Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application with AJAX CS 526 advanced interned and Web system Presenters Faris Kateb Mohammed AbdulAziz Omar Alzahrani.

Published byGodwin Boyd Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Application with AJAX CS 526 advanced interned and Web system Presenters Faris Kateb Mohammed AbdulAziz Omar Alzahrani."— Presentation transcript:

1 Web Application with AJAX CS 526 advanced interned and Web system Presenters Faris Kateb Mohammed AbdulAziz Omar Alzahrani

2 Agenda Introduction Background What is Ajax? Security Vulnerabilities

3 History - What is “web application”? - Client side scripts. - Common Gateway Interface (CGI). - Servlets. - ASP, PHP …etc. - AJAX.

4 AJAX - What’s AJAX? Asynchronous Javascript And XML - Is AJAX a technology by itself? - The XMLHttpRequest Object Base object for AJAX Allows your javascript code…… Available in most browsers ThroughThe XMLHttpRequest object you can :

5 - Country : - State : - Country : - City : - State : Server Database USA CO Denver - City : - State : CO Denver - City : - State : - City : Before AJAX

6 - Country : - City : - State : Server Database USA CO Denver After AJAX

7 General Technique

8 Ajax vulnerabilities There are many vulnerabilities Our concentration are the security holes A list of these security holes included in our research JS Array poisoning Flash-based cross domain access Malformed JS Object serialization JSON pair injection Manipulated XML stream Script injection in DOM

9 JS Array poisoning popular object for serialization Easy and effective Poisoning a JS array spoils the DOM context. A JS array can be exploited with simple cross-site scripting in the browser. example new Array(“Android”, “iphone”, “Tmobile”, “900$”, “28 years”)

10 Flash-based cross domain access It is possible to make GET and POST requests from JavaScripts within a browser by using a Flash plugin’s Ajax interface. This also enables cross-domain calls to be made from any particular domain. Example

11 Malformed JS Object serialization JavaScript supports (OOP). Allows the user to create an object using "New Object()“. Object can be serialized using Ajax and used by JavaScript code. Attacker can sends a malicious “subject” line embedded with script then it makes the receiver a victim of XSS. [3]

12 JSON pair injection JavaScript Object Notation (JSON) is a simple data exchange format which can contain object. Attacker can inject a malicious script in either "Link" or "Desc" (XSS). Another way to serialize malicious content to the user. [3]

13

14 REFERENCES [1] http://www.asp.net/ajax.http://www.asp.net/ajax [2] http://www.w3schools.com/ajax/ajax_intro.asp.http://www.w3schools.com/ajax/ajax_intro.asp [3] Ajax Security Holes and Driving Factors http://www.net-security.org.http://www.net-security.org [4] SC Magazine, Article: Hot or not: AJAX vulnerabilities, http://www.scmagazine.com http://www.scmagazine.com [5] What is AJAX? http://www.youtube.com/watch?v=tJXLRLDWjn4http://www.youtube.com/watch?v=tJXLRLDWjn4 [6] Article: AJAX Vulnerabilities: How Big the Threat?, http://www.about.comhttp://www.about.com

Download ppt "Web Application with AJAX CS 526 advanced interned and Web system Presenters Faris Kateb Mohammed AbdulAziz Omar Alzahrani."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
1/7 ITApplications XML Module Session 8: Introduction to Programming with XML.

1/7 ITApplications XML Module Session 8: Introduction to Programming with XML.
Lecture 11 Server Side Interaction

Lecture 11 Server Side Interaction
Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.

Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.

IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.
INTRODUCTION The Group WEB BROWSER FOR RELATION Goals.

INTRODUCTION The Group WEB BROWSER FOR RELATION Goals.
Cloud Computing Lecture #7 Introduction to Ajax Jimmy Lin The iSchool University of Maryland Wednesday, October 15, 2008 This work is licensed under a.

Cloud Computing Lecture #7 Introduction to Ajax Jimmy Lin The iSchool University of Maryland Wednesday, October 15, 2008 This work is licensed under a.
Multiple Tiers in Action

Multiple Tiers in Action
Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.

Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.
Does Ajax suck? CS575 Spring 2007 Chanwit Suebsureekul.

Does Ajax suck? CS575 Spring 2007 Chanwit Suebsureekul.
Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.

Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.
ITM352 Javascript and Dynamic Web Pages: Client Side Processing.

ITM352 Javascript and Dynamic Web Pages: Client Side Processing.
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.

Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.
Chris Pinski.  History  What is Ajax  Who uses Ajax  Underlying Technologies  SE Aspect  Common Problems  Conclusion.

Chris Pinski.  History  What is Ajax  Who uses Ajax  Underlying Technologies  SE Aspect  Common Problems  Conclusion.
CGI and AJAX CS-260 Dick Steflik.

CGI and AJAX CS-260 Dick Steflik.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
Lecture 12 – AJAX SFDV3011 – Advanced Web Development Reference: 1.

Lecture 12 – AJAX SFDV3011 – Advanced Web Development Reference: 1.

Similar presentations

Ads by Google