Ajax Applications : A Blueprint for Disaster

Bryan Sullivan, Security Program Manager

Microsoft

Originally developed with Billy Hoffman, Hewlett Packard

2

General Ajax Security Issues

• Increased attack surface• Direct API access• Easier to reverse-engineer• Amplifies web attacks• Offline attacks

…in theory…

Theory put to the test

• Ajax application built using “expert” advice

• Books• Blogs• Conferences

3

DEMONSTRATIONHacker Vacations

4

Lessons learned

1. You cannot control client-side code

2. Don’t store secrets in client-side code

3. Don’t let client-side code perform authentication/authorization functions

4. Don’t expose admin functionality

5. Remember web application security basics

6. Exercise caution when converting data to HTML on the client

5

PATTERNS AND ANTIPATTERNSAjax Security

6

Antipattern 1: Domino Effect

holdSeat

makeOffer

chargeAccount

bookSeat

7

Pattern 1: Polling Status Calls

8

PerformLongOp

GetStatus

Antipattern 2: Holding Critical State on Client

• Script variables• Flash/Silverlight variables• Offline storage mechanisms• Local Shared Objects ie “Flash cookies”• Silverlight Isolated Storage• Hidden form fields• Cookies

9

Pattern 2: Hold Critical State on Server

• Keep session state just like Web 1.0

10

Antipattern 3: Single-call Authorization

11

holdSeat

makeOffer

chargeAccount

Check authorization here

Pattern 3: Every-call Authorization

12

holdSeat

makeOffer

chargeAccount

Check authorization here

…and here

…and here

Antipattern 4: Exposing Admin Libraries

13

Pattern 4: Segregate Admin Libraries

14

Use with care: Client-side Data Binding

15

Conclusion

With great power comes great responsibility

16

More resources

17

My blog:http://blogs.msdn.com/sdl/

My alias:bryansul