1 / 17

Ajax Applications : A Blueprint for Disaster

Ajax Applications : A Blueprint for Disaster. Bryan Sullivan, Security Program Manager Microsoft Originally developed with Billy Hoffman, Hewlett Packard. General Ajax Security Issues. Increased attack surface Direct API access Easier to reverse-engineer Amplifies web attacks

veata
Download Presentation

Ajax Applications : A Blueprint for Disaster

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ajax Applications : A Blueprint for Disaster Bryan Sullivan, Security Program Manager Microsoft Originally developed with Billy Hoffman, Hewlett Packard

  2. General Ajax Security Issues • Increased attack surface • Direct API access • Easier to reverse-engineer • Amplifies web attacks • Offline attacks …in theory…

  3. Theory put to the test • Ajax application built using “expert” advice • Books • Blogs • Conferences

  4. Hacker Vacations Demonstration

  5. Lessons learned • You cannot control client-side code • Don’t store secrets in client-side code • Don’t let client-side code perform authentication/authorization functions 4. Don’t expose admin functionality • Remember web application security basics • Exercise caution when converting data to HTML on the client

  6. Ajax Security Patterns and Antipatterns

  7. Antipattern 1: Domino Effect

  8. PerformLongOp • GetStatus Pattern 1: Polling Status Calls

  9. Antipattern 2: Holding Critical State on Client • Script variables • Flash/Silverlight variables • Offline storage mechanisms • Local Shared Objects ie “Flash cookies” • Silverlight Isolated Storage • Hidden form fields • Cookies

  10. Pattern 2: Hold Critical State on Server • Keep session state just like Web 1.0

  11. Antipattern 3: Single-call Authorization Check authorization here

  12. Pattern 3: Every-call Authorization Check authorization here …and here …and here

  13. Antipattern 4: Exposing Admin Libraries

  14. Pattern 4: Segregate Admin Libraries

  15. Use with care: Client-side Data Binding

  16. Conclusion With great power comes great responsibility

  17. More resources My blog: http://blogs.msdn.com/sdl/ My alias: bryansul

More Related