“Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book—or be able to explain why they don’t.” Jesse James Garrett “Finally, a book that collects and presents the various Ajax security concerns in an understandable format! So many people have hopped onto the Ajax bandwagon without considering the secu- rity ramifications; now those people need to read this book and revisit their applications to address the various security short- comings pointed out by the authors.” Jeff Forristal “If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book. I can’t wait for it to come out.” Andrew van der Stock, Executive Director, OWASP “Web technologies like Ajax are creating new networked business structures that remove the sources of friction in the new econ- omy. Regrettably, hackers work to compromise this evolution by capitalizing on the weaknesses in this technology and those who develop it. Until now, few books told the whole Ajax security story, educating those using or planning to use this technology. This one does.” Managing Partner, Trellum Technologies This page intentionally left blank Ajax Security This page intentionally left blank Ajax Security Billy Hoffman and Bryan Sullivan Upper Saddle River, NJ • Boston • Indianapolis • San Francisco New York • Toronto • Montreal • London • Munich • Paris • Madrid Cape Town • Sydney • Tokyo • Singapore • Mexico City Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was Editor-in-Chief aware of a trademark claim, the designations have been printed with initial capital letters or Karen Gettman in all capitals. Acquisitions Editor The authors and publisher have taken care in the preparation of this book, but make no Jessica Goldstein expressed or implied warranty of any kind and assume no responsibility for errors or Development Editor omissions. No liability is assumed for incidental or consequential damages in connection Sheri Cain with or arising out of the use of the information or programs contained herein. Managing Editor The publisher offers excellent discounts on this book when ordered in quantity for bulk Gina Kanouse purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. Project Editor For more information, please contact: Chelsey Marti U.S. Corporate and Government Sales Copy Editor (800) 382-3419 Harrison Ridge [email protected] Editorial Services For sales outside the United States please contact: Indexer Lisa Stumpf International Sales [email protected] Proofreader Kathy Ruiz Technical Reviewers Trellum Technologies, Inc. Jeff Forristal Joe Stagner Vinnie Liu Editorial Assistant Romny French Cover Designer Alan Clements Composition Jake McFarland Visit us on the Web: www.prenhallprofessional.com Library of Congress Cataloging-in-Publication Data: Hoffman, Billy, 1980- Ajax security / Billy Hoffman and Bryan Sullivan. p. cm. ISBN 0-321-49193-9 (pbk. : alk. paper) 1. Ajax (Web site development technology) 2. Computer networks—Security measures. 3. Computer security. I. Sullivan, Bryan, 1974- II. Title. TK5105.8885.A52H62 2007 005.8—dc22 2007037191 Copyright © 2008 Pearson Education, Inc. All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to: Pearson Education, Inc Rights and Contracts Department 501 Boylston Street, Suite 900 Boston, MA 02116 Fax (617) 671 3447 ISBN-13: 978-0-321-49193-0 ISBN-10: 0-321-49193-9 Text printed in the United States on recycled paper at R.R. Donnelly in Crawfordsville, IN. First printing December 2007 This book is dedicated to my wife Jill. I am lucky beyond words to be married to such an intelligent, beautiful, and caring woman. Love you Sexy. For Amy. I can’t imagine living without your love and support. This page intentionally left blank Contents Preface xvii Preface (The Real One) xvix Chapter 1 Introduction to Ajax Security 1 An Ajax Primer 2 What Is Ajax? 2 Asynchronous 3 JavaScript 6 XML 11 Dynamic HTML (DHTML) 11 The Ajax Architecture Shift 11 Thick-Client Architecture 12 Thin-Client Architecture 13 Ajax: The Goldilocks of Architecture 15 A Security Perspective: Thick-Client Applications 16 A Security Perspective: Thin-Client Applications 17 A Security Perspective: Ajax Applications 18 A Perfect Storm of Vulnerabilities 19 Increased Complexity, Transparency, and Size 19 Sociological Issues 22 Ajax Applications: Attractive and Strategic Targets 23 Conclusions 24 Chapter 2 The Heist 25 Eve 25 Hacking HighTechVacations.net 26 ix CONTENTS Hacking the Coupon System 26 Attacking Client-Side Data Binding 32 Attacking the Ajax API 36 A Theft in the Night 42 Chapter 3 Web Attacks 45 The Basic Attack Categories 45 Resource Enumeration 46 Parameter Manipulation 50 Other Attacks 75 Cross-Site Request Forgery (CSRF) 75 Phishing 76 Denial-of-Service (DoS) 77 Protecting Web Applications from Resource Enumeration and Parameter Manipulation 77 Secure Sockets Layer 78 Conclusions 78 Chapter 4 Ajax Attack Surface 81 Understanding the Attack Surface 81 Traditional Web Application Attack Surface 83 Form Inputs 83 Cookies 84 Headers 85 Hidden Form Inputs 86 Query Parameters 86 Uploaded Files 89 Traditional Web Application Attacks: A Report Card 90 Web Service Attack Surface 92 Web Service Methods 92 Web Service Definitions 94 Ajax Application Attack Surface 94 The Origin of the Ajax Application Attack Surface 96 Best of Both Worlds—for the Hacker 98 Proper Input Validation 98 The Problem with Blacklisting and Other Specific Fixes 99 Treating the Symptoms Instead of the Disease 102 Whitelist Input Validation 105 x CONTENTS Regular Expressions 109 Additional Thoughts on Input Validation 109 Validating Rich User Input 111 Validating Markup Languages 111 Validating Binary Files 113 Validating JavaScript Source Code 114 Validating Serialized Data 120 The Myth of User-Supplied Content 122 Conclusion 123 Chapter 5 Ajax Code Complexity 125 Multiple Languages and Architectures 125 Array Indexing 126 String Operations 128 Code Comments 129 Someone Else’s Problem 130 JavaScript Quirks 132 Interpreted, Not Compiled 132 Weakly Typed 133 Asynchronicity 135 Race Conditions 135 Deadlocks and the Dining Philosophers Problem 139 Client-Side Synchronization 144 Be Careful Whose Advice You Take 144 Conclusions 145 Chapter 6 Transparency in Ajax Applications 147 Black Boxes Versus White Boxes 147 Example: MyLocalWeatherForecast.com 150 Example: MyLocalWeatherForecast.com “Ajaxified” 152 Comparison Conclusions 156 The Web Application as an API 156 Data Types and Method Signatures 158 Specific Security Mistakes 158 Improper Authorization 159 Overly Granular Server API 161 Session State Stored in JavaScript 164 Sensitive Data Revealed to Users 165 xi CONTENTS Comments and Documentation Included in Client-Side Code 166 Data Transformation Performed on the Client 167 Security through Obscurity 172 Obfuscation 173 Conclusions 174 Chapter 7 Hijacking Ajax Applications 175 Hijacking Ajax Frameworks 176 Accidental Function Clobbering 176 Function Clobbering for Fun and Profit 178 Hijacking On-Demand Ajax 184 Hijacking JSON APIs 190 Hijacking Object Literals 195 Root of JSON Hijacking 195 Defending Against JSON Hijacking 196 Conclusions 199 Chapter 8 Attacking Client-Side Storage 201 Overview of Client-Side Storage Systems 201 General Client-Side Storage Security 202 HTTP Cookies 204 Cookie Access Control Rules 206 Storage Capacity of HTTP Cookies 211 Lifetime of Cookies 215 Additional Cookie Storage Security Notes 216 Cookie Storage Summary 216 Flash Local Shared Objects 218 Flash Local Shared Objects Summary 225 DOM Storage 226 Session Storage 227 Global Storage 229 The Devilish Details of DOM Storage 231 DOM Storage Security 233 DOM Storage Summary 234 Internet Explorer userData 235 Security Summary 240 xii CONTENTS General Client-Side Storage Attacks and Defenses 240 Cross-Domain Attacks 241 Cross-Directory Attacks 242 Cross-Port Attacks 243 Conclusions 243 Chapter 9 Offline Ajax Applications 245 Offline Ajax Applications 245 Google Gears 247 Native Security Features and Shortcomings of Google Gears 248 Exploiting WorkerPool 251 LocalServer Data Disclosure and Poisoning 253 Directly Accessing the Google Gears Database 257 SQL Injection and Google Gears 258 How Dangerous Is Client-Side SQL Injection? 262 Dojo.Offline 264 Keeping the Key Safe 265 Keeping the Data Safe 266 Good Passwords Make for Good Keys 267 Client-Side Input Validation Becomes Relevant 268 Other Approaches to Offline Applications 270 Conclusions 270 Chapter 10 Request Origin Issues 273 Robots, Spiders, Browsers, and Other Creepy Crawlers 273 “Hello! My Name Is Firefox. I Enjoy Chunked Encoding, PDFs, and Long Walks on the Beach.” 275 Request Origin Uncertainty and JavaScript 276 Ajax Requests from the Web Server’s Point of View 276 Yourself, or Someone Like You 280 Sending HTTP Requests with JavaScript
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages498 Page
-
File Size-