Difference between revisions of "OWASP AJAX Security Guidelines"

From OWASP
Jump to: navigation, search
(Canonicalize data (read: encode before use))
m (separate generic and asp server side notes)
 
(24 intermediate revisions by 7 users not shown)
Line 15: Line 15:
 
=== Canonicalize data to consumer (read: encode before use) ===
 
=== Canonicalize data to consumer (read: encode before use) ===
  
When using data to build HTML, script, CSS, XML, JSON, etc. make sure you take into account how that data must be presented in a literal sense to keep it's logical meaning.  Data should be properly encoded before used in this manor to prevent injection style issues, and to make sure the logical meaning is preserved.
+
When using data to build HTML, script, CSS, XML, JSON, etc. make sure you take into account how that data must be presented in a literal sense to keep it's logical meaning.  Data should be properly encoded before used in this manner to prevent injection style issues, and to make sure the logical meaning is preserved.
  
[https://www.owasp.org/index.php/Category:OWASP_Encoding_Project Check out the OWASP Encoding Project.]
+
[[:Category:OWASP_Encoding_Project|Check out the OWASP Encoding Project.]]
  
 
=== Don't rely on client logic for security ===
 
=== Don't rely on client logic for security ===
Line 29: Line 29:
 
=== Avoid writing serialization code ===
 
=== Avoid writing serialization code ===
  
This is hard and even a small mistake can cause large security issues.  There are already a lot of frameworks to provide this functionality.  Take a look at the JSON page for links.
+
This is hard and even a small mistake can cause large security issues.  There are already a lot of frameworks to provide this functionality.  Take a look at the [http://www.json.org/ JSON page] for links.
  
 
=== Avoid building XML dynamically ===
 
=== Avoid building XML dynamically ===
Line 35: Line 35:
 
Just like building HTML or SQL you will cause XML injection bugs, so stay way from this or at least use an encoding library to make attributes and element data safe.
 
Just like building HTML or SQL you will cause XML injection bugs, so stay way from this or at least use an encoding library to make attributes and element data safe.
  
[https://www.owasp.org/index.php/Category:OWASP_Encoding_Project Check out the OWASP Encoding Project.]
+
[[:Category:OWASP_Encoding_Project|Check out the OWASP Encoding Project.]]
  
 
=== Never transmit secrets to the client ===
 
=== Never transmit secrets to the client ===
  
I hope this is a "duh" item.  Anything the client knows the user will also know, so keep all that secret stuff on the server please.
+
Anything the client knows the user will also know, so keep all that secret stuff on the server please.
  
 
=== Don't perform encryption in client side code ===
 
=== Don't perform encryption in client side code ===
  
Use SSL and encrypt on the server!
+
Use TSL/SSL and encrypt on the server!
  
 
=== Don't perform security impacting logic on client side ===
 
=== Don't perform security impacting logic on client side ===
Line 49: Line 49:
 
This is the overall one that gets me out of trouble in case I missed something :)  
 
This is the overall one that gets me out of trouble in case I missed something :)  
  
== ASP.NET ==
+
== Server Side ==
 +
=== Protect against [http://capec.mitre.org/data/definitions/111.html JSON/JavaScript Hijacking] ===
 +
====  Use [[wiki:Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet|CSRF protection]] ====
 +
Proper CSRF protection ensures that attackers without access to the same origin as the data returned from the server cannot make the server respond with confidential and use JavaScript Hijacking to access it.
  
 +
==== Always return JSON with an Object on the outside ====
  
=== Avoid writing serialization code. Remember ref vs. value types! ===
+
Always have the outside primitive be an object for JSON strings:
  
Writing serialization code in .NET seems not to hard and yet everyone gets it wrong.  Look for an existing library that has been reviewed.  I'll post more on that as I eval them.
+
'''Exploitable:'''
 +
<pre>
 +
[{"object": "inside an array"}]
 +
</pre>
  
=== Services can be called by users directly ===
+
'''Not exploitable:'''
 +
<pre>
 +
{"object": "not inside an array"}
 +
</pre>
  
Even though you only expect your AJAX client side code to call those services the users can too.  Make sure you validate inputs and treat them like they are under user control (because they are!).
+
'''Also not exploitable:'''
 +
<pre>
 +
{"result": [{"object": "inside an array"}]}
 +
</pre>
  
=== Web service calls are not schema verified ===
 
  
You need to use a 3rd party library to validate web services.
 
  
Check out OWASP .NET Web Service Validation.
 
  
=== Avoid building XML by hand, use the framework ===
+
=== Avoid writing serialization code. Remember ref vs. value types! ===
  
Use the framework and be safe, do it by hand and have security issues.  Simple.
+
Look for an existing library that has been reviewed.
  
=== Avoid building JSON by hand, use an existing frameworl ===
+
=== Services can be called by users directly ===
  
This is to hard to get wrongUse existing code for this.  Check out the JSON site for information.
+
Even though you only expect your AJAX client side code to call those services the users can tooMake sure you validate inputs and treat them like they are under user control (because they are!).
  
== Java ==
+
=== Avoid building XML by hand, use the framework ===
  
Coming soon....maybe...
+
Use the framework and be safe, do it by hand and have security issues.
  
 +
=== Avoid building JSON by hand, use an existing framework  ===
 +
 +
This is to hard to get right. Use existing code for this. Check out the JSON site for information.
 +
 +
== ASP.NET ==
 +
A guide for building a secure AJAX service layer can be found [http://msdn.microsoft.com/en-us/magazine/cc793961.aspx here].
 +
=== Web service calls are not schema verified ===
 +
 +
You need to use a 3rd party library to validate web services.
  
= Project Contributors =
+
[[:.NET_Web_Service_Validation|Check out OWASP .NET Web Service Validation.]]
  
[http://phed.org Michael Eddington]
 
  
= Project Sponsor =
 
  
[http://leviathansecurity.com Leviathan Security Group, Inc.]
 
 
[[Category:OWASP AJAX Security Project]]
 
[[Category:OWASP AJAX Security Project]]
 +
[[Category:AJAX]]

Latest revision as of 08:50, 22 January 2013

Contents

AJAX Security Guidelines

There is a complete lack of guidelines for AJAX. This document will provide a starting point for AJAX security and will hopefully be updated and expanded reasonably often to provide more detailed information about specific frameworks and technologies.

Client Side (Javascript)

Use .innerText instead of .innerHtml

The use of .innerText will prevent most XSS problems as it will automatically encode the text. Only use innerHtml when you are displaying HTML.

Don't use eval

Eval is evil, never use it. Needing to use eval usually indicates a problem in your design.

Canonicalize data to consumer (read: encode before use)

When using data to build HTML, script, CSS, XML, JSON, etc. make sure you take into account how that data must be presented in a literal sense to keep it's logical meaning. Data should be properly encoded before used in this manner to prevent injection style issues, and to make sure the logical meaning is preserved.

Check out the OWASP Encoding Project.

Don't rely on client logic for security

Least ye have forgotten the user controls the client side logic. I can use a number of browser plugging to set breakpoints, skip code, change values, etc. Never rely on client logic.

Don't rely on client business logic

Just like the security one, make sure any interesting business rules/logic is duplicated on the server side less a user bypass needed logic and do something silly, or worse, costly.

Avoid writing serialization code

This is hard and even a small mistake can cause large security issues. There are already a lot of frameworks to provide this functionality. Take a look at the JSON page for links.

Avoid building XML dynamically

Just like building HTML or SQL you will cause XML injection bugs, so stay way from this or at least use an encoding library to make attributes and element data safe.

Check out the OWASP Encoding Project.

Never transmit secrets to the client

Anything the client knows the user will also know, so keep all that secret stuff on the server please.

Don't perform encryption in client side code

Use TSL/SSL and encrypt on the server!

Don't perform security impacting logic on client side

This is the overall one that gets me out of trouble in case I missed something :)

Server Side

Protect against JSON/JavaScript Hijacking

Use CSRF protection

Proper CSRF protection ensures that attackers without access to the same origin as the data returned from the server cannot make the server respond with confidential and use JavaScript Hijacking to access it.

Always return JSON with an Object on the outside

Always have the outside primitive be an object for JSON strings:

Exploitable:

[{"object": "inside an array"}]

Not exploitable:

{"object": "not inside an array"}

Also not exploitable:

{"result": [{"object": "inside an array"}]}



Avoid writing serialization code. Remember ref vs. value types!

Look for an existing library that has been reviewed.

Services can be called by users directly

Even though you only expect your AJAX client side code to call those services the users can too. Make sure you validate inputs and treat them like they are under user control (because they are!).

Avoid building XML by hand, use the framework

Use the framework and be safe, do it by hand and have security issues.

Avoid building JSON by hand, use an existing framework

This is to hard to get right. Use existing code for this. Check out the JSON site for information.

ASP.NET

A guide for building a secure AJAX service layer can be found here.

Web service calls are not schema verified

You need to use a 3rd party library to validate web services.

Check out OWASP .NET Web Service Validation.