parts of the expression
Look for things that do not belong
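The checks these bullets call for, as an added example that is not from the slides: before an author-search response touches the DOM, the client parses it as JSON, confirms it has exactly the expected keys, runs whitelist regular expressions over every field, drops anything that does not belong, and inserts the surviving values as text rather than HTML. The response shape, the field patterns and the list element are assumptions.

```javascript
// Added example: validate an AJAX response on the client before using it.
// Assumed response shape: {"authors":[{"id":"<digits>","name":"<plain name>"}]}
const FIELD_RULES = {
  id: /^[0-9]{1,10}$/,                   // numeric identifier only
  name: /^[A-Za-z][A-Za-z .'-]{0,79}$/, // whitelist of characters expected in a name
};
const MAX_AUTHORS = 50;                  // more than this does not belong in one answer

// Returns {ok: true, authors} or {ok: false, reason}; never throws.
function validateAuthorResponse(responseText) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    return { ok: false, reason: "not JSON" };
  }
  if (!data || typeof data !== "object" || !Array.isArray(data.authors)) {
    return { ok: false, reason: "missing authors array" };
  }
  if (data.authors.length > MAX_AUTHORS) {
    return { ok: false, reason: "too many authors" };
  }
  const authors = [];
  for (const entry of data.authors) {
    if (!entry || typeof entry !== "object") return { ok: false, reason: "bad entry" };
    const keys = Object.keys(entry).sort().join(",");
    if (keys !== "id,name") return { ok: false, reason: "unexpected keys: " + keys };
    for (const field of ["id", "name"]) {
      const value = entry[field];
      if (typeof value !== "string" || !FIELD_RULES[field].test(value)) {
        return { ok: false, reason: "bad " + field };
      }
    }
    authors.push({ id: entry.id, name: entry.name }); // copy only the vetted fields
  }
  return { ok: true, authors };
}

// Browser side, called from onreadystatechange: only validated data reaches the
// DOM, and it goes in as text nodes, never as HTML. Returns true once rendered.
function renderAuthors(req, listElement, doc) {
  if (req.readyState !== 4 || req.status !== 200) return false;
  const result = validateAuthorResponse(req.responseText);
  if (!result.ok) return false;
  for (const a of result.authors) {
    const li = doc.createElement("li");
    li.textContent = a.name + " (#" + a.id + ")";
    listElement.appendChild(li);
  }
  return true;
}
```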
Intranet Hacking
Intranet Hacking
We tend to believe that while surfing the Web we are protected by firewalls and isolated through private network address translated Internet Protocol (IP) addresses.
With this understanding we assume the soft security of intranet Web sites and the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, and so forth, even if left unpatched.
Nothing is capable of directly connecting in from the outside world. Right?
Web browsers can be completely controlled by any Web page, enabling them to become launching points to attack internal network resources.
The Web browser of every user on an enterprise network becomes a stepping-stone for intruders.
Exploit Procedures
A victim visits a malicious Web page or clicks a nefarious link; embedded JavaScript malware then assumes control over their Web browser.
JavaScript malware loads a Java applet revealing the victim’s internal NAT IP address.
Then, using the victim’s Web browser as an attack platform, the JavaScript malware identifies and fingerprints Web servers on the internal network.
Attacks are initiated against internal or external Web sites, and compromised information is sent outside the network for collection.
Port Scanning Behind your Firewall
JavaScript can:
Request images from internal IP addresses, e.g. <img src="http://192.168.0.4:8080/">
Use timeout/onerror to determine success/failure
Fingerprint webapps using known image names
[Diagram: a server outside the firewall delivers a malicious Web page to the browser (1 “show me dancing pigs!”, 2 “check this out”); the browser, inside the firewall, then scans internal hosts and 3) sends the port scan results back out.]