Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ajax Security Douglas Crockford Yahoo! javascript.crockford.com/security.ppt.

Published byBrian Lopez Modified over 10 years ago

Similar presentations

Presentation on theme: "Ajax Security Douglas Crockford Yahoo! javascript.crockford.com/security.ppt."— Presentation transcript:

1 Ajax Security Douglas Crockford Yahoo! javascript.crockford.com/security.ppt

2 Security The number 1 biggest problem with the whole World Wide Web.

3 The browser is not a safe programming environment. It is inherently insecure.

4 What can an attacker do if he gets some script into your page?

5 An attacker can request additional scripts from any server in the world. Once it gets a foothold, it can obtain all of the scripts it needs.

6 An attacker can make requests of your server. Your server cannot detect that the request did not originate with your application.

7 An attacker can read the document. The attacker can see everything the user sees.

8 An attacker has control over the display and can request information from the user. The user cannot detect that the request did not originate with your application.

9 An attacker can send information to servers anywhere in the world.

10 The browser does not prevent any of these. That's why they happen.

11 The consequences of a successful attack are horrible. Harm to customers. Loss of trust. Legal liabilities. Possible criminal penalties.

12 This is not a Web 2.0 problem. All of these problems came with Netscape 2 in 1995.

13 The Turducken Problem Many Languages: HTTP, HTML, URL, CSS, JavaScript, XML, JSON, plaintext, SQL... Each language has different quoting and commenting conventions. The languages can be nested inside each other.

14 A text that is benign in one context might be dangerous in another. Sloppy encoding allows injection of evil scripts

15 A Simple Attack http://yourdomain.com/ alert("XSS"); File not found: alert("XSS"); The script runs with the authority of your site.

16 A Simple Attack http://yourdomain.com/ alert("XSS"); File not found: <script>alert("XSS");</script> Proper escapement provides some safety.

17 Another Example Bad text " + alert("XSS") + " Bad encoding {"json": "" + alert("XSS") + ""} Good encoding {"json": "\" + alert(\"XSS\") + \""}

18 Coding hygiene is critical for avoiding turducken attacks. Use good encoders. json.org/json2.js Do not use simple concatenation. Never trust the browser. Validate all input.

19 Cross Site Data Access It is extremely useful to obtain data from other sites and mash it up.

20 Same Origin Policy Prevents useful things. Allows dangerous things.

21 Script Tag Hack Scripts (strangely) are exempt from Same Origin Policy. A dynamic script tag can make a GET request from a server. receiver(jsontext); Extremely dangerous. It is impossible to assure that the server did not send an evil script.

22 JavaScript's Global Object The root cause of XSS attacks. All scripts run with the same authority.

23 JavaScript is an insecure language. The ES4 Proposal is even worse. It should be abandoned.

24 Document Object Model All nodes are linked to all other nodes and to the network.

25 Cookies Ambient authority leads to confusion and impersonation (XSRF)

26 Remedy: Crumbs An explicit secret should be sent with the ambient cookie. Frustrates XSRF attacks. Not effective against XSS attacks.

27 Excellent Code Quality If code is clean and readable, it is less likely to contain insecurities.

28 JSLint JSLint defines a professional subset of JavaScript. It imposes a programming discipline that makes me much more confident in a dynamic, loosely-typed environment. http://www.JSLint.com/

29 W arning! JSLint will hurt your feelings.

30 If the web as been totally screwed up from the beginning, why should we worry about it now? 1. Escalating legal penalties 2. Mashups 3. Competition

31 Mashups The most interesting innovation in software development in 20 years.

32 Mashups are insecure. Mashups must not have access to any confidential information.

33 If there is script from two or more sources, the application is not secure. Period.

34 Advertising is a mashup.

35 Competition to displace the web. Silverlight. AIR. JavaFX.

36 That wouldn't be the end of the world. It would just be the end of the WWW.

37 A Three Prong Strategy to Fix the Web 1.Safe JavaScript subsets. 2.Small browser improvements. 3.Massive browser improvements. This could take a while, so we should proceed on all three immediately.

38 1. Safe JavaScript Subsets. The easiest way to improve JavaScript is to make it smaller.

39 ADsafe A JSLint option. It defines a safe HTML/JavaScript subset. Removes from JavaScript all features that are unsafe or suspect. Allows foreign ads and widgets to safely interact.

40 ADsafe No global variables or functions may be defined. No global variables or functions can be accessed except the ADSAFE object. The [] subscript operator may not be used. These words cannot be used: apply call callee caller constructor eval new prototype this watch Words starting with _ cannot be used.

41 Dangers There may still be undiscovered weaknesses in ECMAScript and its many implementations. Browser implementations are changing, introducing new weaknesses. The DOM wrappers must be flawless. We are still subject to XSS attacks.

42 2. Add Simple Features to the Browsers. Even simple improvements can take a long time to distribute.

43 JSONRequest for safe data interchange.

44 Vats Communicating computational containment vessels

45 HTML Provides No Modules It was conceived to be a document format. We are using it as an application format. Applications requires modules. Modules protect their contents. Modules communicate by exposing clean interfaces.

46 Vats Adapting Google's Gears or Adobe's AIR to provide communicating containment. Provides cooperation under mutual suspicion. Heavyweight. Distribution is difficult. Still subject to XSS attacks.

47 3. We need to replace JavaScript and the DOM. As long as we are using insecure languages, we will be subject to XSS attacks.

48 Start with the ADsafe subset, and then carefully add features to enhance expressiveness.

49 A is an Object. Object A has state and behavior.

50 Object A has a reference to Object B. An object can have references to other objects. has-a

51 ...because it has a reference to Object B. Object A can communicate with Object B...

52 Object B provides an interface that constrains access to its own state and references. Every object is a micro vat.

53 Object A does not have a reference to Object C, so Object A cannot communicate with Object C. In an Object Capability System, an object can only communicate with objects that it has references to.

54 An Object Capability System is produced by constraining the ways that references are obtained. A reference cannot be obtained simply by knowing the name of a global variable or a public class.

55 There are exactly three ways to obtain a reference. 1.By Creation. 2.By Construction. 3.By Introduction.

56 1. By Creation If a function creates an object, it gets a reference to that object.

57 2. By Construction An object may be endowed by its constructor with references. This can include references in the constructor's context and inherited references.

58 3. By Introduction A has a references to B and C. B has no references, so it cannot communicate with A or C. C has no references, so it cannot communicate with A or B.

59 3. By Introduction A calls B, passing a reference to C.

60 3. By Introduction B is now able to communicate with C. It has the capability.

61 Weaknesses to avoid include 1.Arrogation. 2.Corruption. 3.Confusion. 4.Collusion.

62 There is no security in obscurity Tricks and puzzles are not effective. Speed bumps are not effective.

63 False security increases the danger. Ineffective measures make things worse.

64 The security problems are not new. The problems are getting harder to ignore.

65 Ultimately We need to replace JavaScript with a secure language. The current ES4 proposal is not that language. We need to replace HTML and the DOM with a secure application delivery system. The current HTML5 proposal is not that either.

66 Ultimately Secure programming language to replace JavaScript. A modular application framework to replace the DOM and CSS. A common text representation and protocol to replace HTTP and the Ajax stack. Otherwise, the web may fall to newer proprietary systems.

67 Meanwhile Never trust the browser. Formally validate everything you receive from the browser. Properly encode everything you send to the browser or database. Do not circumvent what little security the browser offers. Never put data on the wire unless you want it to be delivered. Don't take ineffective measures.

68 Be Rigorous Sloppiness aids the Enemy. Neatness counts. Use good encoders. Avoid concatenation. Be paranoid.

69 Turducken

Download ppt "Ajax Security Douglas Crockford Yahoo! javascript.crockford.com/security.ppt."

Similar presentations

Web 2.0 Programming 1 © Tongji University, Computer Science and Technology. Web Web Programming Technology 2012.

Web 2.0 Programming 1 © Tongji University, Computer Science and Technology. Web Web Programming Technology 2012.
JavaScript: A Language of Many Contrasts

JavaScript: A Language of Many Contrasts
Secure ECMAScript Name Subject To Change

Secure ECMAScript Name Subject To Change
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
Douglas Crockford Principles Security of. White hats vs. black hats. Security is not hats.

Douglas Crockford Principles Security of. White hats vs. black hats. Security is not hats.
Standards and Increasing Maintainability on Web- based Systems James Eaton SE4112/16/2006.

Standards and Increasing Maintainability on Web- based Systems James Eaton SE4112/16/2006.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
JSON, ADsafe, and Misty Douglas Crockford Yahoo!.

JSON, ADsafe, and Misty Douglas Crockford Yahoo!.
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
SERVER web page repository WEB PAGE instructions stores information and instructions BROWSER retrieves web page and follows instructions Server Web Server.

SERVER web page repository WEB PAGE instructions stores information and instructions BROWSER retrieves web page and follows instructions Server Web Server.
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Cloud Computing Lecture #7 Introduction to Ajax Jimmy Lin The iSchool University of Maryland Wednesday, October 15, 2008 This work is licensed under a.

Cloud Computing Lecture #7 Introduction to Ajax Jimmy Lin The iSchool University of Maryland Wednesday, October 15, 2008 This work is licensed under a.
Web Page Behavior IS 373—Web Standards Todd Will.

Web Page Behavior IS 373—Web Standards Todd Will.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.

COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.
Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.

Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.

Similar presentations

Ads by Google