498 pages
Document Information
Structure
Ajax security
Contents
Preface
Preface (The Real One)
Chapter 1 Introduction to Ajax Security
An Ajax Primer
What Is Ajax?
Asynchronous
JavaScript
XML
Dynamic HTML (DHTML)
The Ajax Architecture Shift
Thick-Client Architecture
Thin-Client Architecture
Ajax: The Goldilocks of Architecture
A Security Perspective: Thick-Client Applications
A Security Perspective: Thin-Client Applications
A Security Perspective: Ajax Applications
A Perfect Storm of Vulnerabilities
Increased Complexity, Transparency, and Size
Sociological Issues
Ajax Applications: Attractive and Strategic Targets
Conclusions
Chapter 2 The Heist
Eve
Hacking HighTechVacations.net
Hacking the Coupon System
Attacking Client-Side Data Binding
Attacking the Ajax API
A Theft in the Night
Chapter 3 Web Attacks
The Basic Attack Categories
Resource Enumeration
Parameter Manipulation
Other Attacks
Cross-Site Request Forgery (CSRF)
Phishing
Denial-of-Service (DoS)
Protecting Web Applications from Resource Enumeration and Parameter Manipulation
Secure Sockets Layer
Conclusions
Chapter 4 Ajax Attack Surface
Understanding the Attack Surface
Traditional Web Application Attack Surface
Form Inputs
Cookies
Headers
Hidden Form Inputs
Query Parameters
Uploaded Files
Traditional Web Application Attacks: A Report Card
Web Service Attack Surface
Web Service Methods
Web Service Definitions
Ajax Application Attack Surface
The Origin of the Ajax Application Attack Surface
Best of Both Worlds—for the Hacker
Proper Input Validation
The Problem with Blacklisting and Other Specific Fixes
Treating the Symptoms Instead of the Disease
Whitelist Input Validation
Regular Expressions
Additional Thoughts on Input Validation
Validating Rich User Input
Validating Markup Languages
Validating Binary Files
Validating JavaScript Source Code
Validating Serialized Data
The Myth of User-Supplied Content
Conclusion
Chapter 5 Ajax Code Complexity
Multiple Languages and Architectures
Array Indexing
String Operations
Code Comments
Someone Else’s Problem
JavaScript Quirks
Interpreted, Not Compiled
Weakly Typed
Asynchronicity
Race Conditions
Deadlocks and the Dining Philosophers Problem
Client-Side Synchronization
Be Careful Whose Advice You Take
Conclusions
Chapter 6 Transparency in Ajax Applications
Black Boxes Versus White Boxes
Example: MyLocalWeatherForecast.com
Example: MyLocalWeatherForecast.com “Ajaxified”
Comparison Conclusions
The Web Application as an API
Data Types and Method Signatures
Specific Security Mistakes
Improper Authorization
Overly Granular Server API
Session State Stored in JavaScript
Sensitive Data Revealed to Users
Comments and Documentation Included in Client-Side Code
Data Transformation Performed on the Client
Security through Obscurity
Obfuscation
Conclusions
Chapter 7 Hijacking Ajax Applications
Hijacking Ajax Frameworks
Accidental Function Clobbering
Function Clobbering for Fun and Profit
Hijacking On-Demand Ajax
Hijacking JSON APIs
Hijacking Object Literals
Root of JSON Hijacking
Defending Against JSON Hijacking
Conclusions
Chapter 8 Attacking Client-Side Storage
Overview of Client-Side Storage Systems
General Client-Side Storage Security
HTTP Cookies
Cookie Access Control Rules
Storage Capacity of HTTP Cookies
Lifetime of Cookies
Additional Cookie Storage Security Notes
Cookie Storage Summary
Flash Local Shared Objects
Flash Local Shared Objects Summary
DOM Storage
Session Storage
Global Storage
The Devilish Details of DOM Storage
DOM Storage Security
DOM Storage Summary
Internet Explorer userData
Security Summary
General Client-Side Storage Attacks and Defenses
Cross-Domain Attacks
Cross-Directory Attacks
Cross-Port Attacks
Conclusions
Chapter 9 Offline Ajax Applications
Offline Ajax Applications
Google Gears
Native Security Features and Shortcomings of Google Gears
Exploiting WorkerPool
LocalServer Data Disclosure and Poisoning
Directly Accessing the Google Gears Database
SQL Injection and Google Gears
How Dangerous Is Client-Side SQL Injection?
Dojo.Offline
Keeping the Key Safe
Keeping the Data Safe
Good Passwords Make for Good Keys
Client-Side Input Validation Becomes Relevant
Other Approaches to Offline Applications
Conclusions
Chapter 10 Request Origin Issues
Robots, Spiders, Browsers, and Other Creepy Crawlers
“Hello! My Name Is Firefox. I Enjoy Chunked Encoding, PDFs, and Long Walks on the Beach.”
Request Origin Uncertainty and JavaScript
Ajax Requests from the Web Server’s Point of View
Yourself, or Someone Like You
Sending HTTP Requests with JavaScript
JavaScript HTTP Attacks in a Pre-Ajax World
Hunting Content with XMLHttpRequest
Combination XSS/XHR Attacks in Action
Defenses
Conclusions
Chapter 11 Web Mashups and Aggregators
Machine-Consumable Data on the Internet
Early 90’s: Dawn of the Human Web
Mid 90s: The Birth of the Machine Web
2000s: The Machine Web Matures
Publicly Available Web Services
Mashups: Frankenstein on the Web
ChicagoCrime.org
HousingMaps.com
Other Mashups
Constructing Mashups
Mashups and Ajax
Bridges, Proxies, and Gateways—Oh My!
Ajax Proxy Alternatives
Attacking Ajax Proxies
Et Tu, HousingMaps.com?
Input Validation in Mashups
Aggregate Sites
Degraded Security and Trust
Conclusions
Chapter 12 Attacking the Presentation Layer
A Pinch of Presentation Makes the Content Go Down
Attacking the Presentation Layer
Data Mining Cascading Style Sheets
Look and Feel Hacks
Advanced Look and Feel Hacks
Embedded Program Logic
Cascading Style Sheets Vectors
Modifying the Browser Cache
Preventing Presentation Layer Attacks
Conclusion
Chapter 13 JavaScript Worms
Overview of JavaScript Worms
Traditional Computer Viruses
JavaScript Worms
JavaScript Worm Construction
JavaScript Limitations
Propagating JavaScript Worms
JavaScript Worm Payloads
Putting It All Together
Case Study: Samy Worm
How It Worked
The Virus’ Payload
Conclusions About the Samy Worm
Case Study: Yamanner Worm (JS/Yamanner-A)
How It Worked
The Virus’ Payload
Conclusions About the Yamanner Worm
Lessons Learned from Real JavaScript Worms
Conclusions
Chapter 14 Testing Ajax Applications
Black Magic
Not Everyone Uses a Web Browser to Browse the Web
Catch-22
Security Testing Tools—or Why Real Life Is Not Like Hollywood
Site Cataloging
Vulnerability Detection
Analysis Tool: Sprajax
Analysis Tool: Paros Proxy
Analysis Tool: LAPSE (Lightweight Analysis for Program Security in Eclipse)
Analysis Tool: WebInspect™
Additional Thoughts on Security Testing
Chapter 15 Analysis of Ajax Frameworks
ASP.NET
ASP.NET AJAX (formerly Atlas)
ScriptService
Security Showdown: UpdatePanel Versus ScriptService
ASP.NET AJAX and WSDL
ValidateRequest
ViewStateUserKey
ASP.NET Configuration and Debugging
PHP
Sajax
Sajax and Cross-Site Request Forgery
Java EE
Direct Web Remoting (DWR)
JavaScript Frameworks
A Warning About Client-Side Code
Prototype
Conclusions
Appendix A: Samy Source Code
Appendix B: Source Code for Yamanner Worm
Index
A
B
C
D
E
F
G
H
I
J
K–L
M
N–O
P
Q–R
S
T
U
V
W
X
Y–Z
Content
[...] ... attacks and create a truly secure and trustworthy Ajax application.

An Ajax Primer

Before we delve into the particulars of Ajax security, it is worthwhile for us to briefly review the basics of Ajax technology. If you’re confident that you have a solid grasp of Ajax fundamentals, feel free to proceed to the next section, “The Ajax Architecture Shift.”

What Is Ajax?

Normally, when a browser makes a request ...

... limitation. The Web may allow us to write an application once and use it anywhere, but Ajax allows us to write a practical and effective application once and use it anywhere.

Unfortunately, there is one huge buzzing, stinging fly in the Ajax ointment: security. From a security perspective, Ajax applications are more difficult to design, develop, and test than traditional ...

... security over a round or two.

Chapter 1 Introduction to Ajax Security

Myth: Ajax applications are just Web pages with extra bells and whistles.

Ajax, Asynchronous JavaScript and XML, is taking the World Wide Web by storm. It is not at all an overstatement to say that Ajax has the potential to revolutionize the way we use the Internet—and even computers in general. Ajax is a fundamental component of Web 2.0, a complete ...

... wait to discover, such as the analysis of specific Ajax frameworks for security issues (which can be found in Chapter 15, “Analysis of Ajax Frameworks”), feel free to skip ahead or read out of order.

Ajax provides an exciting new philosophy for creating Web applications. This book is by no means an attempt to dismiss Ajax as silly or infeasible from a security perspective. Instead, we hope to provide a ...

... simplified Ajax-based SQL Injection method, which requires only two requests to extract the entire backend database.

This is not a book for learning Ajax or Web programming—we expect you to have a pretty good handle on that already. Instead, we will focus on the mistakes and problems with the design and creation of Ajax applications that create security vulnerabilities and provide advice on how to develop Ajax ...

... focused on the Internet security software industry. Prior to HP, Bryan was a security researcher for SPI Dynamics, a leading Web application security company acquired by HP in August 2007. While at SPI, he created the DevInspect product, which analyzes Web applications for security vulnerabilities during development. Bryan is a frequent speaker at industry events, most recently AjaxWorld, Black Hat, and ...

... bypassed authentication mechanisms. Ajax may have the inherent usability strengths of both desktop and Web applications, but it also has both of their inherent security weaknesses. Still, security seems to be an afterthought for most developers.

Preface

We hope to change that perspective. We wrote this book for the Ajax developer who wants to implement the latest and greatest Ajax features in their applications, ...

... 1980-
Ajax security / Billy Hoffman and Bryan Sullivan.
p. cm.
ISBN 0-321-49193-9 (pbk. : alk. paper)
1. Ajax (Web site development technology) 2. Computer networks--Security measures. 3. Computer security.