[Owasp-ajax] Ajax Security Project Roadmap (resend)
Rohini Sulatycki
rsulatycki at vml.com
Thu Apr 12 11:07:51 EDT 2007
Hi Anurag,
I say let's get started. We can pick a couple of topics and start
tackling them. Here are some possible candidates:
1) Map to OWASP Top Ten
2) Detail Ajax functionalities which can be used in a malicious way,
e.g. realtime keylogging.
3) Build and maintain a database of Ajax vulnerabilities
4) Start an incident database for hacking incidents using Ajax only,
like the Samy worm
5) ....
Let me know which ones you want to work on and we can get going!
Thanks,
Rohini
________________________________
From: Anurag Agarwal [mailto:anurag.agarwal at yahoo.com]
Sent: Wednesday, April 11, 2007 11:11 PM
To: Rohini Sulatycki; owasp-ajax at lists.owasp.org
Subject: Re: [Owasp-ajax] Ajax Security Project Roadmap (resend)
Rohini
The list had been quiet for some time. If you want to wait for some more
time then it's ok; otherwise we can start to take this project ahead and
hopefully people will start to be more involved.
Let me know what you think.
regards
anurag
----- Original Message -----
From: Rohini Sulatycki <mailto:rsulatycki at vml.com>
To: Anurag Agarwal <mailto:anurag.agarwal at yahoo.com> ;
owasp-ajax at lists.owasp.org
Sent: Tuesday, April 10, 2007 7:58 AM
Subject: RE: [Owasp-ajax] Ajax Security Project Roadmap (resend)
Hi Anurag,
My answers below. These topics are open to discussion so all
input is welcome :-)
Thanks,
Rohini
________________________________
From: Anurag Agarwal [mailto:anurag.agarwal at yahoo.com]
Sent: Monday, April 09, 2007 6:03 PM
To: Rohini Sulatycki; owasp-ajax at lists.owasp.org
Subject: Re: [Owasp-ajax] Ajax Security Project Roadmap (resend)
Hi Rohini
Here are some more questions I had in regards to this email.
Since the previous discussion was so long ago, the chain of thoughts is
broken. I was hoping you could help answer some of these questions.
>>Identify short list of top Ajax security vulnerabilities.
Shouldn't we map it to OWASP Top Ten instead of creating a
separate list? After all, Ajax does not open up any new vulnerabilities
or does it?
I like the idea of mapping to OWASP Top Ten instead of creating a
separate list.
>>Detail Ajax functionalities which can be used in a malicious
way, e.g. realtime keylogging.
Essentially the heart of Ajax is the XHR function, which by itself is
just about sending a GET/POST request to the server, but combined with
other JavaScript functions or features (like prototyping) and DHTML it can
be abused in a harmful way. If we start to make a list of all those,
then it will be a huge list and will keep growing. Instead, may I
suggest just sticking to the top ten ways of abusing Ajax.
One of the goals of the Ajax Security Project is to be a central
repository for all things related to Ajax Security. I know that I get
asked this question a lot and it would be appropriate for users to
expect to get an answer or at least see examples within our project. I
agree that an exhaustive list may be out of scope here but if we provide,
say, the Top Ten ways that Ajax functionality may be used maliciously then
that might be helpful. I welcome other members' opinions here :-)
>>Provide security audit of all major Ajax frameworks e.g.
Atlas, GWT, backbase
I am not sure about this one... do we only want a list of
frameworks or do we really want to audit? If we are coming up with
recommendations and not regulations, then why do we want to audit? If we
still want to audit, then are we thinking of certifying these
frameworks? Is it going to be a manual audit or are we planning to
build a tool for audit?
The thought here was to provide information of the top Ajax
frameworks, the security features provided by them and how to use them
in an application. The intent was not to certify the frameworks or to
build an audit tool. However, if some of the members are interested in
building such a tool then that would be very useful.
>>Create an Ajax Security Engine (like struts input validation
API)
Can you explain a little bit more about this? The problems with
Ajax are a lot bigger than input validation. Things like "Business Logic
on the client side", and "improper logging and error handling", are also
a part of issues with using ajax.
I was thinking along the lines of pluggable components e.g.
input validation, that can be plugged into existing frameworks to
provide functionality not provided by the framework out of the box.
These components may be developed by us or elsewhere. The ultimate goal
is to provide a one-stop-shop for users.
I am glad we have started this again. Hope the momentum doesn't
die off this time :)
regards
anurag
----- Original Message -----
From: Rohini Sulatycki <mailto:rsulatycki at vml.com>
To: owasp-ajax at lists.owasp.org
Sent: Monday, April 09, 2007 6:56 AM
Subject: [Owasp-ajax] Ajax Security Project Roadmap (resend)
Resending in case this email didn't reach everyone on
the list:
Hi all:
As the new lead of the OWASP Ajax security project I
thought that I would get the discussion started on putting together a
roadmap for this project. Luckily I found a lot of information on this
topic in the mailing list discussions from last year.
It would be great if everyone would take a look at the
proposed roadmap and provide your feedback. If we can all agree on the
items on the roadmap and prioritize them then we can get to work on the
individual items. Also, if there are particular items that you are
interested in working on or are already working on then let us know. I
am looking forward to working with you all!
Ajax Security Project Roadmap (proposed)
Informational
* Identify short list of top Ajax security vulnerabilities.
* Detail Ajax functionalities which can be used in a malicious way, e.g. realtime keylogging.
* Provide detailed interpretation of security principles, vulnerabilities, countermeasures for Ajax applications
* Build and maintain a database of Ajax vulnerabilities
* Start an incident database for hacking incidents using Ajax only, like the Samy worm
* Provide security audit of all major Ajax frameworks e.g. Atlas, GWT, backbase
Guidance
* Complete Ajax Chapter of OWASP Guide.
* Provide sample code
* Secure coding guidelines (without frameworks or toolkits)
* Create an Ajax Security Engine (like struts input validation API)
* Provide an awareness plan
* Develop/enhance testing tools
Standards
* Align efforts with OpenAjax Alliance security TF: http://www.openajax.org/member/wiki/Security_TF
* Assemble a team of experts from the most prominent open or closed source Ajax toolkit vendors
* Invite members from the browser manufacturers as their participation would be paramount in securing the client side
* Industry representatives from high-security (e.g. banking) institutions
* Define the most fundamental issues (together) and work out solutions to these issues and create a certification program for vendors that would demonstrate their commitment to user security
Thank you,
Rohini Sulatycki | VML | Technical Architect
250 Richards Road | Kansas City, MO 64116 | 816.218.3168 | 816.283.0954 | rsulatycki at vml.com
This transmission is confidential and intended solely
for the party to whom it is addressed. If the reader of this email is
not the intended recipient, you are hereby notified that it may contain
privileged, confidential and trade secret information, and that any
dissemination, distribution, copying or use of the information in this
transmission is strictly prohibited. If you have received this
transmission in error, please immediately notify the sender at the email
address above, and delete all copies of it from your computer
________________________________
_______________________________________________
Owasp-ajax mailing list
Owasp-ajax at lists.owasp.org
http://lists.owasp.org/mailman/listinfo/owasp-ajax