Full Description
The Hands-On, Practical Guide to Preventing Ajax-Related Security Vulnerabilities

More and more Web sites are being rewritten as Ajax applications; even traditional desktop software is rapidly moving to the Web via Ajax. But, all too often, this transition is being made with reckless disregard for security. If Ajax applications aren't designed and coded properly, they can be susceptible to far more dangerous security vulnerabilities than conventional Web or desktop software. Ajax developers desperately need guidance on securing their applications: knowledge that's been virtually impossible to find, until now. Ajax Security systematically debunks today's most dangerous myths about Ajax security, illustrating key points with detailed case studies of actual exploited Ajax vulnerabilities, ranging from MySpace's Samy worm to MacWorld's conference code validator. Even more important, it delivers specific, up-to-the-minute recommendations for securing Ajax applications in each major Web programming language and environment, including .NET, Java, PHP, and even Ruby on Rails.
You'll learn how to:

- Mitigate unique risks associated with Ajax, including overly granular Web services, application control flow tampering, and manipulation of program logic
- Write new Ajax code more safely, and identify and fix flaws in existing code
- Prevent emerging Ajax-specific attacks, including JavaScript hijacking and persistent storage theft
- Avoid attacks based on XSS and SQL Injection, including a dangerous SQL Injection variant that can extract an entire backend database with just two requests
- Leverage security built into Ajax frameworks like Prototype, Dojo, and ASP.NET AJAX Extensions, and recognize what you still must implement on your own
- Create more secure "mashup" applications

Ajax Security will be an indispensable resource for developers coding or maintaining Ajax applications, architects and development managers planning or designing new Ajax software, and all software security professionals, from QA specialists to penetration testers.
Contents
- Preface (p. xvii)
- Preface (The Real One) (p. xix)
- Chapter 1: Introduction to Ajax Security (p. 1)
  - An Ajax Primer (p. 2)
  - What Is Ajax? (p. 2)
  - Asynchronous (p. 3)
  - JavaScript (p. 6)
  - XML (p. 11)
  - Dynamic HTML (DHTML) (p. 11)
  - The Ajax Architecture Shift (p. 11)
  - Thick-Client Architecture (p. 12)
  - Thin-Client Architecture (p. 13)
  - Ajax: The Goldilocks of Architecture (p. 15)
  - A Security Perspective: Thick-Client Applications (p. 16)
  - A Security Perspective: Thin-Client Applications (p. 17)
  - A Security Perspective: Ajax Applications (p. 18)
  - A Perfect Storm of Vulnerabilities (p. 19)
  - Increased Complexity, Transparency, and Size (p. 19)
  - Sociological Issues (p. 22)
  - Ajax Applications: Attractive and Strategic Targets (p. 23)
  - Conclusions (p. 24)
- Chapter 2: The Heist (p. 25)
  - Eve (p. 25)
  - Hacking HighTechVacations.net (p. 26)
  - Hacking the Coupon System (p. 26)
  - Attacking Client-Side Data Binding (p. 32)
  - Attacking the Ajax API (p. 36)
  - A Theft in the Night (p. 42)
- Chapter 3: Web Attacks (p. 45)
  - The Basic Attack Categories (p. 45)
  - Resource Enumeration (p. 46)
  - Parameter Manipulation (p. 50)
  - Other Attacks (p. 75)
  - Cross-Site Request Forgery (CSRF) (p. 75)
  - Phishing (p. 76)
  - Denial-of-Service (DoS) (p. 77)
  - Protecting Web Applications from Resource Enumeration and Parameter Manipulation (p. 77)
  - Secure Sockets Layer (p. 78)
  - Conclusions (p. 78)
- Chapter 4: Ajax Attack Surface (p. 81)
  - Understanding the Attack Surface (p. 81)
  - Traditional Web Application Attack Surface (p. 83)
  - Form Inputs (p. 83)
  - Cookies (p. 84)
  - Headers (p. 85)
  - Hidden Form Inputs (p. 86)
  - Query Parameters (p. 86)
  - Uploaded Files (p. 89)
  - Traditional Web Application Attacks: A Report Card (p. 90)
  - Web Service Attack Surface (p. 92)
  - Web Service Methods (p. 92)
  - Web Service Definitions (p. 94)
  - Ajax Application Attack Surface (p. 94)
  - The Origin of the Ajax Application Attack Surface (p. 96)
  - Best of Both Worlds, for the Hacker (p. 98)
  - Proper Input Validation (p. 98)
  - The Problem with Blacklisting and Other Specific Fixes (p. 99)
  - Treating the Symptoms Instead of the Disease (p. 102)
  - Whitelist Input Validation (p. 105)
  - Regular Expressions (p. 109)
  - Additional Thoughts on Input Validation (p. 109)
  - Validating Rich User Input (p. 111)
  - Validating Markup Languages (p. 111)
  - Validating Binary Files (p. 113)
  - Validating JavaScript Source Code (p. 114)
  - Validating Serialized Data (p. 120)
  - The Myth of User-Supplied Content (p. 122)
  - Conclusion (p. 123)
- Chapter 5: Ajax Code Complexity (p. 125)
  - Multiple Languages and Architectures (p. 125)
  - Array Indexing (p. 126)
  - String Operations (p. 128)
  - Code Comments (p. 129)
  - Someone Else's Problem (p. 130)
  - JavaScript Quirks (p. 132)
  - Interpreted, Not Compiled (p. 132)
  - Weakly Typed (p. 133)
  - Asynchronicity (p. 135)
  - Race Conditions (p. 135)
  - Deadlocks and the Dining Philosophers Problem (p. 139)
  - Client-Side Synchronization (p. 144)
  - Be Careful Whose Advice You Take (p. 144)
  - Conclusions (p. 145)
- Chapter 6: Transparency in Ajax Applications (p. 147)
  - Black Boxes Versus White Boxes (p. 147)
  - Example: MyLocalWeatherForecast.com (p. 150)
  - Example: MyLocalWeatherForecast.com "Ajaxified" (p. 152)
  - Comparison Conclusions (p. 156)
  - The Web Application as an API (p. 156)
  - Data Types and Method Signatures (p. 158)
  - Specific Security Mistakes (p. 158)
  - Improper Authorization (p. 159)
  - Overly Granular Server API (p. 161)
  - Session State Stored in JavaScript (p. 164)
  - Sensitive Data Revealed to Users (p. 165)
  - Comments and Documentation Included in Client-Side Code (p. 166)
  - Data Transformation Performed on the Client (p. 167)
  - Security through Obscurity (p. 172)
  - Obfuscation (p. 173)
  - Conclusions (p. 174)
- Chapter 7: Hijacking Ajax Applications (p. 175)
  - Hijacking Ajax Frameworks (p. 176)
  - Accidental Function Clobbering (p. 176)
  - Function Clobbering for Fun and Profit (p. 178)
  - Hijacking On-Demand Ajax (p. 184)
  - Hijacking JSON APIs (p. 190)
  - Hijacking Object Literals (p. 195)
  - Root of JSON Hijacking (p. 195)
  - Defending Against JSON Hijacking (p. 196)
  - Conclusions (p. 199)
- Chapter 8: Attacking Client-Side Storage (p. 201)
  - Overview of Client-Side Storage Systems (p. 201)
  - General Client-Side Storage Security (p. 202)
  - HTTP Cookies (p. 204)
  - Cookie Access Control Rules (p. 206)
  - Storage Capacity of HTTP Cookies (p. 211)
  - Lifetime of Cookies (p. 215)
  - Additional Cookie Storage Security Notes (p. 216)
  - Cookie Storage Summary (p. 216)
  - Flash Local Shared Objects (p. 218)
  - Flash Local Shared Objects Summary (p. 225)
  - DOM Storage (p. 226)
  - Session Storage (p. 227)
  - Global Storage (p. 229)
  - The Devilish Details of DOM Storage (p. 231)
  - DOM Storage Security (p. 233)
  - DOM Storage Summary (p. 234)
  - Internet Explorer userData (p. 235)
  - Security Summary (p. 240)
  - General Client-Side Storage Attacks and Defenses (p. 240)
  - Cross-Domain Attacks (p. 241)
  - Cross-Directory Attacks (p. 242)
  - Cross-Port Attacks (p. 243)
  - Conclusions (p. 243)
- Chapter 9: Offline Ajax Applications (p. 245)
  - Offline Ajax Applications (p. 245)
  - Google Gears (p. 247)
  - Native Security Features and Shortcomings of Google Gears (p. 248)
  - Exploiting WorkerPool (p. 251)
  - LocalServer Data Disclosure and Poisoning (p. 253)
  - Directly Accessing the Google Gears Database (p. 257)
  - SQL Injection and Google Gears (p. 258)
  - How Dangerous Is Client-Side SQL Injection? (p. 262)
  - Dojo.Offline (p. 264)
  - Keeping the Key Safe (p. 265)
  - Keeping the Data Safe (p. 266)
  - Good Passwords Make for Good Keys (p. 267)
  - Client-Side Input Validation Becomes Relevant (p. 268)
  - Other Approaches to Offline Applications (p. 270)
  - Conclusions (p. 270)
- Chapter 10: Request Origin Issues (p. 273)
  - Robots, Spiders, Browsers, and Other Creepy Crawlers (p. 273)
  - "Hello! My Name Is Firefox. I Enjoy Chunked Encoding, PDFs, and Long Walks on the Beach." (p. 275)
  - Request Origin Uncertainty and JavaScript (p. 276)
  - Ajax Requests from the Web Server's Point of View (p. 276)
  - Yourself, or Someone Like You (p. 280)
  - Sending HTTP Requests with JavaScript (p. 282)
  - JavaScript HTTP Attacks in a Pre-Ajax World (p. 284)
  - Hunting Content with XMLHttpRequest (p. 286)
  - Combination XSS/XHR Attacks in Action (p. 290)
  - Defenses (p. 292)
  - Conclusions (p. 294)
- Chapter 11: Web Mashups and Aggregators (p. 295)
  - Machine-Consumable Data on the Internet (p. 296)
  - Early 90's: Dawn of the Human Web (p. 296)
  - Mid 90s: The Birth of the Machine Web (p. 297)
  - 2000s: The Machine Web Matures (p. 298)
  - Publicly Available Web Services (p. 299)
  - Mashups: Frankenstein on the Web (p. 301)
  - ChicagoCrime.org (p. 302)
  - HousingMaps.com (p. 303)
  - Other Mashups (p. 304)
  - Constructing Mashups (p. 304)
  - Mashups and Ajax (p. 306)
  - Bridges, Proxies, and Gateways: Oh My! (p. 308)
  - Ajax Proxy Alternatives (p. 309)
  - Attacking Ajax Proxies (p. 310)
  - Et Tu, HousingMaps.com? (p. 312)
  - Input Validation in Mashups (p. 314)
  - Aggregate Sites (p. 317)
  - Degraded Security and Trust (p. 324)
  - Conclusions (p. 327)
- Chapter 12: Attacking the Presentation Layer (p. 329)
  - A Pinch of Presentation Makes the Content Go Down (p. 329)
  - Attacking the Presentation Layer (p. 333)
  - Data Mining Cascading Style Sheets (p. 334)
  - Look and Feel Hacks (p. 337)
  - Advanced Look and Feel Hacks (p. 341)
  - Embedded Program Logic (p. 345)
  - Cascading Style Sheets Vectors (p. 347)
  - Modifying the Browser Cache (p. 348)
  - Preventing Presentation Layer Attacks (p. 352)
  - Conclusion (p. 353)
- Chapter 13: JavaScript Worms (p. 355)
  - Overview of JavaScript Worms (p. 355)
  - Traditional Computer Viruses (p. 356)
  - JavaScript Worms (p. 359)
  - JavaScript Worm Construction (p. 361)
  - JavaScript Limitations (p. 363)
  - Propagating JavaScript Worms (p. 364)
  - JavaScript Worm Payloads (p. 364)
  - Putting It All Together (p. 372)
  - Case Study: Samy Worm (p. 373)
  - How It Worked (p. 374)
  - The Virus' Payload (p. 377)
  - Conclusions About the Samy Worm (p. 379)
  - Case Study: Yamanner Worm (JS/Yamanner-A) (p. 380)
  - How It Worked (p. 380)
  - The Virus' Payload (p. 383)
  - Conclusions About the Yamanner Worm (p. 384)
  - Lessons Learned from Real JavaScript Worms (p. 387)
  - Conclusions (p. 389)
- Chapter 14: Testing Ajax Applications (p. 391)
  - Black Magic (p. 391)
  - Not Everyone Uses a Web Browser to Browse the Web (p. 396)
  - Catch-22 (p. 398)
  - Security Testing Tools, or Why Real Life Is Not Like Hollywood (p. 399)
  - Site Cataloging (p. 400)
  - Vulnerability Detection (p. 401)
  - Analysis Tool: Sprajax (p. 403)
  - Analysis Tool: Paros Proxy (p. 406)
  - Analysis Tool: LAPSE (Lightweight Analysis for Program Security in Eclipse) (p. 408)
  - Analysis Tool: WebInspect (TM) (p. 409)
  - Additional Thoughts on Security Testing (p. 411)
- Chapter 15: Analysis of Ajax Frameworks (p. 413)
  - ASP.NET (p. 413)
  - ASP.NET AJAX (formerly Atlas) (p. 414)
  - ScriptService (p. 417)
  - Security Showdown: UpdatePanel Versus ScriptService (p. 419)
  - ASP.NET AJAX and WSDL (p. 420)
  - ValidateRequest (p. 424)
  - ViewStateUserKey (p. 425)
  - ASP.NET Configuration and Debugging (p. 426)
  - PHP (p. 427)
  - Sajax (p. 427)
  - Sajax and Cross-Site Request Forgery (p. 430)
  - Java EE (p. 431)
  - Direct Web Remoting (DWR) (p. 432)
  - JavaScript Frameworks (p. 434)
  - A Warning About Client-Side Code (p. 435)
  - Prototype (p. 435)
  - Conclusions (p. 437)
- Appendix A: Samy Source Code (p. 439)
- Appendix B: Source Code for Yamanner Worm (p. 447)
- Index (p. 453)