[Owasp-ajax] Ajax Security Project Roadmap (resend)
anurag.agarwal at yahoo.com
Thu Apr 12 17:25:41 EDT 2007
>>1) map to OWASP Top Ten
I had started working on an article on mapping the OWASP Top Ten to Ajax. I didn't get time to finish it, and also the OWASP Top Ten changed, but I can certainly share it here on the list. The question I have, however, is whether I can still publish it or not.
>> 2) Detail Ajax functionalities which can be used in a malicious way. For e.g. realtime keylogging.
This is a little confusing, since Ajax by itself is a collection of technologies (JavaScript, DHTML and XML) along with the XHR function. So I am not sure what we want to detail here for the functionality, and then again these are being abused, so I don't think that is a vulnerability. In my opinion, we should call it the Top Ten malicious Ajax scripts. For example, there are certain proofs of concept I published on www.attacklabs.com, if you haven't got a chance to look at them yet:
a. Ajax Sniffer
b. Ajax Worm
c. Ajax Keylogger
We can certainly add more.
Thoughts / suggestions?
>>3) Build and maintain a database of Ajax vulnerabilities
Once again, Ajax by itself does not introduce any vulnerabilities (I am not taking into account the cross-domain feature they are planning to add). The rest would probably be covered under sections 1 and 2 above.
>>4) Start an Incident database for hacking incidents using Ajax only. Like samy worm
Any thoughts on what we are trying to achieve by this?
Cheers,
Anurag Agarwal
SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email: anurag.agarwal at yahoo.com
Blog: http://myappsecurity.blogspot.com
----- Original Message ----
From: Rohini Sulatycki <rsulatycki at vml.com>
To: Anurag Agarwal <anurag.agarwal at yahoo.com>; owasp-ajax at lists.owasp.org
Sent: Thursday, April 12, 2007 8:07:51 AM
Subject: RE: [Owasp-ajax] Ajax Security Project Roadmap (resend)
Hi Anurag,
I say let's get started. We can pick a couple of topics and start tackling them. Here are some possible candidates:
1) map to OWASP Top Ten
2) Detail Ajax functionalities which can be used in a malicious way. For e.g. realtime keylogging.
3) Build and maintain a database of Ajax vulnerabilities
4) Start an Incident database for hacking incidents using Ajax only. Like samy worm
5) ....
Let me know which ones you want to work on and we can get going!
Thanks,
Rohini
From: Anurag Agarwal [mailto:anurag.agarwal at yahoo.com]
Sent: Wednesday, April 11, 2007 11:11 PM
To: Rohini Sulatycki; owasp-ajax at lists.owasp.org
Subject: Re: [Owasp-ajax] Ajax Security Project Roadmap (resend)
Rohini
The list has been quiet for some time. If you want to wait for some more time then it's ok; otherwise we can start to take this project ahead, and hopefully people will start to be more involved.
Let me know what you think.
regards
anurag
----- Original Message -----
From: Rohini Sulatycki
To: Anurag Agarwal ; owasp-ajax at lists.owasp.org
Sent: Tuesday, April 10, 2007 7:58 AM
Subject: RE: [Owasp-ajax] Ajax Security Project Roadmap (resend)
Hi Anurag,
My answers below. These topics are open to discussion so all input is welcome :)
Thanks,
Rohini
From: Anurag Agarwal [mailto:anurag.agarwal at yahoo.com]
Sent: Monday, April 09, 2007 6:03 PM
To: Rohini Sulatycki; owasp-ajax at lists.owasp.org
Subject: Re: [Owasp-ajax] Ajax Security Project Roadmap (resend)
Hi Rohini
Here are some more questions I had in regards to this email. Since the previous discussion was so long ago, the chain of thought is broken. I was hoping you could help answer some of these questions.
>>Identify short list of top Ajax security vulnerabilities.
Shouldn't we map it to OWASP Top Ten instead of creating a separate list? After all, Ajax does not open up any new vulnerabilities or does it?
I like the idea of mapping to the OWASP Top Ten instead of creating a separate list.
>>Detail Ajax functionalities which can be used in a malicious way. For e.g. realtime keylogging.
Essentially, the heart of Ajax is the XHR function, which by itself is just about sending a GET/POST request to the server, but combined with other JavaScript functions or features (like prototyping) and DHTML it can be abused in a harmful way. If we start to make a list of all those, then it will be a huge list and will keep growing. Instead, may I suggest just sticking to the top ten ways of abusing Ajax.
One of the goals of the Ajax Security Project is to be a central repository for all things related to Ajax Security. I know that I get asked this question a lot and it would be appropriate for users to expect to get an answer or at least see examples within our project. I agree that an exhaustive list may be out of scope here, but if we provide, say, the Top Ten ways that Ajax functionality may be used maliciously then that might be helpful. I welcome other members' opinions here :)
>>Provide security audit of all major Ajax frameworks e.g. Atlas, GWT, backbase
I am not sure about this one... Do we only want a list of frameworks or do we really want to audit? If we are coming up with recommendations and not regulations, then why do we want to audit? If we still want to audit, then are we thinking of certifying these frameworks? Is it going to be a manual audit or are we planning to build a tool for audit?
The thought here was to provide information of the top Ajax frameworks, the security features provided by them and how to use them in an application. The intent was not to certify the frameworks or to build an audit tool. However, if some of the members are interested in building such a tool then that would be very useful.
>>Create an Ajax Security Engine (like struts input validation API)
Can you explain a little bit more about this? The problems with Ajax are a lot bigger than input validation. Things like "Business Logic on the client side" and "improper logging and error handling" are also a part of the issues with using Ajax.
I was thinking along the lines of pluggable components, e.g. input validation, that can be plugged into existing frameworks to provide functionality not provided by the framework out of the box. These components may be developed by us or elsewhere. The ultimate goal is to provide a one-stop shop for users.
I am glad we have started this again. Hope the momentum doesn't die off this time :)
regards
anurag
----- Original Message -----
From: Rohini Sulatycki
To: owasp-ajax at lists.owasp.org
Sent: Monday, April 09, 2007 6:56 AM
Subject: [Owasp-ajax] Ajax Security Project Roadmap (resend)
Resending in case this email didn’t reach everyone on the list:
Hi all:
As the new lead of the OWASP Ajax security project I thought that I would get the discussion started on putting together a roadmap for this project. Luckily I found a lot of information on this topic in the mailing list discussions from last year.
It would be great if everyone would take a look at the proposed roadmap and provide your feedback. If we can all agree on the items on the roadmap and prioritize them then we can get to work on the individual items. Also, if there are particular items that you are interested in working on or are already working on then let us know. I am looking forward to working with you all!
Ajax Security Project Roadmap (proposed)
Informational
Identify short list of top Ajax security vulnerabilities.
Detail Ajax functionalities which can be used in a malicious way. For e.g. realtime keylogging.
Provide detailed interpretation of security principles, vulnerabilities, countermeasures for Ajax applications
Build and maintain a database of Ajax vulnerabilities
Start an Incident database for hacking incidents using Ajax only. Like samy worm
Provide security audit of all major Ajax frameworks e.g. Atlas, GWT, backbase
Guidance
Complete Ajax Chapter of OWASP Guide.
Provide sample Code
Secure Coding guidelines (without frameworks or toolkits)
Create an Ajax Security Engine (like struts input validation API)
Provide an awareness Plan
Develop/enhance testing tools
Standards
Align efforts with OpenAjax Alliance security TF: http://www.openajax.org/member/wiki/Security_TF
Assemble a team of experts from the most prominent open or closed source Ajax toolkit vendors
Invite members from the browser manufacturers as their participation would be paramount in securing the client side
Industry representatives from high-security (e.g. banking) institutions
Define the most fundamental issues (together) and work out solutions to these issues and create a certification program for vendors that would demonstrate their commitment to user security
Thank you,
Rohini Sulatycki | VML | Technical Architect
250 Richards Road | Kansas City, MO 64116 | Phone: 816.218.3168 | 816.283.0954 | Email: rsulatycki at vml.com