
AJAX Book Recommendation: "Ajax Security" by Hoffman and Sullivan

If you call yourself a professional web developer, you need this book

Web aggregators and SSL

This is probably a great big "duh" to some developers, but web aggregators such as iGoogle and NetVibes often compromise the security of otherwise SSL-encrypted web applications when funneling content from them to your personalized homepage:

Now, consider what happens when you use a Gmail widget on an aggregate site like NetVibes. Sharp-eyed readers will notice the URL for NetVibes ... is http://www.netvibes.com. This is not an encrypted connection! NetVibes sends user data in the clear from the aggregate to the user.... NetVibes makes an SSL connection to Gmail, and then NetVibes degrades the level of security by transmitting the data over an unencrypted connection. Our attacker ... can steal the data much more easily now. NetVibes is not providing the same level of security that a user would receive if he accessed Gmail directly. This situation is not unique to NetVibes and Gmail.... At the time of publication, every major aggregate Web site the authors examined downgraded security on data from secure sources. [emphasis theirs]

Offline applications and client-side validation

Security experts, including Hoffman and Sullivan, have long trumpeted the danger of relying on client-side input validation without parallel server-side validation. But with offline applications, they argue, client-side validation becomes absolutely necessary:

[O]ffline Ajax frameworks increase the client's role in business logic. In fact, offline Ajax applications strive to make the concept of online or offline completely transparent to the user.... [T]his means the user is interacting with client-side code, which stores everything the user is doing and synchronizes the data with the Web server when the client connects to the Internet. If no client-side input validation occurs, then the client-side logic is vulnerable to all kinds of parameter manipulation attacks.... Ajax applications already push more of a Web application to the client, and offline Ajax applications do push even more logic to the client. Just as we perform whitelist input validation on the server for security purposes, developers must perform client-side validation to ensure the security of their offline Ajax applications.
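To make the point concrete, here is an added example (not code from the book or from the article) of the whitelist discipline Hoffman and Sullivan describe: one validator shared by an offline client queue and the sync endpoint, so the server re-checks every record instead of trusting the client's earlier verdict. The field names and patterns are assumed for illustration.

```javascript
// Added example: a whitelist validator shared by an offline Ajax client and its
// sync endpoint. Field names and their allowed patterns are assumed, not from the book.
const RULES = {
  username: /^[a-z0-9_]{3,16}$/,
  email: /^[^\s@]+@[^\s@]+\.[a-z]{2,}$/i,
  quantity: /^[1-9][0-9]{0,3}$/,
};

// Whitelist validation: only known fields are allowed, each must be a string
// matching its pattern, and every required field must be present.
function validateRecord(record) {
  const errors = [];
  for (const key of Object.keys(record)) {
    if (!(key in RULES)) errors.push(`unexpected field: ${key}`);
    else if (typeof record[key] !== 'string' || !RULES[key].test(record[key])) {
      errors.push(`invalid value for ${key}`);
    }
  }
  for (const key of Object.keys(RULES)) {
    if (!(key in record)) errors.push(`missing field: ${key}`);
  }
  return { ok: errors.length === 0, errors };
}

// Offline queue: the client validates before storing, so malformed or tampered
// records never reach local storage or the pending-sync list.
class OfflineQueue {
  constructor() { this.pending = []; }
  enqueue(record) {
    const result = validateRecord(record);
    if (result.ok) this.pending.push(JSON.parse(JSON.stringify(record)));
    return result;
  }
}

// Sync endpoint: runs the same whitelist again on every record it receives,
// because the client-side code and its stored data are under the user's control.
function acceptSync(records) {
  const accepted = [];
  const rejected = [];
  for (const r of records) (validateRecord(r).ok ? accepted : rejected).push(r);
  return { accepted, rejected };
}

// Constructed sample input: one valid record, one with an injected extra field.
const queue = new OfflineQueue();
queue.enqueue({ username: 'alice', email: 'alice@example.com', quantity: '2' });
queue.enqueue({ username: 'mallory', email: 'm@example.com', quantity: '1', isAdmin: 'true' });
```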

Ajax frameworks and function clobbering

When an attacker gains access to a web server and appends JavaScript code to a running Ajax application, it's much easier to inflict damage on apps that employ well-known JavaScript frameworks:

[T]his works with any framework and almost any JavaScript function.... Consider Dojo.Storage, which provides an abstraction layer to the various mechanisms for client-side storage.... Ironically, most of the functions to access client-side storage methods cannot be hooked because of how they are implemented. We cannot, for example, clobber the ActionScript functions exposed by a Flash object from browsers that we can clobber. Thus we cannot hook reads and writes on the document.cookie object (at least we can't for all browsers). However, by hijacking the abstraction function in Dojo.Storage, attackers can intercept all data as it moves in and out of client-side storage, regardless of where the data is actually stored on the client. Essentially, certain browser functionality cannot be shimmed directly for all browsers, but frameworks that abstract this functionality can, themselves, be shimmed, accomplishing the same thing. Even worse ... shim code that hijacks frameworks isn't Web site or domain specific. The same payload can be used against multiple Web sites.
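The defensive side of this, as an added example that is neither Dojo's code nor the book's: a stand-in storage abstraction (assumed, not the real Dojo.Storage API) whose methods any script on the page can reassign, next to a hardened version that freezes the namespace and keeps trusted function references for a tamper check.

```javascript
// Added example: a stand-in for a client-side storage abstraction (not Dojo.Storage),
// first as a plain object and then hardened against method replacement.
function makeStorage() {
  const backing = new Map();  // stands in for cookies, Flash or DOM storage
  return {
    put(key, value) { backing.set(key, String(value)); },
    get(key) { return backing.has(key) ? backing.get(key) : null; },
  };
}

// Probe: can the abstraction's write method be reassigned by other page code?
// On a plain object the assignment succeeds; on a frozen object it is ignored
// (or throws a TypeError in strict mode), so the original reference survives.
function canBeReplaced(storage) {
  const original = storage.put;
  try {
    storage.put = function () { /* any replacement would see every write */ };
  } catch (e) { /* TypeError from a frozen object in strict mode */ }
  const replaced = storage.put !== original;
  if (replaced) storage.put = original;  // undo the probe
  return replaced;
}

// Hardened: freeze the namespace so its methods are non-writable and
// non-configurable, and capture the original references for a later check.
function makeHardenedStorage() {
  const storage = Object.freeze(makeStorage());
  const trusted = new Map(Object.entries(storage));
  return {
    storage,
    // Names of methods whose current reference differs from the one captured
    // at load time; empty as long as the frozen object is intact.
    tampered() {
      return [...trusted].filter(([name, fn]) => storage[name] !== fn).map(([name]) => name);
    },
  };
}
```

Freezing protects only the object's own properties: script that runs before the freeze, or that swaps the global reference through which the page reaches the namespace, is outside its scope, so the tamper check belongs with other load-order controls rather than replacing them.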

The book itself, of course, documents dozens more specific security vulnerabilities - as well as best practices for protecting your application against them. As my effusive praise should have made clear by now, I can't recommend "Ajax Security" highly enough. It's available from Amazon and Safari Books Online.

Article contents adapted from entries in the Agile Ajax blog. Copyright © 2008 Pathfinder Development.



More Stories By Brian J. Dillard

Brian J. Dillard joined Pathfinder Development in August 2007 as RIA Evangelist. After 12 years of focusing on the view layer of large consumer web apps, his role at Pathfinder Associates is one of research, development and ongoing commentary. He prototypes new rich UI features; contributes to open-source and client projects; and otherwise helps build Pathfinder's competency in the AJAX world. Along with Pathfinder CTO Dietrich Kappe, Dillard contributes to the 'Agile Ajax' blog (http://blogs.pathf.com/agileajax). He is also the project lead on Really Simple History, a JavaScript library for AJAX bookmark and back-button management.

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.