[Owasp-ajax] Some Roadmap Ideas
anurag.agarwal at yahoo.com
Tue Sep 12 23:00:34 EDT 2006
John -
I think it's a great start. Here are a few things off the top of my head; they may sound a little ambitious in the beginning, but we might wanna put them on the roadmap.
1. In addition to the Ajax vulnerabilities, we may also need to showcase some of the regular functionality which can be used in a malicious way, e.g. real-time keylogging using Ajax.
2. Since we are going to identify vulnerabilities in Ajax, how about maintaining a database of Ajax vulnerabilities which can be used independently or can act as an input to a tool which OWASP or some other party might want to create, like AppScan, WebInspect, etc.
3. Another idea which came to my mind was maintaining an Ajax incident database where we have hacking incidents using Ajax. This may sound too ambitious, but I thought I'd share it with you guys.
Thoughts / suggestions?
anurag
----- Original Message ----
From: John Creason <john.creason at smartsheet.com>
To: owasp-ajax at lists.owasp.org
Sent: Tuesday, September 12, 2006 6:54:53 PM
Subject: [Owasp-ajax] Some Roadmap Ideas
ALL –
OK – let’s get the dialogue started. I’ve been thinking about this a lot, and I have felt sort of stuck. I think that most of the issues that need to be addressed in order to make AJAX secure are really things which we already know about: authentication, access control, etc. I am sure that with everyone’s ideas, we can get a roadmap pulled together quickly.
Here are some of my ideas about the AJAX Security Roadmap
1) Identify short list of top AJAX security vulnerabilities.
Include instructions on how to determine if your code is vulnerable, and include recommendations on how to defend against a related attack.
This is similar to the top-ten, but it's AJAX focused. My expectation is that nearly every one of these issues will already be covered in Top Ten or somewhere else in the OWASP materials.
We could address any AJAX-specific aspects of the vulnerability and reference other materials as needed.
2) Complete AJAX Chapter of OWASP Guide.
There are a number of sub-sections which are just stubs. My recollection is that most of these are on the various injection attacks. These injection attacks can exist inbound to the AJAX client or inbound to the web server - we need to address both sides of the injection threat.
3) Sample Code
With AJAX, developers are going to be using JavaScript to build content for requests. Some JavaScript samples could be helpful.
A couple simple samples come to mind. In both cases, I have production code which could be donated as examples:
toSafeXML(string) - Escapes all unsafe characters from the supplied string using standard XML escape sequence. It is important that all user supplied data is made safe before attempting to include that data in an XML document for transport from an AJAX Client to the Application Server. This sample code uses a "whitelist" approach and will escape all non-listed characters using standard XML escape encoding.
toFormUrlEncoded(string) - This function takes a string and efficiently does the Form URL Encoding. This is a necessary step to submit an AJAX request via POST. See the OWASP guide for details on why we want to encourage people to only use POST for sending AJAX requests.
Other ideas?
John D. Creason
Smartsheet.com
john.creason at smartsheet.com
(o) 425-296-2488
(m) 425-760-0985
www.smartsheet.com
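As an added illustration of the two helpers John describes (example code written for this archive, not the Smartsheet production code he offers to donate): a whitelist-based toSafeXML and a toFormUrlEncoded that follows the application/x-www-form-urlencoded rules, plus a small envelope builder showing where the escaping belongs. The whitelist contents and the helper names toXmlEnvelope and toFormBody are this example's own choices.

```javascript
// Added example, not the code from the original post.
// toSafeXML: whitelist approach. Letters, digits and a small set of
// punctuation pass through unchanged; every other code point becomes a
// numeric character reference, so <, >, &, quotes and control characters
// can never alter the structure of the XML the client is building.
// (The whitelist below is this example's choice, not the original's.)
const XML_SAFE = /^[A-Za-z0-9 .,;:!?@#$%^*()_+=\-\[\]{}|~\/\r\n\t]$/;

function toSafeXML(str) {
  let out = "";
  for (const ch of String(str)) {            // iterates by code point
    out += XML_SAFE.test(ch) ? ch : "&#" + ch.codePointAt(0) + ";";
  }
  return out;
}

// Hypothetical helper: wraps user-supplied field values in a fixed XML
// envelope. Element names are application constants, never user input;
// only escaped text lands between the tags.
function toXmlEnvelope(fields) {
  return "<request>" +
    Object.keys(fields)
      .map(k => "<" + k + ">" + toSafeXML(fields[k]) + "</" + k + ">")
      .join("") +
    "</request>";
}

// toFormUrlEncoded: application/x-www-form-urlencoded encoding of one
// value. encodeURIComponent does the UTF-8 percent-encoding but leaves
// ! ' ( ) ~ alone and encodes space as %20; form encoding wants those
// five escaped and space written as "+", so fix them up afterwards.
function toFormUrlEncoded(str) {
  return encodeURIComponent(String(str))
    .replace(/[!'()~]/g, c => "%" + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, "+");
}

// Hypothetical helper: builds a complete POST body from key/value pairs,
// encoding both sides so a value containing "&" or "=" cannot smuggle in
// an extra parameter.
function toFormBody(fields) {
  return Object.keys(fields)
    .map(k => toFormUrlEncoded(k) + "=" + toFormUrlEncoded(fields[k]))
    .join("&");
}
```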