a laugh a laugh ria riat
play

A Laugh A Laugh RIA RIAt Security in Rich Internet Applications - PowerPoint PPT Presentation

Jan 07, 2024 •155 likes •682 views

A Laugh A Laugh RIA RIAt Security in Rich Internet Applications Rafal M. Los Rafal M. Los HP ASC Sr. Security Solutions Expert HP ASC Sr. Security Solutions Expert 1 13 April 2009 2 13 April 2009 Now Hear This Now Hear This Hacking is

  1. A Laugh A Laugh RIA RIAt Security in Rich Internet Applications Rafal M. Los Rafal M. Los HP ASC Sr. Security Solutions Expert HP ASC Sr. Security Solutions Expert 1 13 April 2009

  2. 2 13 April 2009

  3. Now Hear This Now Hear This Hacking is Hacking is illegal illegal You should only try this at home on your own code I encourage you to think 3 13 April 2009

  4. Now Hear This Now Hear This BUT… BUT… • Rich Internet Apps are taking over • Pendulum is too far to functionality • Security is more important now than ever • Developers are writing terrible code • … and the bad guys are making money off your flaws 4 13 April 2009

  5. Define: R.I.A. Define: R.I.A. Ask Wikipedia… Rich Internet applications (RIAs) are web web applications applications that have some of the that have some of the characteristics of characteristics of desktop applications desktop applications , typically delivered by way of a proprietary web browser plug-ins or independently via sandboxes or virtual machines 5 13 April 2009

  6. 6 13 April 2009

  7. Browser Overcrowding Browser Overcrowding • The browser’s main purpose was to render HTML… and scripting languages… • RIA via plug-ins… − enhance user experience − push additional functionality to the browser − …migrate server function to desktop • RIA is a straight-on disaster! 7 13 April 2009

  8. Why the Browser? Why the Browser? Moving server-side functionality to the client is causing… challenges for security • Exposed APIs (a la AJAX) • Client-side logic • Visual technologies add scripting • Client is defenseless • Client can be 100% manipulated Does this mean RIA is 100% bad? • YOU decide… 8 13 April 2009

  9. Fish in a Barrel Fish in a Barrel AJAX FLASH simple simple to analyze informative informative transparent’ish transparent’ish 9 13 April 2009

  10. First a Word on RIA First a Word on RIA • Rich Internet Applications do not do not − Produce a new class of vulnerabilities − Make it impossible to secure the code • Rich Internet Applications do do − Create a massive new attack surface − Potentially make small coding mistakes epic − Move server-side (hidden) function to the client (exposed) 10 13 April 2009

  11. Target: AJAX Target: AJAX Wikipedia definition: AJAX (Asynchronous Asynchronous JavaScript JavaScript and and XML XML), is a group of interrelated web development techniques… With Ajax, web web applications applications can retrieve data from can retrieve data from the the server server asynchronously asynchronously in the background in the background without interfering with the display and behavior of the existing page 11 13 April 2009

  12. AJAX at 50,000ft AJAX at 50,000ft • Application Logic moved out to the client • Allows for a rich user experience rich user experience − No full-frame browser refreshes • Only pieces of the “page” have to refresh − Asynchronous fetch • No need to send… wait… render anymore! − User-independence • Data fetched as needed by the framework − Goes way beyond boring HTML • Highly interactive applications 12 13 April 2009

  13. Target: AJAX Target: AJAX HIDDEN Component User Sends a Request Wed User’s Browser Application Server Replies with Data HIDDEN Component 13 13 April 2009

  14. Target: AJAX Target: AJAX Exposed Service Web User’s Browser Application Exposed Service 14 13 April 2009

  15. AJAX is really neat… LET’S USE THIS TO OUR LET’S USE THIS TO OUR ADVANTAGE! ADVANTAGE! 15 13 April 2009

  16. Target: AJAX Target: AJAX XMLHttpRequest XMLHttpRequest Object Object • Part of the DOM API • Implemented differently in each browser • Interact directly with web server • No need for user interaction • Modify the active document without reloading the entire page 16 13 April 2009

  17. Target: AJAX Target: AJAX Example: MapQuest.com Example: MapQuest.com • Scrolling through the map… • Browser makes requests for you − http://www.mapquest.com/dwr/call/plaincall/ HomeFormService .ge tWeatherSummary.dwr − http://www.mapquest.com/dwr/call/plaincall/ AdServiceProxy .mak eAdCall.dwr • Browser auto-fetches requests without your input 17 13 April 2009

  18. Target: AJAX Target: AJAX Let’s dissect what’s going on… − http://www.mapquest.com/dwr/call/plaincall/ HomeFormService .getWea therSummary.dwr − http://www.mapquest.com/dwr/call/plaincall/ AdServiceProxy .makeAdC all.dwr − http://www.mapquest.com/dwr/call/plaincall/ AuthService .autoLogin. dwr • At least 3 exposed services − HomeFormService − AdServiceProxy − AuthService • Exposed functions − HomeFormService  getWeatherSummary − AdServiceProxy  makeAdCall − AuthService  autoLogin 18 13 April 2009

  19. Target: AJAX Target: AJAX http://www.mapquest.com/dwr/call/plaincall/ H omeFormService .getWeatherSummary getWeatherSummary.dwr POST data callCount=1 page=/ httpSessionId= scriptSessionId=sessionId639 c0- scriptName=HomeFormService c0-methodName=getWeatherSummary c0-id=0 c0- e1=number:42.103298 c0-e2=number:-88.372803 c0-e3=null:null c0-e4=null:null c0- e5=string:Gilberts c0-e6=string:IL c0-e7=null:null c0-e8=string:US c0-e9=string:CITY c0-param0=Object_Object:{latitude:reference:c0-e1, longitude:reference:c0-e2, id:reference:c0-e3, addressLine1 :reference:c0-e4, city:reference:c0-e5, state:reference:c0-e6, postalCode:reference:c0-e7, country:reference :c0-e8, geocodeQuality:reference:c0-e9} batchId=0 Response set //#DWR-INSERT //#DWR-REPLY var s0={};s0.dewPoint=null;s0.dewPointUnits=null;s0.forecasts=null;s0.humidity=null;s0.hu midityUnits =null;s0.icon="http://deskwx.weatherbug.com/images/Forecast/icons/cond002.gif";s0.nam e=null;s0.shortTitle ="Partly Cloudy";s0.station=null;s0.temperature=47.0;s0.temperatureUnits="F";s0.windDirection= null;s0 .windSpeed=null;s0.windSpeedUnits=null;s0.zip="60102"; dwr.engine._remoteHandleCallback('0','0',{data:s0,detailCode:null,errors:null,statusC ode:"SUCCESS"}) ; 19 13 April 2009

  20. Target: AJAX Target: AJAX • How would you approach the previous example? − Enumerate as many services as possible − Identify as many methods as possible − Push various data sets to gleam results • Let’s do a practical example! − FireFox − Firebug − Favorite intercepting proxy − RAW http editor 20 13 April 2009

  21. Example: MapQuest Example: MapQuest • Let’s search for cheap gas! Our proxy captures this interesting request… Our proxy captures this interesting request… http://gasprices.mapquest.com:80/searchresults.jsp?se arch=true&latitude=&longitude=&gasPriceType=3%2C4%2 C5&address=5260+morningview+drive&city=hoffman+esta tes&stateProvince=IL&postalCode=99999&radius=0&bran d=&sortOrder=2 • Let’s analyze that a little further… can we manipulate it somehow? 21 13 April 2009

  22. Example: MapQuest Example: MapQuest RAW Request GET • /searchresults.jsp?search=true&latitude=&longitude=&gasPriceType=3%2C4%2C5&address=52 60+morningview+drive&city=hoffman+estates&stateProvince=IL& postalCode=99999 &radius=0& brand=&sortOrder=2 HTTP/1.1 Host: gasprices.mapquest.com • User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) • Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 • Accept-Language: en-us,en;q=0.5 • Accept-Encoding: gzip,deflate • Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 • Keep-Alive: 300 • Referer: http://gasprices.mapquest.com/ • Cookie: locationhistory="{42109700 -88366667 ADDRESS {182 Charleston Ln} Gilberts IL • 60136-8027 {} US {} {} 6} {41886820 -87627118 ADDRESS {35 E Wacker Dr} Chicago IL 60601-2314 {} US {} {} 6} {42103298 -88372803 CITY {} Gilberts IL {} {} US {} {} 6} {41682800 -88351402 CITY {} Oswego IL {} {} US {} {} 6}"; s_cc=true; s_sq=aolwpmq%2Caolsvc%3D%2526pid%253Dgasprices%252520%25253A%252520gasprices%252520%2 5253A%252520gaspricesweb.home%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event% 252529%25257B%252520%252520document.getElementById%252528%252522search%252522%252529. value%25253Dtrue%25253B%25257D%2526oidt%253D2%2526ot%253DIMAGE; tsession=PlhFWXOcn1KzUH/X8nB+O8ZJ1bY= 22 13 April 2009

  23. Example: MapQuest Example: MapQuest • Simple script injection! • Original: http://gasprices.mapquest.com/searchresults.jsp?sea rch=true&latitude=&longitude=&gasPriceType=3,4,5&ad dress=5260+morningview+drive&city=hoffman+estates&s tateProvince=IL& postalCode=60192 postalCode=60192 &radius=0&brand=&so rtOrder=2 • Manipulated: http://gasprices.mapquest.com/searchresults.jsp?sea rch=true&latitude=&longitude=&gasPriceType=3,4,5&ad dress=5260+morningview+drive&city=hoffman+estates&s tateProvince=IL& postalCode= postalCode="><frame "><frame src=http://google.com></iframe><script>alert(docume src=http://google.com></iframe><script>alert(docume nt.cookie)</script> nt.cookie)</script> &radius=0&brand=&sortOrder=2#939 36520642628051000 23 13 April 2009

  24. Example: MapQuest Example: MapQuest 24 13 April 2009

  25. Thoughts: AJAX Thoughts: AJAX AJAX is everywhere… learn to spot it 25 13 April 2009

Recommend

SUCCESS To laugh often and much. To win the respect of intelligent people and the affection of

SUCCESS To laugh often and much. To win the respect of intelligent people and the affection of

SUCCESS To laugh often and much. To win the respect of intelligent people and the affection of children. To earn the appreciation of honest critics and endure the betrayal of false friends. To appreciate beauty; To find the best in others.

342 views • 11 slides
T EAT PLAY LIVE WORK LAUGH LOVE THRIVE OCTOBER 9, 2017 THE VISION The Alhambra A TRULY

T EAT PLAY LIVE WORK LAUGH LOVE THRIVE OCTOBER 9, 2017 THE VISION The Alhambra A TRULY

L L A I V G E E S H A T T EAT PLAY LIVE WORK LAUGH LOVE THRIVE OCTOBER 9, 2017 THE VISION The Alhambra A TRULY URBAN COMMUNITY Building upon the framework of the original C.F.Braun campus, a new urban community has emerged.

509 views • 14 slides
(Name ailment, distribute items and discuss how it causes a senior to struggle. As ailments

(Name ailment, distribute items and discuss how it causes a senior to struggle. As ailments

EMPATHY FOR ELDERS 1. WELCOME AND INTRODUCTION Purpose of the class 1. Give insight 2. Experience growing old 3. Learn to love and laugh with seniors 2. GAINING INDEPENDENCE A. It is human nature from the time we are born to strive for

425 views • 7 slides
Welcome to the January meeting 13 th January Malcolm Wells, MBE So Far, So Good 10 th February

Welcome to the January meeting 13 th January Malcolm Wells, MBE So Far, So Good 10 th February

Welcome to the January meeting 13 th January Malcolm Wells, MBE So Far, So Good 10 th February Peter Allen To Journeys End The Surprising Life of RC Sherriff U3A ETHOS Learn Laugh Live Self help education movement Run

391 views • 22 slides
Harroell 1 Recreation Ground 2 Whats important when you play? To be ,,.. BE SAFE BE

Harroell 1 Recreation Ground 2 Whats important when you play? To be ,,.. BE SAFE BE

Hang out Laugh Run Jump How do you want to have fun How do you want to have fun in Long Crendon in Long Crendon? ? Harroell 1 Recreation Ground 2 Whats

519 views • 30 slides
Tracking Across Generations From Journals to Lifelogging Glasses I generated about 40-60GB of

Tracking Across Generations From Journals to Lifelogging Glasses I generated about 40-60GB of

Tracking Across Generations From Journals to Lifelogging Glasses I generated about 40-60GB of video a day for 4 months. 720p What did I learn? That my laugh is really embarrassing The benefits of doing this does NOT YET outweigh the

330 views • 9 slides
TESTED BY FIRE [A STUDY THROUGH 1 PETER] SERMON NOTES NOVEMBER 24, 2013 1. Why does Peter

TESTED BY FIRE [A STUDY THROUGH 1 PETER] SERMON NOTES NOVEMBER 24, 2013 1. Why does Peter

SERMON NOTES NOVEMBER 24, 2013 The Freedom to Forget The Freedom to Forget 1 Peter 5:5-7 Pastor John Sloan Intr troduc oducti tion: on: Proud people dont laugh a lot. They have far too many things about which to concern themselves.

370 views • 3 slides
The importance of laughter Aino Vonge Corry Ph.D Metadeveloper @apaipi Anden information Why

The importance of laughter Aino Vonge Corry Ph.D Metadeveloper @apaipi Anden information Why

The importance of laughter Aino Vonge Corry Ph.D Metadeveloper @apaipi Anden information Why should you listen? You want to be funny You are interested in why people laugh and at what You want to hear the funniest joke in the world

1.01k views • 51 slides
NCHIMA 66 th Annual Meeting Integrating Leadership into Curriculum Sheryl Spohn, RHIA, CHC

NCHIMA 66 th Annual Meeting Integrating Leadership into Curriculum Sheryl Spohn, RHIA, CHC

NCHIMA 66 th Annual Meeting Integrating Leadership into Curriculum Sheryl Spohn, RHIA, CHC Transition Advisory Group and Evon Green, CCSP AMS Consulting Services Agenda Why are we here? Take a minute to laugh Take a minute

395 views • 37 slides
Avoiding Slips, Trips and Falls Vennsys H&amp;S Campaign June 2012 Heard the one about the

Avoiding Slips, Trips and Falls Vennsys H&amp;S Campaign June 2012 Heard the one about the

Watch your step Avoiding Slips, Trips and Falls Vennsys H&amp;S Campaign June 2012 Heard the one about the bloke who stepped on a banana skin? Slips and trips accidents are often used in cartoons and films to raise a laugh; ask a

547 views • 23 slides
Welcome to Back-to-School Night Third Grade - Miss Gallagher Room 213 tgallagher@wssd.org

Welcome to Back-to-School Night Third Grade - Miss Gallagher Room 213 tgallagher@wssd.org

Welcome to Back-to-School Night Third Grade - Miss Gallagher Room 213 tgallagher@wssd.org 610-892-3470 ext. 4913 Miss Gallagher You are what you READ. My beliefs about teaching Be Honest Laugh Often Work Hard without

404 views • 18 slides
Monitoring, modelling and managing land use change on a large scale Hermann Lotze-Campen Potsdam

Monitoring, modelling and managing land use change on a large scale Hermann Lotze-Campen Potsdam

Monitoring, modelling and managing land use change on a large scale Hermann Lotze-Campen Potsdam Institute for Climate Impact Research (PIK) ALTER-Net Summer School, Peyresq, 07 Sep 2008 What makes God laugh? Tell him about your future

353 views • 21 slides
Ages and Stages Dr. Kari Leikert 1 I Saw a Child John Anthony Davis I saw a child who could

Ages and Stages Dr. Kari Leikert 1 I Saw a Child John Anthony Davis I saw a child who could

5/16/19 Ages and Stages Dr. Kari Leikert 1 I Saw a Child John Anthony Davis I saw a child who could not walk Sit on a horse, laugh and talk. Then ride it through a field of daisies And yet he could not walk unaided. I saw a child, no legs

596 views • 14 slides
Special dates in January Cervical Cancer Prevention World Leprosy Day World Braille

Special dates in January Cervical Cancer Prevention World Leprosy Day World Braille

Special dates in January Cervical Cancer Prevention World Leprosy Day World Braille Day Global Family Day Cancer Talk Week Belly Laugh Day Blue Monday Tell us what you think Are you are a carer? Keep in

486 views • 20 slides
Towards bottom-up SHERPA and RIAT+ in Slovenia Slovenian Environment Agency Marko Rus, Rahela

Towards bottom-up SHERPA and RIAT+ in Slovenia Slovenian Environment Agency Marko Rus, Rahela

Towards bottom-up SHERPA and RIAT+ in Slovenia Slovenian Environment Agency Marko Rus, Rahela abkar, Don Cigleneki, Luka Matav and Damijan Bec LIFE-IP PREPAIR - Po Regions Engaged to Policies of Air Action C3: Establishment of a system

516 views • 17 slides
Security warnings Cristian Bravo-Lillo C MU U sable P rivacy and S ecurity Laboratory

Security warnings Cristian Bravo-Lillo C MU U sable P rivacy and S ecurity Laboratory

Security warnings Cristian Bravo-Lillo C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ Sources : http://www.homebizseo.com 2 2 http://purpleslinky.com/humor/travel/nine-funny-warnings-signs-to-make-you-laugh/ C MU U

877 views • 34 slides
EDUC EDUCATION TION 1 Media in Context: Representation and Reception Theory in action Black

EDUC EDUCATION TION 1 Media in Context: Representation and Reception Theory in action Black

EDUC EDUCATION TION 1 Media in Context: Representation and Reception Theory in action Black Representation on British Television: The 1990s Comedy and the Changing Landscape 2 Make em laugh! What makes something funny? 3 Make

451 views • 14 slides
FY2016 BUDGET HEARINGS 0 APP O RIAT 0 UNLVERSLTY OF ;ou TH DAKOTA COMMI E Student Success

FY2016 BUDGET HEARINGS 0 APP O RIAT 0 UNLVERSLTY OF ;ou TH DAKOTA COMMI E Student Success

FY2016 BUDGET HEARINGS 0 APP O RIAT 0 UNLVERSLTY OF ;ou TH DAKOTA COMMI E Student Success Fa ll 2014 enrol lment 10,061. , Both USD men 's and women's t ra ck teams were Top 10 in the nati on academically. irst-time, full time 1, 14 7;

373 views • 5 slides
Delirium Delirium KIE L ADAM MORRIS, DO BROADL AWNS GE RIAT RICS Custo mary F inanc ial

Delirium Delirium KIE L ADAM MORRIS, DO BROADL AWNS GE RIAT RICS Custo mary F inanc ial

Clinical Identification of Delirium Delirium KIE L ADAM MORRIS, DO BROADL AWNS GE RIAT RICS Custo mary F inanc ial Disc lo sure S lide I dont have any c onflic ts of inter est to disc lose whatsoever , inc luding (but

598 views • 18 slides
Director Research &amp; Advocacy , Centre for Health and Social Justice, Delhi, India Gl Global

Director Research &amp; Advocacy , Centre for Health and Social Justice, Delhi, India Gl Global

Webinar for GPSA partners facilitated by COPASAH E. Premdas Pinto Director Research &amp; Advocacy , Centre for Health and Social Justice, Delhi, India Gl Global Secretari riat at COPAS PASAH AH COPASAH 11/19/2014 1 WHAT is

405 views • 18 slides

More recommend