Web Application with AJAX. CS 526 Advanced Internet and Web Systems. Presenters: Faris Kateb, Mohammed AbdulAziz, Omar Alzahrani.

Agenda
- Introduction
- Background
- What is Ajax?
- Security Vulnerabilities

History
- What is a "web application"?
- Client-side scripts.
- Common Gateway Interface (CGI).
- Servlets.
- ASP, PHP, etc.
- AJAX.

AJAX
- What's AJAX? Asynchronous JavaScript And XML.
- Is AJAX a technology by itself? No; it is a combination of existing ones: JavaScript, the DOM, and an HTTP request object in the browser.
- The XMLHttpRequest object: the base object for AJAX. Allows your JavaScript code…… Available in most browsers.
- Through the XMLHttpRequest object you can:

[Diagram, Before AJAX: Country / State / City form, Server, Database; sample values USA, CO, Denver. Each selection (country, then state) is a full round trip to the server and the whole form is redrawn.]

[Diagram, After AJAX: the same Country / State / City form, Server, Database; sample values USA, CO, Denver. Only the dependent field is refreshed; the page is not reloaded.]

General Technique
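The country-to-state cascade from the "After AJAX" diagram, written against the XMLHttpRequest object, as an added example that is not part of the original presentation. The /states endpoint, its {"states": [...]} JSON response shape, and the element ids country and state are assumptions made for this example; the request and DOM parts only run in a browser, the URL-building and response-checking functions run anywhere.

```javascript
// Added example (not from the slides): country -> state cascade over
// XMLHttpRequest. Assumed: GET /states?country=... answers with
// {"states": ["CO", "CA", ...]}; the page has <select id="country"> and
// <select id="state">.

// Build the request URL. encodeURIComponent keeps a country name containing
// '&', '#' or spaces from altering the query string.
function statesUrl(country) {
  return "/states?country=" + encodeURIComponent(country);
}

// Validate the server response before using it: it must be JSON of the
// expected shape, and it is parsed as data, never eval()'d.
function parseStateList(responseText) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    throw new Error("response is not valid JSON");
  }
  if (!data || !Array.isArray(data.states) ||
      !data.states.every((s) => typeof s === "string")) {
    throw new Error("unexpected response shape");
  }
  return data.states;
}

// Fill a <select> with DOM methods; textContent cannot introduce markup.
function fillSelect(select, names) {
  while (select.firstChild) select.removeChild(select.firstChild);
  for (const name of names) {
    const opt = document.createElement("option");
    opt.value = name;
    opt.textContent = name;
    select.appendChild(opt);
  }
}

// The asynchronous round trip: only the <select> is redrawn, the rest of
// the page stays as it is. Browser-only (XMLHttpRequest is not in Node).
function loadStates(country, select, onError) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", statesUrl(country), true); // true = asynchronous
  xhr.setRequestHeader("Accept", "application/json");
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return; // 4 = DONE
    if (xhr.status !== 200) {
      onError(new Error("HTTP " + xhr.status));
      return;
    }
    try {
      fillSelect(select, parseStateList(xhr.responseText));
    } catch (e) {
      onError(e);
    }
  };
  xhr.send(null);
}

// Wiring, run only when a page with the two selects is present.
if (typeof document !== "undefined") {
  const countrySel = document.getElementById("country");
  const stateSel = document.getElementById("state");
  if (countrySel && stateSel) {
    countrySel.addEventListener("change", function () {
      loadStates(countrySel.value, stateSel, (err) => console.error(err));
    });
  }
}
```

The two checks worth copying are the encodeURIComponent on the outgoing parameter and the shape check on the incoming JSON; both are what keep the later "security holes" slides from applying to this code.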

Ajax vulnerabilities
- There are many vulnerabilities; our concentration is on the security holes.
- A list of the security holes included in our research:
  - JS Array poisoning
  - Flash-based cross domain access
  - Malformed JS Object serialization
  - JSON pair injection
  - Manipulated XML stream
  - Script injection in DOM

JS Array poisoning
- A JavaScript array is a popular object for serialization: easy and effective.
- Poisoning a JS array spoils the DOM context: when the client executes the response with eval(), an attacker-controlled element that closes its string can run arbitrary script.
- A JS array can therefore be exploited with simple cross-site scripting in the browser.
- Example: new Array("Android", "iphone", "Tmobile", "900$", "28 years")

Flash-based cross domain access
- It is possible to make GET and POST requests from JavaScript within a browser by using a Flash plugin's Ajax interface.
- This also enables cross-domain calls to be made from any particular domain.
- Caveat: whether the Flash runtime permits such a cross-domain call is decided by the target site's crossdomain.xml policy file; a permissive policy (allow-access-from domain="*") is what turns this into a security hole.
- Example

Malformed JS Object serialization
- JavaScript supports object-oriented programming (OOP).
- It allows the user to create an object using new Object().
- An object can be serialized by the server, fetched with Ajax and used by JavaScript code.
- If the serialized object is evaluated as code, an attacker can send a malicious "subject" line with embedded script, which makes the receiver a victim of XSS. [3]
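The JS array poisoning and malformed object serialization slides describe the same mechanism: server-side serialization by string concatenation, client-side deserialization by eval(). The following is an added example, not code from the presentation, that shows the vulnerable pair next to the hardened pair (JSON.stringify on the server, JSON.parse plus a shape check on the client). The product names are constructed input, and hijack() stands in for whatever an injected script would do.

```javascript
// Added example (not from the slides): "new Array(...)" serialization built
// by concatenation and consumed with eval(), next to the hardened JSON path.
// The values are constructed; hijack() simulates the injected payload.

let hijacked = false;
function hijack() { hijacked = true; return "owned"; }

// Legacy server-side serializer: concatenates values into a JavaScript
// array literal without escaping. A value containing '"' breaks out.
function serializeAsArrayLiteral(values) {
  return 'new Array("' + values.join('", "') + '")';
}

// Hardened serializer: JSON.stringify escapes quotes, backslashes and
// control characters, so values stay inside their strings.
function serializeAsJson(values) {
  return JSON.stringify(values);
}

// Vulnerable client: executes the response as code.
function clientEval(responseText) {
  return eval(responseText);
}

// Hardened client: treats the response as data and checks its shape.
function clientParse(responseText) {
  const data = JSON.parse(responseText); // throws on "new Array(...)"
  if (!Array.isArray(data) || !data.every((v) => typeof v === "string")) {
    throw new Error("unexpected response shape");
  }
  return data;
}

// The slide's example array, and a poisoned variant where one element is
// attacker-controlled: it closes the string and the array, calls hijack(),
// and opens a new array so the whole response still parses as JavaScript.
const benignValues = ["Android", "iphone", "Tmobile", "900$", "28 years"];
const poisonedValue = '"), hijack(), new Array("';
const poisonedValues = ["Android", poisonedValue, "Tmobile"];

// Run one serializer/client combination and report what happened.
function runScenario(serialize, client, values) {
  hijacked = false;
  let result = null;
  let error = null;
  try {
    result = client(serialize(values));
  } catch (e) {
    error = e.name;
  }
  return { hijacked: hijacked, result: result, error: error };
}

console.log("legacy + eval, benign:  ", runScenario(serializeAsArrayLiteral, clientEval, benignValues));
console.log("legacy + eval, poisoned:", runScenario(serializeAsArrayLiteral, clientEval, poisonedValues));
console.log("json + parse, poisoned: ", runScenario(serializeAsJson, clientParse, poisonedValues));
console.log("legacy + parse, benign: ", runScenario(serializeAsArrayLiteral, clientParse, benignValues));
```

With the legacy serializer and eval() the poisoned response runs hijack() and the client is left holding a truncated array; with JSON on both sides the same payload comes back as an ordinary string element. The last scenario shows that a JSON.parse client also refuses the legacy "new Array(...)" format outright, which is the useful failure mode during a migration.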

JSON pair injection
- JavaScript Object Notation (JSON) is a simple data exchange format which can contain objects as name/value pairs.
- An attacker can inject a malicious script into the value of either the "Link" or the "Desc" pair; when the client writes those values into the page without escaping, the result is XSS.
- It is another way to serialize malicious content to the user. [3]
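How the "Link" / "Desc" pair from this slide turns into script injection in the DOM, and how to render it safely, as an added example that is not part of the original presentation. The pair names follow the slide; the two sample responses are constructed, and the hardened renderer assumes links are absolute http(s) URLs (relative links are reduced to "#").

```javascript
// Added example (not from the slides): rendering {"Link": ..., "Desc": ...}
// into the page. Sample responses are constructed; absolute http(s) links
// only are assumed for the hardened renderer.

// Parse the response as data and check its shape before using it.
function parseItem(responseText) {
  const item = JSON.parse(responseText);
  if (!item || typeof item.Link !== "string" || typeof item.Desc !== "string") {
    throw new Error("unexpected response shape");
  }
  return item;
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow only absolute http(s) URLs in href; javascript:, data: and anything
// unparseable become a harmless "#".
function safeHref(link) {
  let u;
  try { u = new URL(link); } catch (e) { return "#"; }
  return u.protocol === "http:" || u.protocol === "https:" ? u.href : "#";
}

// Vulnerable renderer: both values land in the markup unescaped, so Desc
// can carry a tag and Link can carry a javascript: URL.
function renderVulnerable(item) {
  return '<a href="' + item.Link + '">' + item.Desc + "</a>";
}

// Hardened renderer: href restricted to http(s), everything escaped before
// it touches the markup.
function renderSafe(item) {
  return '<a href="' + escapeHtml(safeHref(item.Link)) + '">' +
         escapeHtml(item.Desc) + "</a>";
}

// In a browser, prefer building nodes over building strings: textContent and
// setAttribute never parse markup. Browser-only (document is not in Node).
function renderIntoDom(container, item) {
  const a = document.createElement("a");
  a.setAttribute("href", safeHref(item.Link));
  a.textContent = item.Desc;
  container.appendChild(a);
}

// Constructed sample responses: one honest, one carrying an XSS payload in
// both pairs.
const honestResponse =
  '{"Link": "https://example.com/a?b=1&c=2", "Desc": "Tom & \\"Jerry\\""}';
const hostileResponse =
  '{"Link": "javascript:alert(document.cookie)", "Desc": "<img src=x onerror=alert(1)>"}';

console.log("vulnerable:", renderVulnerable(parseItem(hostileResponse)));
console.log("hardened:  ", renderSafe(parseItem(hostileResponse)));
```

The vulnerable renderer emits the onerror handler and the javascript: href verbatim; the hardened one turns the Desc payload into visible text and the Link into "#". Note that escaping alone would not have stopped the javascript: URL, which is why the href needs its own scheme check.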

REFERENCES
[1]
[2]
[3] Ajax Security Holes and Driving Factors.
[4] SC Magazine, article: Hot or not: AJAX vulnerabilities.
[5] What is AJAX?
[6] Article: AJAX Vulnerabilities: How Big the Threat?