Security in Web 2.0, AJAX, SOA

4 Jul 2012

Security in Web 2.0, AJAX, SOA
Dennis Hurst
Application Security Center, HP Software
© 2007 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice

Agenda
• HTTP – How web sites work
• Fundamentals of AJAX, WebServices & SOA
• Fundamentals of web hacks (SQL Injection)
• Hacking AJAX
• Exploiting WebServices & Bridges
• Testing Security in Web 2.0
HTTP

What is HTTP?
[Diagram: Web Application – HTTP – Network]

What is HTTP? How Does Your Application Work?
• GET – Simple query string based request
• POST – Contains POST data in the body of the request
[Diagram: the Client PC sends a Request across the Network to the Server; the Web Application on the Server answers with a Response over HTTP]
October 2003 Copyright © 2006 HP corporate presentation. All rights reserved. Slide 2
[Comment by Juergen Pilz, 21-Mar-08: Under Quality Center, FT should also be listed as an item.]

HTTP – GET With a Query String

HTTP – POST With POST Data
Tools – Local Host Proxies
[Diagram: Browser – Proxy – Web Server]

Tools – HTTP Editors

Demo – Localhost Proxies & HTTP Editors
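The GET-with-a-query-string and POST-with-POST-data slides, and the localhost proxy and HTTP editor tools, all come down to the same thing: the request is plain text the client controls, and the parameters live either in the query string or in the body. The following Python script is an added illustration, not code from the presentation; it parses two constructed sample requests the way a proxy sees them, pulls the parameters out of either location, rewrites one parameter and re-serializes the request with a corrected Content-Length. The host name, path and parameter names are made up for the example.

```python
# Added example (not from the slides): what a localhost proxy or HTTP editor
# sees.  A raw request is parsed, the client-supplied parameters are pulled
# out of the query string (GET) or the form body (POST), one parameter is
# rewritten and the request is serialized again with a correct Content-Length.
# Host names, paths and parameter names below are constructed sample data.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample requests as they would cross the proxy between the
# browser and the web server.
GET_REQUEST = (
    "GET /events.aspx?cboLocation=3&view=list HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: demo-browser\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /events.aspx HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "cboLocation=3&view=list"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def get_header(req, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in req["headers"].items():
        if key.lower() == name.lower():
            return value
    return None


def extract_params(req):
    """Return every client-supplied parameter wherever it travels: the query
    string is always read, the body only for a form-encoded POST.  Either way
    the server receives strings the client chose."""
    params = dict(parse_qsl(urlsplit(req["target"]).query))
    ctype = get_header(req, "Content-Type") or ""
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(req["body"]))
    return params


def serialize(req):
    """Turn the parsed structure back into its on-the-wire form."""
    lines = [f'{req["method"]} {req["target"]} {req["version"]}']
    lines += [f"{k}: {v}" for k, v in req["headers"].items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


def set_param(req, name, value):
    """Rewrite one parameter the way an HTTP editor does before forwarding the
    request: a POST body gets a recomputed Content-Length, a GET query string
    is rebuilt in place."""
    edited = dict(req, headers=dict(req["headers"]))
    if edited["method"] == "POST":
        body = dict(parse_qsl(edited["body"]))
        body[name] = value
        edited["body"] = urlencode(body)
        for key in edited["headers"]:
            if key.lower() == "content-length":
                edited["headers"][key] = str(len(edited["body"].encode()))
    else:
        parts = urlsplit(edited["target"])
        query = dict(parse_qsl(parts.query))
        query[name] = value
        edited["target"] = urlunsplit(parts._replace(query=urlencode(query)))
    return serialize(edited)


if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST):
        req = parse_request(raw)
        print(req["method"], extract_params(req))
    print(set_param(parse_request(POST_REQUEST), "cboLocation", "42"))
```

The point of `extract_params` is that the application's view of "a parameter" is the same for both methods; the POST/GET distinction only changes where in the bytes the value sits, which is why the GET/POST rules from the slides still apply to every request a proxy can rewrite.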
Fundamentals of AJAX, Web Services & SOA

The Long Wait of a Page Refresh
[Screenshot: MapQuest circa 2000]
Web 2.0 Style Web Application Providing a Rich User Experience
• JavaScript traps user events
• Sends HTTP request in background
• Application stays responsive
• Server returns requested data
• JavaScript processes data, dynamically changes page as needed
[Screenshots: Google Maps; MapQuest circa 2000]
Comparison
                               Web 1.0                          Web 2.0
New content retrieved with     Full page refresh                XmlHttpRequest
During content retrieval       Application in undefined state   Application fully usable
Page layout                    On server                        On client
Actions that change content    Hyperlink, Form submission       Any user event
Atomic unit for content        HyperText page, Some media       Data

WebServices & SOA
• HTTP for applications, not people
• Client sends HTTP/XML Request
• Server responds with HTTP/XML Response
• Allows for a “Service Oriented Architecture”
Service Oriented Architecture (SOA)
• Built by exposing functionality through Web Services
• Allows for loose coupling of systems to create complex systems
• Solves MANY compatibility issues
• Opens some security issues
[Diagram: a Web Site front-ending Inventory, Billing, CRM and Shipping services]

Fundamentals of web hacks
SQL Injection
SQL Injection is a technique for exploiting Web applications that use client-supplied data in SQL queries without stripping potentially harmful characters first
1. Surf the Web site
2. Find dynamic pages
3. Change parameters to locate SQL Error
4. Exploit SQL Injection

SQL Injection – Vulnerable Code
Vulnerable code (the cboLocation request parameter, taken from the URL, is concatenated straight into the SQL text):
    sSql = sSql + " where LocationID = " + Request["cboLocation"] + "";
    oCmd.CommandText = sSql;
Demo – SQL Injection

SQL Injection – Vulnerable Code
Debug View (the query text after the injected value has been concatenated in):
    ?? oCmd.CommandText
    "SELECT EventName, EndDate, [Description], [Location], ….. from Events where LocationID = convert(int,(select top 1 name from sysobjects))"

Demo – SQL Injection against AJAX and Web Services
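To make the vulnerable-code and debug-view slides concrete outside the demo, here is an added Python version of the same construction (it is not the presentation's ASP.NET code) run against a constructed in-memory SQLite `Events` table. The concatenating function mirrors the slide's `sSql + " where LocationID = " + Request["cboLocation"]`; the second function shows the fix a reviewer would ask for: check the expected type, then bind the value with a placeholder so the query's structure is fixed before any client data reaches it. Table contents and the "1 or 1=1" input are sample data for the example.

```python
# Added example (not the slides' ASP.NET code): the same string concatenation
# as the vulnerable snippet, rebuilt in Python against an in-memory SQLite
# Events table, next to the parameterized form.  The rows are constructed.
import sqlite3

SELECT = "SELECT EventName, EndDate, Description, Location FROM Events"


def make_db():
    """Constructed Events table: LocationID 1 is public, LocationID 2 is private."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Events (EventName TEXT, EndDate TEXT, Description TEXT,
                             Location TEXT, LocationID INTEGER);
        INSERT INTO Events VALUES ('Security Track', '2007-06-01', 'Public session', 'Hall A',  1);
        INSERT INTO Events VALUES ('Board Meeting',  '2007-06-02', 'Private',        'Room 12', 2);
        INSERT INTO Events VALUES ('Staff Review',   '2007-06-03', 'Private',        'Room 13', 2);
    """)
    return conn


def events_vulnerable(conn, cbo_location):
    """Mirror of the slide's C#: the request value becomes part of the SQL text,
    so whatever the client sends is parsed as SQL rather than used as a value."""
    sql = SELECT + " where LocationID = " + cbo_location + ""
    return [row[0] for row in conn.execute(sql)]


def events_parameterized(conn, cbo_location):
    """Hardened form: validate the expected type, then bind the value through a
    placeholder so the query structure cannot be changed by the input."""
    location_id = int(cbo_location)  # ValueError on anything that is not an integer
    return [row[0] for row in conn.execute(SELECT + " WHERE LocationID = ?", (location_id,))]


def compare(cbo_location):
    """Run both versions on the same input; returns (vulnerable_result, hardened_result)."""
    conn = make_db()
    vulnerable = events_vulnerable(conn, cbo_location)
    try:
        hardened = events_parameterized(conn, cbo_location)
    except ValueError:
        hardened = "rejected: LocationID must be an integer"
    return vulnerable, hardened


if __name__ == "__main__":
    print(compare("1"))         # both versions return only the public event
    print(compare("1 or 1=1"))  # concatenation drops the filter; the hardened form rejects the input
```

The "Change parameters to locate SQL Error" step on the slide works precisely because the concatenated version hands the parser whatever arrives; with the bound parameter there is no SQL error to find, only an application-level rejection of the malformed value.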
Hacking AJAX

Data Theft Through a Bridge
• Direct access hits limitations
• Exploit trust to steal more data
• Performance enhancements only help attacker

Exploiting WebServices & Bridges (SOA)
Attacking 3rd Parties Through Bridges
• AwesomeBooks detects the XSS or SQL Injection attacks
− AwesomeBooks: Why is BillysRareBooks SQL injecting me?
− Another layer to hide behind

Attacking 3rd Parties Through Bridges
• Auto-shunning IDS/IPS notices XSS or SQL Injection attacks
− IPS: This site is SQL injecting me! [Blocks IP]
− Wanted SQL injection, got DoS of aggregate site

Attacking 3rd Parties Through Bridges
• Maybe 3rd party doesn't notice at all
− Large site with lots of requests from affiliates
− Performs less analysis; attacks only work through bridge

Testing for security in Web 2.0
Similarities with traditional web sites
• Exploits are the same technique
− SQL Injection
− Cross Site Scripting
− Cross Site Request Forgery
− Authentication, Authorization, Forceful Browsing
• Must test (manipulate) request at a low (HTTP) level to see the “true” nature of the application
• GET / POST rules still apply
• At its core it’s an HTTP based application
− Very little has changed in the HTTP standard in 15 years
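The three "Attacking 3rd Parties Through Bridges" slides describe one mechanism from three angles: the third party only ever sees the bridge site as the source of a request, so a detected injection is attributed to the bridge, an auto-shunning IPS blocks the bridge's address, and every honest user of the bridge is then denied. The following Python model is an added illustration, not anything from the presentation; the site names follow the slides, while the regex "IPS", the 13-digit ISBN check and the IP addresses are hypothetical simplifications. It runs the same two requests through a bridge that forwards input blindly and through one that validates at its own edge.

```python
# Added example (not from the slides): a toy model of a "bridge", a site that
# front-ends a third party's web service with its own users' input.  The third
# party only sees the bridge as the source, and an auto-shunning IPS there
# turns one abusive user into an outage for everyone behind the bridge.
# The regex "IPS", the ISBN rule and the addresses are hypothetical.
import re

# Toy signature an auto-shunning IPS might use; real products are far richer.
INJECTION_HINT = re.compile(r"'|--|\b(?:or|union|select)\b", re.IGNORECASE)
ISBN_RE = re.compile(r"\d{13}")  # what the bridge should accept for an ISBN field


class ThirdParty:
    """The aggregated site (AwesomeBooks in the slides) with a naive IPS that
    blocks a source IP after its first injection-looking request."""

    def __init__(self):
        self.shunned = set()
        self.log = []

    def lookup(self, source_ip, isbn):
        if source_ip in self.shunned:
            return {"status": 403, "reason": "source shunned"}
        if INJECTION_HINT.search(isbn):
            self.shunned.add(source_ip)
            self.log.append(f"{source_ip}: SQL injection attempt, IP blocked")
            return {"status": 403, "reason": "blocked"}
        return {"status": 200, "isbn": isbn, "price": 12.5}


class Bridge:
    """The affiliate site (BillysRareBooks in the slides) relaying its users'
    queries.  With validate=False it forwards whatever the browser sent."""

    def __init__(self, own_ip, backend, validate):
        self.own_ip, self.backend, self.validate = own_ip, backend, validate
        self.log = []

    def price(self, client_ip, isbn):
        if self.validate and not ISBN_RE.fullmatch(isbn):
            # Reject at the edge and keep the real client identity in our own log;
            # the third party never learns it otherwise.
            self.log.append(f"rejected malformed ISBN from {client_ip}")
            return {"status": 400, "reason": "isbn must be 13 digits"}
        # The third party sees the bridge's address, never the end user's.
        return self.backend.lookup(self.own_ip, isbn)


def scenario(validate):
    """One abusive request followed by an ordinary user; returns both statuses
    plus what the third party logged."""
    backend = ThirdParty()
    bridge = Bridge("203.0.113.10", backend, validate)
    abusive = bridge.price("198.51.100.7", "9780000000000 or 1=1")  # constructed injection-looking input
    honest = bridge.price("198.51.100.8", "9780000000002")
    return abusive["status"], honest["status"], list(backend.log)


if __name__ == "__main__":
    # Without validation the bridge's IP is shunned and the honest user gets 403 too.
    print(scenario(validate=False))
    # With validation the bad input stops at the bridge and the third party sees nothing.
    print(scenario(validate=True))
```

The second scenario is the defensive reading of "Another layer to hide behind": if the bridge does not validate and attribute its users' input itself, the only record the third party can ever act on is the bridge's own address.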
Testing for security in Web 2.0
Differences with traditional web sites
• AJAX and Web Services are harder to manipulate
− SOAP, XML, JSON encoded data
− Must understand the XML/JSON and manipulate it
• Authentication is harder in Web Services
• Tools need to understand XML, SOAP, JSON
• Bridged attacks
− Web site may front end MANY other applications
− This allows for bridged attacks
− These are harder to understand and test
• AJAX is based on a “framework” you don’t control so it can change on you with little to no notice.

How HP is helping
[Diagram: lifecycle phases 1 Design (Sec Design), 2 Develop (Training, Code), 3 Quality (Security Testing), 4 Stage (Pen Test), 5 Operations (Monitor); products DevInspect, QAInspect, WebInspect; Assessment Management Platform (AMP) – effective, efficient, and repeatable]
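The WebServices & SOA slide ("Client sends HTTP/XML Request") and the "Differences" slide ("Must understand the XML/JSON and manipulate it", "Tools need to understand XML, SOAP, JSON") make the same point from the attacker's and the tester's side: the parameters are still there, just wrapped in another encoding. The Python below is an added example, not part of the presentation. It flattens a constructed JSON body and a constructed SOAP body to the same {parameter: value} view, rewrites one parameter and re-encodes, and then applies one format check to the result. The service namespace and the expected-format table are made up; only the SOAP 1.1 envelope namespace is the real one.

```python
# Added example (not from the slides): the parameter inspection a scanner or
# validation layer does for a classic form post, applied to a JSON body and a
# SOAP/XML body.  The bodies, the service namespace and the expected-format
# table are constructed; the SOAP 1.1 envelope namespace is the real one.
import json
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # real SOAP 1.1 namespace
SVC_NS = "http://example.test/events"                    # hypothetical service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("ev", SVC_NS)

JSON_BODY = '{"cboLocation": "3", "filter": {"view": "list", "maxRows": 20}}'
SOAP_BODY = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    f'<ev:GetEvents xmlns:ev="{SVC_NS}">'
    '<ev:cboLocation>3</ev:cboLocation><ev:view>list</ev:view>'
    '</ev:GetEvents></soap:Body></soap:Envelope>'
)

# What each parameter is allowed to look like (constructed for the example).
EXPECTED = {"cboLocation": r"\d+", "view": r"list|grid", "maxRows": r"\d{1,3}"}


def local_name(tag):
    """'{namespace}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def leaves(body, content_type):
    """Flatten a request body to {parameter path: value} so the same checks run
    whether the client sent JSON or SOAP."""
    if content_type == "application/json":
        out = {}

        def walk(node, path):
            if isinstance(node, dict):
                for key, value in node.items():
                    walk(value, path + [key])
            elif isinstance(node, list):
                for index, value in enumerate(node):
                    walk(value, path + [str(index)])
            else:
                out["/".join(path)] = node

        walk(json.loads(body), [])
        return out
    if content_type == "text/xml":
        root = ET.fromstring(body)
        return {local_name(el.tag): el.text for el in root.iter()
                if len(el) == 0 and el.text is not None}
    raise ValueError(f"unsupported Content-Type {content_type}")


def set_leaf(body, content_type, path, value):
    """Change one parameter and re-encode the body, which is what an HTTP
    editor that understands the encoding has to do."""
    if content_type == "application/json":
        data = json.loads(body)
        *parents, last = path.split("/")
        node = data
        for part in parents:
            node = node[int(part)] if isinstance(node, list) else node[part]
        node[last] = value
        return json.dumps(data)
    root = ET.fromstring(body)
    for el in root.iter():
        if local_name(el.tag) == path:
            el.text = value
    return ET.tostring(root, encoding="unicode")


def violations(params):
    """Parameters whose value does not match the expected format; the last path
    component is the parameter name."""
    bad = []
    for path, value in params.items():
        pattern = EXPECTED.get(path.rsplit("/", 1)[-1])
        if pattern and not re.fullmatch(pattern, str(value)):
            bad.append(path)
    return bad


if __name__ == "__main__":
    print(leaves(JSON_BODY, "application/json"))
    print(leaves(SOAP_BODY, "text/xml"))
    tampered = set_leaf(SOAP_BODY, "text/xml", "cboLocation", "3 or 1=1")
    print(violations(leaves(tampered, "text/xml")))
```

Once a body is reduced to `leaves()`, the LocationID check from the SQL injection slides is the same check whether the value arrived as `cboLocation=3` in a form, as a JSON field or as an `ev:cboLocation` element; the encoding decides only how much the tool has to understand before it can reach the value.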
Technology for better business outcomes