Scrubbing Your AJAX
What is Cross Site Scripting
Cross Site Scripting (XSS) is an attack in which script chosen by the attacker is injected into a page through untrusted input (query string parameters, form fields, stored data) and then runs in the browsers of unsuspecting victims, with the privileges of the vulnerable site's origin. Three kinds:
  • Reflected: the script arrives in the request (typically a URL) and is echoed straight back into the response.
  • Stored: the script is saved on the server (a comment, a profile field) and served to every visitor of the affected page.
  • Local (today usually called DOM-based): the script never reaches the server; client-side JavaScript reads it from the URL or the DOM and writes it into the page itself.
Reflected XSS
  1. Hacker persuades the victim to click on a URL (in an e-mail, a forum post, a link on another site) whose query string carries the script.
  2. Victim clicks the link; the vulnerable site echoes the query string into the page without encoding it.
  3. The script embedded in the URL runs in the victim's browser, in the site's origin, and steals sensitive information (session cookies, form contents).
(Diagram: Hacker sends the link to the Victim; the Victim's browser fetches the page from the vulnerable site and runs the script.)
Reflected XSS example: the search page writes the keyword parameter into the response unencoded.

Request:
http://myserver/search.aspx?keyword=<SCRIPT>alert("Running!")</SCRIPT>

Response. The keyword is written once into the page body as-is and once into the text box's value attribute with only the quotes escaped. The body copy executes as soon as the page loads; the attribute copy stays inside its quotes here, but only because the quotes happened to be escaped, not because the parameter was encoded for its context.

<HTML>
<HEAD>
<TITLE>Search Example</TITLE>
<META http-equiv="content-type" content="text/html; charset=utf-8">
</HEAD>
<BODY>
<H1>Search Results</H1> for <SCRIPT>alert("Running!")</SCRIPT>
<BR><BR>
<h2>Sorry, no results were found.</h2>
<BR>
<FORM name=search>
<INPUT type=text name="keyword" value="<SCRIPT>alert(&quot;Running!&quot;)</SCRIPT>">
<INPUT type=submit value="Go">
</FORM>
</BODY>
</HTML>
Input Validation
  • Client side?? Client-side (JavaScript) validation helps usability only. The attacker controls the client and can send any request directly, so it is not a security control.
  • Request Validation attribute: ASP.NET's ValidateRequest (on by default) rejects requests that contain markup-like input, such as a "<" followed by a letter. It is a coarse, blacklist-style safety net: it only inspects the incoming request, not data that reaches the page by other paths (database, web service), and it can be switched off per page. Do not rely on it alone.
Output Encoding
This is the real fix: encode untrusted data at the point where it is written into the page, for the context it is written into (HTML body, attribute, script, URL).
  • HttpUtility.HtmlEncode: blacklisting. It replaces a fixed short list of characters (&, <, >, " and, in later versions, ') and passes everything else through, so any character outside the list is trusted by omission.
  • Microsoft Anti-Cross Site Scripting Library (AntiXSS): whitelisting. It encodes every character except a known-safe set (letters, digits, a few punctuation marks) and provides context-specific encoders (HtmlEncode, HtmlAttributeEncode, JavaScriptEncode, UrlEncode), so an attacker cannot win by finding a dangerous character the author forgot.
Stored XSS
  1. Hacker injects script into the datastore through a form the site saves and later redisplays (a registration profile, a comment).
  2. When a victim visits the page that shows the stored record, the script is served by the site itself and runs in the victim's browser. No link has to be clicked, and every visitor to that page is hit.
(Diagram: Hacker submits the record to the site's datastore; the site serves it to the Victim.)

Example form whose fields are stored and displayed back:
  First Name:
  Last Name:
  Comments:   <script> Anything</script>
Mitigations for stored XSS
  • The same input validation and output encoding as for reflected XSS (slide 5) apply. Two things change:
      - Client-side checks and request validation only see the form submission. Once the record is in the datastore, every page that displays it is a sink, including pages written later by someone who assumes the data is clean. Encode at every output point.
      - The payload can arrive through paths other than your form (bulk imports, other applications sharing the database, a web service), so validation on the way in is defence in depth, never the only control.
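An added example, not code from the deck or from Microsoft's libraries, showing the blacklist-versus-whitelist distinction of slide 5 on the reflected search page of slide 4 and on the stored comments of slides 6 to 8. Both encoders are this example's own implementations: encodeBlacklist models the classic four-character HtmlEncode behaviour, encodeWhitelist models the AntiXSS approach with a deliberately narrow safe set (letters, digits, space). The page templates, the sample inputs and the looksInjected check are constructed for the example; all function names are mine.

```javascript
// Added example: HTML output encoding, blacklist style vs whitelist style.
// Plain Node.js, no dependencies, no DOM.

// Blacklist style: replace only a fixed list of known-dangerous characters.
// Everything not on the list, including the single quote, passes through.
function encodeBlacklist(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Whitelist style: leave only [A-Za-z0-9 ] alone and numerically encode every
// other code point. New attack characters are harmless by default.
function encodeWhitelist(s) {
  let out = '';
  for (const ch of String(s)) {
    out += /^[A-Za-z0-9 ]$/.test(ch) ? ch : `&#${ch.codePointAt(0)};`;
  }
  return out;
}

// The deck's search page, rendering the keyword through an encoder. The text
// box uses single-quoted attributes on purpose: that is the context in which
// the four-character blacklist falls short.
function renderSearchPage(keyword, encode) {
  const k = encode(keyword);
  return [
    '<html><body><h1>Search Results</h1> for ' + k,
    "<form name='search'><input type='text' name='keyword' value='" + k + "'>",
    "<input type='submit' value='Go'></form></body></html>",
  ].join('\n');
}

// A stored-XSS sink: comments saved earlier are rendered for every visitor,
// so the encoding has to happen here, at output, regardless of how they got in.
function renderComments(comments, encode) {
  return '<ul>' + comments.map(c => `<li>${encode(c.name)}: ${encode(c.text)}</li>`).join('') + '</ul>';
}

// Constructed sample inputs: the deck's payload and an attribute break-out variant.
const PAYLOAD_BODY = '<SCRIPT>alert("Running!")</SCRIPT>';
const PAYLOAD_ATTR = "' onmouseover='alert(1)";
const STORED = [
  { name: 'alice', text: 'hello' },
  { name: 'mallory', text: '<script> Anything</script>' },
];

// Crude oracle for the demo: is there still a live script tag or a new event
// handler attribute in the rendered HTML?
function looksInjected(html) {
  return /<script/i.test(html) || /\s+onmouseover=/i.test(html);
}

// Each entry answers "did the payload survive?" for one encoder/context pair.
function demo() {
  const identity = s => s;
  return {
    rawBody: looksInjected(renderSearchPage(PAYLOAD_BODY, identity)),            // true: vulnerable
    blacklistBody: looksInjected(renderSearchPage(PAYLOAD_BODY, encodeBlacklist)), // false
    blacklistAttr: looksInjected(renderSearchPage(PAYLOAD_ATTR, encodeBlacklist)), // true: ' survives
    whitelistAttr: looksInjected(renderSearchPage(PAYLOAD_ATTR, encodeWhitelist)), // false
    storedBlacklist: looksInjected(renderComments(STORED, encodeBlacklist)),      // false
  };
}

module.exports = { encodeBlacklist, encodeWhitelist, renderSearchPage, renderComments, demo };
```

The blacklist encoder is enough for the body context and for double-quoted attributes, which is why it looks safe in most tests; the single-quoted attribute shows the failure mode of trusting by omission. In real code, use a double-quoted attribute and a context-specific attribute encoder rather than relying on any one character list.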
Stored XSS, after mitigation
(Diagram: the Hacker injects script into the datastore as before, but with output encoding in place it is rendered as harmless text; the X marks where it stops before reaching the Victim.)
Local (DOM-based) XSS example: the page reads the name parameter out of document.URL on the client and writes it straight into the document.

<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
// vulnerable: everything after "name=" in the URL is written into the page as markup
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>
<BR>
Welcome to our system
…
</HTML>

http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>

Because the payload sits after the "#", the browser never sends it to the server: server-side validation, request validation and server logs never see it, and server-side output encoding cannot help. The fix has to live in the JavaScript.
Javascript Hardening
  • Analyze DOM modifications: audit every place where your script writes attacker-influenced data into the page
      - document (document.write, document.URL, document.location, document.referrer, innerHTML)
      - window (window.location, window.name)
      - eval() (don't use: it turns data into code)
  • Regular expressions: validate what you read from the URL or the DOM against a whitelist pattern before using it, and prefer APIs that treat data as text (textContent, createTextNode) over ones that parse it as markup
  • Remember
      - the hacker can see your JavaScript, so obscurity buys nothing; client-side checks must be correct, not hidden
      - use a JSON parser instead of eval() to turn server responses into objects (www.json.org)
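An added example, not from the deck, that applies the hardening points above to the welcome.html page of slide 10: parse the URL instead of doing indexOf arithmetic, validate the value against a whitelist regular expression, write it with textContent rather than document.write, and parse a server response with JSON.parse instead of eval(). It runs under Node.js without a DOM; renderGreeting accepts any object with a textContent property. The name pattern, the sample URLs and the hostile response body are constructed for the example, and the function names are mine.

```javascript
// Added example: hardening the DOM-based XSS page and replacing eval() with a JSON parser.

// Source: pull "name" out of the URL the way the vulnerable page did (document.URL
// includes the fragment), but with the URL parser instead of substring arithmetic.
function extractName(urlString) {
  const url = new URL(urlString);
  const fromFragment = new URLSearchParams(url.hash.replace(/^#/, '')).get('name');
  const fromQuery = url.searchParams.get('name');
  return fromFragment !== null ? fromFragment : fromQuery;
}

// Validation: a whitelist regex for what a name may look like (letters, marks,
// space, apostrophe, hyphen, at most 40 characters). Anything else is rejected,
// not "cleaned", so the attacker cannot probe for a character the filter missed.
const NAME_RE = /^[\p{L}][-\p{L}\p{M} ']{0,39}$/u;
function validateName(name) {
  return typeof name === 'string' && NAME_RE.test(name) ? name : null;
}

// Sink: write the name as text, never as markup. textContent does not parse its
// argument, so even a value that slipped past validation cannot become a script.
function renderGreeting(target, urlString) {
  const name = validateName(extractName(urlString));
  target.textContent = name === null ? 'Hi, guest' : `Hi, ${name}`;
  return target.textContent;
}

// The old way, kept only for contrast: eval() executes the response as code,
// so a hostile body runs with the page's privileges.
function evalResponse(body) {
  globalThis.pwned = false;
  const value = eval('(' + body + ')'); // eslint-disable-line no-eval
  return { value, sideEffect: globalThis.pwned };
}

// The deck's recommendation: a JSON parser only accepts data and throws on anything else.
function parseResponse(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed inputs.
const ATTACK_URL = 'http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>';
const GOOD_URL = 'http://www.vulnerable.site/welcome.html#name=Amit%20Klein';
// A "JSON" body that is really code: eval() runs the function, JSON.parse rejects it.
const HOSTILE_BODY = '{"user": (function(){ globalThis.pwned = true; return "x"; })()}';
const GOOD_BODY = '{"user":"alice","roles":["reader"]}';

function demo() {
  const el = { textContent: '' }; // stand-in for a DOM element
  return {
    attackGreeting: renderGreeting(el, ATTACK_URL),  // 'Hi, guest'
    goodGreeting: renderGreeting(el, GOOD_URL),      // 'Hi, Amit Klein'
    hostileEval: evalResponse(HOSTILE_BODY).sideEffect, // true: code ran
    hostileParsed: parseResponse(HOSTILE_BODY).ok,   // false: rejected
    goodUser: parseResponse(GOOD_BODY).value.user,   // 'alice'
  };
}

module.exports = { extractName, validateName, renderGreeting, evalResponse, parseResponse, demo };
```

Two layers do the work here: validation rejects the payload early, and the text-only sink means that a gap in the regex still does not give the attacker markup. In a browser the same renderGreeting call would take a real element, for example document.getElementById('greeting').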
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.