Ajax Applications : A Blueprint for Disaster Bryan Sullivan, Security Program Manager Microsoft...

Post on 13-Jan-2016


Ajax Applications : A Blueprint for Disaster

Bryan Sullivan, Security Program Manager

Microsoft

Originally developed with Billy Hoffman, Hewlett Packard


General Ajax Security Issues

• Increased attack surface
• Direct API access
• Easier to reverse-engineer
• Amplifies web attacks
• Offline attacks

…in theory…

Theory put to the test

• Ajax application built using “expert” advice

• Books
• Blogs
• Conferences

DEMONSTRATION: Hacker Vacations


Lessons learned

1. You cannot control client-side code

2. Don’t store secrets in client-side code

3. Don’t let client-side code perform authentication/authorization functions

4. Don’t expose admin functionality

5. Remember web application security basics

6. Exercise caution when converting data to HTML on the client

PATTERNS AND ANTIPATTERNS: Ajax Security


Antipattern 1: Domino Effect

(Diagram: chained calls holdSeat → makeOffer → chargeAccount → bookSeat)

Pattern 1: Polling Status Calls

(Diagram: PerformLongOp, followed by repeated GetStatus calls)

Antipattern 2: Holding Critical State on Client

• Script variables
• Flash/Silverlight variables
• Offline storage mechanisms
• Local Shared Objects, i.e. “Flash cookies”
• Silverlight Isolated Storage
• Hidden form fields
• Cookies

Pattern 2: Hold Critical State on Server

• Keep session state just like Web 1.0


Antipattern 3: Single-call Authorization

(Diagram: holdSeat → makeOffer → chargeAccount; authorization is checked at only one of the calls)

Pattern 3: Every-call Authorization

(Diagram: holdSeat → makeOffer → chargeAccount; authorization is checked at every call: “Check authorization here …and here …and here”)

Antipattern 4: Exposing Admin Libraries


Pattern 4: Segregate Admin Libraries
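Added example, not code from the talk: a server-side sketch of the seat-booking workflow named in Antipatterns 1–4, showing the matching patterns. It assumes a hypothetical in-memory session store and that each Ajax endpoint receives a server-issued session id.

```javascript
// Added example (not from the slides). Server-side handlers for the booking
// workflow, written to avoid Antipatterns 1-4. Assumed: one in-memory session
// store keyed by a server-issued session id (hypothetical).
const sessions = new Map(); // sessionId -> { userId, role, step, seat, charged }

function login(sessionId, userId, role) {
  // Pattern 2: workflow state lives on the server, never in script variables,
  // hidden fields or cookies the client could edit.
  sessions.set(sessionId, { userId, role, step: 'start', seat: null, charged: false });
}

function authorize(sessionId, requiredRole) {
  const s = sessions.get(sessionId);
  if (!s) throw new Error('not authenticated');
  if (requiredRole && s.role !== requiredRole) throw new Error('forbidden');
  return s;
}

// Pattern 3: every endpoint re-authorizes. Against the domino effect
// (Antipattern 1), the server, not the client, decides whether this step
// may run now, based on the step it recorded previously.
function runStep(sessionId, name, expectedStep, nextStep, work) {
  const s = authorize(sessionId, 'customer');
  if (s.step !== expectedStep) {
    throw new Error(`${name} rejected: requires state '${expectedStep}', session is '${s.step}'`);
  }
  work(s);
  s.step = nextStep;
  return { ok: true, step: s.step };
}

const holdSeat      = (sid, seat) => runStep(sid, 'holdSeat', 'start', 'held', s => { s.seat = seat; });
const makeOffer     = (sid)       => runStep(sid, 'makeOffer', 'held', 'offered', () => {});
const chargeAccount = (sid)       => runStep(sid, 'chargeAccount', 'offered', 'charged', s => { s.charged = true; });
const bookSeat      = (sid)       => runStep(sid, 'bookSeat', 'charged', 'booked', s => {
  // Server-held flag, not a parameter the client sends.
  if (!s.charged) throw new Error('bookSeat rejected: account not charged');
});

// Pattern 4: admin functionality is its own handler with its own role check,
// not a library that the customer-facing page happens to load.
function adminReleaseSeat(adminSid, targetSid) {
  authorize(adminSid, 'admin');
  const t = sessions.get(targetSid);
  if (!t) throw new Error('no such session');
  Object.assign(t, { seat: null, step: 'start', charged: false });
  return { ok: true };
}
```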


Use with care: Client-side Data Binding


Conclusion

With great power comes great responsibility


More resources

My blog: http://blogs.msdn.com/sdl/

My alias: bryansul