Hackers of India

Web 2.0 Application Kung-Fu - Securing Ajax & Web Services

By Shreeraj Shah on 20 Nov 2007 @ DeepSec


Presentation Material

Presentation


URL : https://www.slideshare.net/slideshow/web-20-application-kungfu/183493


Abstract

With Web 2.0 applications being adopted by businesses at a very quick pace, security concerns around these technologies have grown too. Ajax and Web Services are key components of the Web 2.0 framework, and understanding these components vis-à-vis their attack vectors is imperative if the security concerns are to be adequately addressed. Financial services companies such as Wells Fargo and E*Trade are adopting Web 2.0 technologies by building next generation Enterprise 2.0 solutions. Ajax fingerprinting, crawling and scanning are key aspects of Web 2.0 threat profiling: a proper threat profile makes it possible to identify XSS and XSRF vulnerabilities and likely weak entry points. Ethical hackers must complete scanning and fuzzing before attackers have the chance to exploit vulnerable Web Services running on XML-RPC, SOAP and REST. This presentation reveals methodologies, techniques and tricks used to hack Web 2.0 applications, together with defense strategies to secure them. It includes a number of demonstrations and real-life cases encompassing next generation attacks and defense. The speaker has authored several tools – wsChess (Web Services hacking toolkit), Ajaxfinger, ScanAjax and MSNPawn – that will be demonstrated in detail.

AI Generated Summary (may contain errors)

The speaker demonstrates how a CSRF vulnerability can be exploited using XML streams and hidden form inputs. They also discuss code analysis for identifying vulnerabilities and defense techniques, covering SQL injection, XPath injection, file access and validation checks.

The speaker showcases an application code scanner that can analyze entire source code bases, identify method signatures, and detect patterns for security threats. They demonstrate how to trace variables through multiple files using a “walk” functionality.

To protect against these types of attacks, the speaker emphasizes the importance of SOAP-level filtering and HTTP-module-based content filtering. They introduce a tool called Web 2.0 Wall, which enables JSON and SOAP filtering with customizable rules.

In a demo, the speaker shows how to hook into the HTTP pipeline, load an .inf file containing the rules, and analyze POST envelopes for security threats. If any rule matches, the tool returns a security error before the request reaches the application layer.

Finally, the speaker concludes that secure coding practices are essential to preventing vulnerabilities and encourages questions from the audience.