Web Application with AJAX. CS 526 Advanced Internet and Web Systems. Presenters: Faris Kateb, Mohammed AbdulAziz, Omar Alzahrani.


Agenda
- Introduction to Ajax
- General techniques used by Ajax
- Ajax security vulnerabilities:
  - JS Array poisoning
  - Flash-based cross domain access
  - Malformed JS Object serialization
  - JSON pair injection
  - Manipulated XML stream
  - Script injection in DOM

April 30, 2012. AJAX / Faris Kateb, Mohammed Abdulaziz & Omar Alzahrani (slide 2)

Before AJAX (slide 3, figure): three dependent form fields, Country, State and City, filled from the server database (example values USA, CO, Denver); each selection sends the whole form back to the server and the page is rebuilt before the next field can be filled.

After AJAX (slide 4, figure): the same Country, State and City fields (USA, CO, Denver) are filled from the server database with a request for only the field that changed, without reloading the page.

AJAX: what is AJAX?
- Asynchronous JavaScript And XML
- Example: Google Search string matching/suggestions
- How does it achieve that? The XMLHttpRequest object:
  - the base object for AJAX
  - available in most browsers
- Through the XMLHttpRequest object you can:
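The request cycle the slide refers to, as an added example that is not part of the original presentation: a small helper around XMLHttpRequest that opens an asynchronous GET, waits for readyState 4, checks the status and declared content type, and hands the body to JSON.parse rather than executing it as script. FakeXMLHttpRequest and its route table are constructed here so the snippet runs outside a browser; in a browser the real XMLHttpRequest is passed instead.

```javascript
// Added example (not from the slides): minimal AJAX helper that treats the
// response as data. The XhrCtor parameter exists only so a stand-in can be
// injected outside a browser; the default is the real browser object.
function ajaxGetJson(url, onResult, XhrCtor = globalThis.XMLHttpRequest) {
  const xhr = new XhrCtor();
  xhr.open("GET", url, true); // third argument true = asynchronous
  xhr.setRequestHeader("Accept", "application/json");
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return; // 4 = DONE
    if (xhr.status !== 200) {
      onResult(new Error("HTTP " + xhr.status), null);
      return;
    }
    // Check the declared type before parsing: an HTML error page or a script
    // body must not silently become application data.
    const ctype = xhr.getResponseHeader("Content-Type") || "";
    if (!ctype.startsWith("application/json")) {
      onResult(new Error("unexpected content type: " + ctype), null);
      return;
    }
    try {
      onResult(null, JSON.parse(xhr.responseText)); // data, never eval()
    } catch (e) {
      onResult(e, null);
    }
  };
  xhr.send(null);
}

// Constructed stand-in for XMLHttpRequest: answers a fixed table of URLs
// synchronously while mimicking readyState/status/responseText.
class FakeXMLHttpRequest {
  static routes = {
    "/suggest?q=den": { status: 200, ctype: "application/json",
                        body: JSON.stringify(["Denver", "Denton"]) },
    "/suggest?q=zzz": { status: 404, ctype: "text/html", body: "<h1>Not found</h1>" },
  };
  constructor() { this.readyState = 0; this.status = 0; this.responseText = ""; this.reqHeaders = {}; }
  open(method, url) { this.method = method; this.url = url; this.readyState = 1; }
  setRequestHeader(name, value) { this.reqHeaders[name] = value; }
  getResponseHeader(name) { return name === "Content-Type" ? this.ctype : null; }
  send() {
    const r = FakeXMLHttpRequest.routes[this.url] || { status: 404, ctype: "text/html", body: "" };
    this.status = r.status; this.ctype = r.ctype; this.responseText = r.body;
    this.readyState = 4;
    if (this.onreadystatechange) this.onreadystatechange();
  }
}

// Search-suggestion lookup in the style of the slide's Google example,
// wired to the fake so it runs stand-alone. Returns { err, data }.
function suggest(query) {
  let out;
  ajaxGetJson("/suggest?q=" + encodeURIComponent(query),
              (err, data) => { out = { err, data }; }, FakeXMLHttpRequest);
  return out;
}
```

The helper refuses anything that is not a 200 with a JSON content type; the security point is that the response body is parsed as data and never passed to eval() or written into the page as markup.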

General Technique (slide 6: diagram only)

Ajax vulnerabilities
- There are many vulnerabilities; our concentration is on the security holes.
- A list of some security holes included in our research:
  - JS Array poisoning
  - Flash-based cross domain access
  - Malformed JS Object serialization
  - JSON pair injection
  - Manipulated XML stream
  - Script injection in DOM

JS Array poisoning
- A popular object for serialization: easy and effective.
- Poisoning a JS array spoils the DOM context.
- A JS array can be exploited with simple cross-site scripting in the browser.
- Example: an auction site for a used mobile serializes the listing as

    var a2 = new Array("Android", "nexus s", "Tmobile", "500$", "1 years");

  A user can inject a script in the last field:

    alert('Array has length ' + a2.length + ' and its element is also ' + a2[5]);
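Why the slide's a2.length and a2[5] change, as an added example that is not from the presentation: the poisoning works because the server builds a JavaScript array literal by string concatenation and the client executes it as script, so a field containing a quote ends its own string and becomes structure. The example contrasts that with JSON serialization and JSON.parse on the client, plus a server-side sanity check on the field. The listing values and the poisoned field are constructed; the helper names are assumptions.

```javascript
// Added example (not from the slides). Unsafe server-side serialization:
// user-supplied fields are concatenated into a JavaScript array literal
// that the client then executes as script.
function unsafeArrayLiteral(fields) {
  return 'new Array("' + fields.join('", "') + '")';
}

// Stand-in for a client that evaluates the server's response as script.
// Used here only on our own constructed input, to observe the effect.
function clientEvalAsScript(literal) {
  return new Function("return " + literal)();
}

// Safe serialization: JSON.stringify escapes quotes, backslashes and control
// characters, so a field can neither terminate its string nor add elements.
function safeArrayLiteral(fields) {
  return JSON.stringify(fields);
}

// Safe client: the response is data, parsed rather than executed.
function clientParseAsData(text) {
  return JSON.parse(text);
}

// Server-side check that complements (does not replace) the encoding:
// listing fields have no business containing quotes, angle brackets or
// backslashes, so reject such values before they are stored at all.
function fieldLooksSane(value) {
  return typeof value === "string" && value.length <= 64 && !/["'<>\\]/.test(value);
}

// Constructed listing matching the slide, and a poisoned copy whose last
// field closes its string and appends a sixth element.
const honestListing = ["Android", "nexus s", "Tmobile", "500$", "1 years"];
const poisonedListing = honestListing.slice(0, 4).concat(['1 years", "injected']);

// Side-by-side result for the poisoned listing.
function demo(fields) {
  const viaUnsafe = clientEvalAsScript(unsafeArrayLiteral(fields));
  const viaSafe = clientParseAsData(safeArrayLiteral(fields));
  return {
    unsafeLength: viaUnsafe.length, // 6: the injected text became an element
    safeLength: viaSafe.length,     // 5: the quote stayed inside the string
    safeLast: viaSafe[4],
    rejectedByCheck: !fieldLooksSane(fields[4]),
  };
}
```

With the unsafe literal the injected text is a sixth array element (the slide's a2[5]); with JSON it is just part of the fifth string, and the input check would have rejected it before storage anyway.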

Flash-based cross domain access
- It is possible to make GET and POST requests from JavaScript within a browser by using a Flash plugin's Ajax interface.
- This also enables cross-domain calls to be made from any particular domain.

(Slide 9 figure: "The page code" and "Attacker's link to swf"; only a fragment of the demo payload survives: firm('Session%20Information%20Sent%20to%20Hacker');//)
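The defender's lever for the cross-domain calls described above is the site's own Flash cross-domain policy file (crossdomain.xml), which declares which domains' Flash content may read responses from this origin. The following is an added review check, not part of the presentation: it extracts allow-access-from grants from a policy and flags the weak settings. Both policy documents are constructed; the hostname www.example.com is a placeholder.

```javascript
// Added example (not from the slides): reviewing a Flash cross-domain policy.
// Constructed weak policy: any domain's Flash may read this site's responses.
const WEAK_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>`;

// Constructed hardened policy: one named domain, HTTPS callers only, and
// only the master policy file at the site root is honoured.
const STRICT_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>`;

// Small extractor for allow-access-from elements; returns one attribute map
// per element. A regex is enough for this fixed, flat element shape.
function allowedDomains(policyXml) {
  const grants = [];
  const elem = /<allow-access-from\b([^>]*)>/g;
  const attr = /([\w-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = elem.exec(policyXml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attr.exec(m[1])) !== null) attrs[a[1]] = a[2];
    grants.push(attrs);
  }
  return grants;
}

// Findings: wildcard and subdomain-wildcard grants, and grants that accept
// plain-http callers. Each one widens who may make credentialed requests.
function reviewPolicy(policyXml) {
  const findings = [];
  for (const g of allowedDomains(policyXml)) {
    const d = g.domain || "";
    if (d === "*") {
      findings.push("wildcard grant: any domain may read responses");
    } else if (d.startsWith("*.")) {
      findings.push("subdomain wildcard grant: " + d);
    }
    if (g.secure === "false") {
      findings.push('secure="false" on ' + d + ": allows http: callers");
    }
  }
  return findings;
}
```

A wildcard grant on an origin that serves authenticated content is the configuration that turns the Flash interface into a cross-domain read of the victim's session data; the strict policy names the one domain that legitimately needs access.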


REFERENCES
[1]
[2]
[3] Ajax Security Holes and Driving Factors
[4] SC Magazine, article: Hot or not: AJAX vulnerabilities
[5]
[6] Article: AJAX Vulnerabilities: How Big the Threat?

Malformed JS Object serialization
- JavaScript supports object-oriented programming (OOP).
- It allows the user to create an object using new Object().
- Objects can be serialized using Ajax and used by JavaScript code.
- An attacker can send a malicious "subject" line embedded with a script, which makes the receiver a victim of XSS. [3]

JSON pair injection
- JavaScript Object Notation (JSON) is a simple data exchange format which can contain objects.
- An attacker can inject a malicious script in either the "Link" or the "Desc" field (XSS).
- This is another way to serialize malicious content to the user. [3]
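The two slides above (malicious "subject" in a serialized object, malicious "Link" or "Desc" in a JSON pair) share one failure: the receiving page takes the deserialized field and writes it into the document as markup. The following is an added example, not from the presentation, showing the receiving side rendering those fields so that they stay text: HTML-escaping each value and accepting only http(s) URLs for the link. The message objects are constructed; the field names follow the slides, the layout is assumed. HTML is built as a string so the snippet runs outside a browser; in page code the same effect comes from textContent and setAttribute instead of innerHTML.

```javascript
// Added example (not from the slides): safe rendering of fields taken from a
// serialized object or JSON pair. Escape the five characters that can start
// markup or end an attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// The Link field becomes an href only if it parses as an http(s) URL; a
// javascript: or data: URL is rendered as plain text instead.
function safeHref(link) {
  try {
    const u = new URL(String(link));
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Renders { subject, Desc, Link } as HTML text with every field escaped.
function renderMessage(msg) {
  const href = safeHref(msg.Link);
  const linkHtml = href
    ? '<a href="' + escapeHtml(href) + '" rel="noopener">' + escapeHtml(msg.Link) + "</a>"
    : escapeHtml(msg.Link);
  return '<div class="msg"><h3>' + escapeHtml(msg.subject) + "</h3>" +
         "<p>" + escapeHtml(msg.Desc) + "</p>" + linkHtml + "</div>";
}

// Constructed messages: one hostile in all three fields, one benign.
const hostileMessage = {
  subject: "<script>alert(1)</script>",
  Desc: 'click "here" <img src=x onerror=alert(1)>',
  Link: "javascript:alert(1)",
};
const benignMessage = {
  subject: "For sale",
  Desc: "nexus s, 500$",
  Link: "https://www.example.com/item/1",
};
```

Escaping on output is what keeps the serialized "subject", "Desc" and "Link" values as data in the DOM; the URL check handles the one place (an href) where escaping alone is not enough.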