When Web 2.0 Attacks! - OWASP (slide transcript)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
AppSec DC
http://www.owasp.org
When Web 2.0 Attacks! Understanding Ajax, Flash and other highly interactive web technologies…
Rafal M. Los, AppSec Specialist, Hewlett-Packard, ASC
[email protected]
+1 (404) 606-6056
http://twitter.com/RafalLos
November 10-13th, 2009
• Render simple HTML content
• Render complex, synchronous content
• Render complex, asynchronous content
• Perform complex, asynchronous interactions
• Perform complex, asynchronous, offline interactions
2 reasons “Web 2.0” happened…
1. Processing power requirement moved off to client
2. Decrease bandwidth required for interactions

What happened…
• Logic moved from server to client
• Invention of the asynchronous transaction
• The “offline web” application
```actionscript
// Decompiled ActionScript button handler: the password comparisons and
// the customer page URLs live entirely inside the client-side SWF.
… button 9 {
    on (release, keyPress '<Enter>') {
        if (password eq 'PASSWORD') {
            getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/778.html', '');
        } else {
            if (password eq 'PASSWORD') {
                getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/781.html', '');
            } else {
                if (password eq 'PASSWORD') {
                    getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/783.html', '');
                } else {
                    if (password eq 'PASSWORD') {
                        getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/771.html', '');
                    } else {
                        if (password eq 'PASSWORD') {
                            getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/799.html', '');
                        } else {
                            …
```
… wait, I thought you couldn’t do that!
Having some fun with MapQuest… (yes, still)
Diagram: Would you rather hack this… (Remote System: Application and Database, reached over the Internet through Hardened Defenses) … or this? (Browser… with Local Database and Local App Cache)
| Online Application | Offline Application |
|---|---|
| Remote data storage | Local data storage |
| Enterprise DB typically “secured” | Local DB “forgotten” |
| Enterprise DB difficult to access | Local DB … on local filesystem |
| Attack trips security mechanisms | No local security mechanisms |
| Remote Logic | Local “Cached” Logic |
| Manipulate at run-time, remotely | Manipulate code, locally |
| Remote validation of logic | Fully control/manipulate logic |
First, came the applications…
They were attacked.
Then they were hardened.
Users wanted more.
Applications were extended via APIs.
3rd parties built interfaces using the APIs
Hackers attacked users via application APIs
Validate all data as it comes into your application, and also as it leaves
• Validate every single piece of data, always
• Mix white-list and black-list, focusing on minimum required data sets
• Make sure you know what’s leaving your application…
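Added example, not from the slides: one way to apply the three points above to a JSON request handler, with an allow-list restricted to the minimum fields the handler needs, a deny-list layered on top, and HTML encoding for data on its way out (the field set, patterns and sample payloads are constructed).

```javascript
// Added example (not from the slides). Inbound: allow-list the minimum data
// set (field names, types, patterns), reject anything extra, then apply a
// deny-list as a second layer. Outbound: encode for the context the data is
// leaving into. Fields, patterns and payloads are constructed.

// Allow-list: the only fields this endpoint needs, each with a strict pattern.
const SCHEMA = {
  username: /^[a-z0-9_]{3,32}$/,
  zip: /^[0-9]{5}$/,
};

// Deny-list: fragments that must never appear even if a pattern is loosened.
const DENY = [/<\s*script/i, /javascript:/i, /\x00/];

function validateInbound(payload) {
  const errors = [];
  const clean = {};
  // Minimum data set: unknown fields are rejected, not silently dropped.
  for (const key of Object.keys(payload)) {
    if (!(key in SCHEMA)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, pattern] of Object.entries(SCHEMA)) {
    const value = payload[key];
    if (typeof value !== "string") {
      errors.push(`${key}: missing or not a string`);
      continue;
    }
    if (!pattern.test(value)) {
      errors.push(`${key}: fails allow-list`);
      continue;
    }
    if (DENY.some((re) => re.test(value))) {
      errors.push(`${key}: matches deny-list`);
      continue;
    }
    clean[key] = value; // only validated fields reach the application
  }
  return { ok: errors.length === 0, clean, errors };
}

// Outbound: know what leaves, and encode it for the HTML context.
function encodeForHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreeting(record) {
  return `<p>Hello, ${encodeForHtml(record.username)}</p>`;
}
```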
Usable security is a myth on the web.
Web 2.0+ focuses on usability, over security.
“Cool” wins over “secure” every time.
Never trust the user to make a decision.