Security Testing Tutorial
AJAX Security
Asynchronous JavaScript and XML (AJAX) is one of the latest techniques used to develop web applications in order to give a rich user experience. Since it is a new technology, many of its security issues are yet to be fully established; below are a few of the security issues in AJAX.
- The attack surface is larger, as there are more inputs to be secured.
- It also exposes the internal functions of the application.
- Failure to protect authentication information and sessions.
- There is a very thin line between client side and server side, hence there are many possibilities of committing security mistakes.
Example
Here is an example for AJAX Security −
In 2006, a worm infected yahoo mail service using XSS and AJAX that took advantage of a vulnerability in Yahoo Mail’s onload event handling. When an infected email was opened, the worm executed its JavaScript, sending a copy to all the Yahoo contacts of the infected user.
Hands ON
Step 1 − We need to try to add more rewards to our allowed set of rewards using XML injection. Below is the snapshot of the scenario.
Step 2 − Make sure that we intercept both request and response using Burp Suite. The settings for this are shown below.
Step 3 − Enter the account number as given in the scenario. We will be able to get a list of all rewards that we are eligible for. We are eligible for 3 rewards out of 5.
Step 4 − Now let us click 'Submit' and see what we get in the response XML. As shown below, the three rewards that we are eligible for are passed to us as XML.
Step 5 − Now let us edit that XML and add the other two rewards as well.
Step 6 − Now all the rewards are displayed to the user for selection. Select the ones that we added and click 'Submit'.
Step 7 − The following message appears saying, "* Congratulations. You have successfully completed this lesson."
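The lesson above succeeds because the server accepts whatever reward IDs come back from the client, including the two that were added to the intercepted XML. The following Node.js code is an added example, not part of the tutorial or of the lesson's own application: it shows the server-side check that would defeat this, recomputing eligibility from the server's own records and rejecting any submitted reward outside that set. The reward IDs, the account number and the eligibility table are constructed sample data, and the submitted IDs are assumed to have already been extracted from the request by a framework XML parser.

```javascript
// Added example (not from the tutorial): server-side enforcement for the
// rewards scenario. The client can edit the XML it received and submit
// reward IDs it is not entitled to, so the server must never treat the
// client's list as authoritative.

// Constructed sample data: five rewards exist in total and the sample
// account qualifies for three of them. Account numbers are placeholders.
const ALL_REWARDS = ["R1", "R2", "R3", "R4", "R5"];
const ELIGIBILITY = {
  "1000-0001": ["R1", "R2", "R3"],
};

// Authoritative lookup: what the server knows about this account.
function eligibleRewards(accountNumber) {
  return ELIGIBILITY[accountNumber] || [];
}

// Validate a submitted selection against the server-side eligibility set.
// `submitted` is the list of reward IDs parsed out of the request.
// Returns which IDs are accepted and which are rejected (unknown or not
// eligible); `ok` is true only when nothing had to be rejected.
function validateSelection(accountNumber, submitted) {
  const eligible = new Set(eligibleRewards(accountNumber));
  const accepted = [];
  const rejected = [];
  for (const id of submitted) {
    if (ALL_REWARDS.includes(id) && eligible.has(id)) {
      accepted.push(id);
    } else {
      rejected.push(id);
    }
  }
  return { ok: rejected.length === 0, accepted, rejected };
}

// Stand-alone demonstration: the honest selection passes, the edited one
// (with R4 and R5 added to the XML) is rejected with the extra IDs listed.
console.log(validateSelection("1000-0001", ["R1", "R3"]));
console.log(validateSelection("1000-0001", ["R1", "R2", "R3", "R4", "R5"]));
```

A request whose selection comes back with `ok: false` should be refused outright rather than silently trimmed to the accepted subset, since an edited submission is a signal worth logging.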
Preventive Mechanisms
Client side −
- Use .innerText instead of .innerHTML.
- Do not use eval.
- Do not rely on client logic for security.
- Avoid writing serialization code.
- Avoid building XML dynamically.
- Never transmit secrets to the client.
- Do not perform encryption in client-side code.
- Do not perform security-impacting logic on the client side.
Server side −
- Use CSRF protection.
- Avoid writing serialization code.
- Services can be called by users directly.
- Avoid building XML by hand; use the framework.
- Avoid building JSON by hand; use an existing framework.