SOA, WOA, and SaaS
SOA components include Web services, RPC-layer services for applications, and generic services written as traditional applications. Most SOA components are implemented as Web services, as modeled in Figure 2.11. A Web service can be defined in the following way: a Web service is a software component developed to support interoperability over a network using an interface described in WSDL, a machine-understandable format. Other systems communicate with the Web service using SOAP messages that...
CSRF Vulnerability Detection with Web Applications
Traditional CSRF vulnerabilities can be identified by analyzing each important GET and POST request going to the application. If an attacker can reproduce a GET or POST request, this can lead to CSRF. If a specific GET or POST request on an application carries some magic number that cannot be guessed easily, this number can act as a token to guard against the CSRF attack vector. This magic token can be part of the query string in a GET request, while in a POST request it sits in the data buffer. These tokens...
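The detection idea above, as an added example that is not from the book: two captures of the same requests from different user sessions are compared, and a request is flagged as a CSRF candidate when no parameter in it both looks like an unguessable token and changes between sessions (GET parameters are read from the query string, POST parameters from the body). The captured requests, the entropy threshold and the parameter name csrftok are constructed assumptions.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the same two requests captured from two different user sessions.
# A per-session anti-CSRF token differs between the captures and looks random;
# a request whose parameters are identical and predictable can be replayed.
SESSION_A = [
    ("GET", "/account/delete?id=42&csrftok=9f3a1c7be04d58a2f6c0e1b7d4a93c5e", ""),
    ("POST", "/profile/update", "email=a%40example.com&display=Alice"),
]
SESSION_B = [
    ("GET", "/account/delete?id=42&csrftok=2c8e5b0fa71d39e4c6b2d0f8a15e7b93", ""),
    ("POST", "/profile/update", "email=b%40example.com&display=Bob"),
]

def shannon_entropy(value):
    """Bits of entropy per character: hex/base64 tokens score high, plain words low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_token(value):
    """Heuristic for a 'magic number': long, no whitespace, high per-character entropy."""
    return len(value) >= 16 and not re.search(r"\s", value) and shannon_entropy(value) >= 3.0

def request_params(method, url, body):
    """GET carries its parameters in the query string, POST in the request body."""
    raw = urlsplit(url).query if method == "GET" else body
    return dict(parse_qsl(raw, keep_blank_values=True))

def find_csrf_candidates(capture_a, capture_b):
    """Pair requests by method and path across the two sessions and flag those with
    no parameter that is both token-like and different in the other session."""
    by_key = {(m, urlsplit(u).path): request_params(m, u, b) for m, u, b in capture_b}
    findings = []
    for method, url, body in capture_a:
        key = (method, urlsplit(url).path)
        params_a = request_params(method, url, body)
        params_b = by_key.get(key, {})
        guarded = any(looks_like_token(v) and params_b.get(k) not in (None, v)
                      for k, v in params_a.items())
        if not guarded:
            findings.append(f"{method} {key[1]}")
    return findings
```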
Tampering with Data Types of the SOAP Message
Here is an example of a SOAP request that takes an array as input.

    <?xml version="1.0" encoding="utf-16"?>
    <soap:Envelope>
      <soap:Body>
        <tns:solvesys>
          <Arr href="#id1"/>
        </tns:solvesys>
        <soapenc:Array id="id1">
          <Item>0</Item>
        </soapenc:Array>
      </soap:Body>
    </soap:Envelope>

The following node gives away information about the input parameter, an array of items:

    <soapenc:Array id="id1">
      <Item>0</Item>
    </soapenc:Array>

xsd:double indicates that the array consists of...
JavaScript Client-Side Scanning for Entry Points
Web 2.0 applications expose several different entry points to the application logic. These entry points reside in the JavaScript or HTML pages. Unlike an HREF, these entry points or resources are not simple to grab. In traditional applications it was easy to collect these entry points or resources, but this is not the case with Web 2.0 applications. One of the challenges is to identify these entry points and the structures associated with them. For example, using the Atlas framework, it is easy...
CSRF and Getting Cross-Domain Information Access
In the last section, we showed that it is possible to force a browser to generate a cross-domain HTTP request, so that an attacker can force a command or event to be executed on the application side. With this method it is not possible to get read access to information coming from the application; it is more like one-way communication. In two-way communication, it is possible to generate a CSRF request by forcing the browser and also to fetch the response generated by the server. This...
XPATH Injection
We use regular expressions to search text documents. Similarly, XPATH can be used to search for information in XML documents by navigating through the elements and attributes of the XML document. XPATH, a language defined to find information in an XML document, is an important element of the W3C XSLT standard. As the name suggests, it uses paths to traverse the nodes of an XML document to look for specific information. It has functions for string values, numeric values, node and name...
Cross-Domain Bypass with Callback
The JavaScript callback mechanism is another way of establishing cross-domain data access for an application. Various applications on the Internet provide this type of callback mechanism, by which it is possible to integrate the stream into the client side of the application layer. We discussed this callback mechanism in Chapter 8 on CSRF; here we look at it in detail. Many popular portals such as Yahoo provide this mechanism to support cross-domain calls. The callback works by...
Web Firewall and Filtering with ModSecurity
ModSecurity is a very interesting project and is well accepted by the industry. Its focus is HTTP filtering for Apache. It is a module (shared object) for the Apache Web Server, and various rules are provided to defend Web applications. Documentation and downloads are available at http://www.modsecurity.org. ModSecurity has well-formed directives and rules by which it is possible to protect HTTP headers and POST buffers, block malicious attack vectors, and so on. This module is designed to provide...
Web Application Information Sources and Flow
One of the major differences between Web 2.0 applications and previous-generation applications is the usage of information and its sources. Web 2.0 applications leverage underlying technologies and application programming interfaces (APIs) supported by various other applications. This support empowers applications to consume information residing on other servers and to fetch and present this information to the end user effectively and efficiently. For example, as shown in Figure 1.2, we have a...
Real-Life Web Application Examples
Here is a sample list of some well-known Web 2.0 applications.

Social bookmarking. Provides bookmarking services on the Web so people can share their bookmarks. This application is available at http://del.icio.us.
Social information-sharing. A place where people share their profiles and other information. One such application is available at http://www.myspace.com.
Google Maps. Provides a Web 2.0-based mapping site.
Start page. A nice Web 2.0-based start page where information can be aligned....
Conclusion
The Web 2.0 application architecture and framework is exciting for end users. Statistics show that in the past year Web 2.0 application traffic has grown by an astonishing 300%. Web 2.0 applications have produced a new range of security concerns with regard to Ajax, Flash, Web Services, and information sources. These issues need to be addressed. Threat modeling for these applications is a challenge for security professionals; protecting the end user from multiple attacks is also their...
Web Technology Vectors and Architecture
Web 2.0 is a cocktail of various new technology vectors. These technology vectors have given fresh impetus to next-generation applications. Over the past few years, new architectures have been evolving around these vectors. It is important to understand their inner workings to gain a better understanding of the security risks. Technology vectors can be divided into the categories shown in Figure 1.1. Compared to its predecessor, Web 2.0 has empowered clients substantially. Old...