Curiouser and Curiouser
Acidus
I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Jesse James Garrett: Buy Ajax Security Book
Topic: Technology 10:54 am EDT, Oct 31, 2007

"Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book - or be able to explain why they don't."
-- Jesse James Garrett, Father of Ajax

Best. Praise Quote. Ever.



SAJA, and the smoking of the crack
Topic: Miscellaneous 12:02 am EDT, Oct 27, 2007

K Said:

Just ran across this...

Any chance it makes the baby jesus' crying less acute?

Well, this sure scares me: http://saja.sourceforge.net/security/

I need to look at this but here are my thoughts so far.

The "Function" security sounds a lot like a nonce on the system calls. OK, so no one can access your system calls unless they are using your application, but most of the Ajax stuff I'm focusing on is exploiting the application inside the context of the application (i.e. tampering with variables while it's being used, control flow modification, data leakage, etc.). This "you can only access the callback if you are really using the application" approach doesn't sound promising because it doesn't really address the problem; it attempts to limit access to the problem.

The emulating SSL with JavaScript is just damn scary. We have a whole chapter about hacking and securing mashups and aggregates like NetVibes, Facebook, etc. in Chapter 11, Web Mashups and Aggregators, in our book Ajax Security. There we point out that implementing crypto in JavaScript is a bad idea. In fact, here is the text from the book:

Another popular aggregate site, PageFlakes, attempts a different solution: using asymmetric key encryption (also known as public key encryption). In public key encryption, the key used to encrypt the data is different from the key used to decrypt the information. Thus PageFlakes uses a public/private key pair and embeds the public key in the web pages it sends to the client. Client-side JavaScript uses RSA to encrypt sensitive data before transmitting it back to the server. This allows data to be securely sent from the client to PageFlakes by essentially emulating parts of an SSL connection on top of an HTTP connection. However, this is not a good solution because it only solves half the problem. Only the web server has a public/private key pair, allowing secure communication in a single direction, from the client to the server. There is no way for the server to communicate back to the client. You cannot pre-seed the client-side code with its own public/private key pair because that would be transmitted to a user's web browser unencrypted over standard HTTP. An attacker would simply intercept it. The public/private key pair for the client would have to be generated on the client. JavaScript does not have a random number generator that is suitable for cryptographic functions. It might be possible for JavaScript to use a Java Applet's cryptographically secure random number generator for key generation, but some browsers do not allow Applets to access these secure libraries. This whole approach does not even matter if malicious widgets are not properly jailed. They could simply hook the JavaScript code and steal sensitive data before it is even encrypted using this convol...



Everything old...
Topic: Society 3:10 pm EDT, Oct 24, 2007

Modern "security" poster for the UK

Poster from IBM's German subsidiary Dehomag which roughly translates to "Watch everything with a Hollerith." Dehomag sold equipment to the Nazis to power the logistics of Holocaust.



14 Hours on a plane
Topic: Miscellaneous 3:48 am EDT, Oct 24, 2007

I'm in Japan and got to the hotel. I was on a plane for 14 hours. It's about 5pm here but my laptop clock (still on EST) says 3:45am.

I think my head is going to explode from sleep dep, but I know if I crash before 8pm or 9pm, I'll be screwed up for tomorrow.

I keep asking for Red Bull, but people just smile and say "so-sorry."

:-(

:-( [REDBULL] )

:-)

Why can't I get to stage 2?


W3af: Web Application Attack and Audit Framework
Topic: Technology 11:19 am EDT, Oct 19, 2007

Caleb and I joke that the conference talk we most want to give, but (for various legal reasons) will never be able to give, is how to write a modern web scanner.

This architecture looks a lot like what we would discuss. But, as always, there are things that are essential that it fails to address (so far):

-Manual JavaScript? Can a brother get some Spidermonkey?
-Captcha?
-Flash? Anyone?
-Two factor?

I need to take this for a spin. Multiple threads, authentication, log out detection, URL aliasing, transparent proxies, load balancers, and thread management are either not mentioned or are *way* too glossed over in the presentation. These are things people think are easy that become Hard Problems(tm) when scaling to enterprise environments.

If you are fingerprinting with HTTPrint you have a lot to learn.

The nod to client-side static analysis of code was nice and sounded very familiar... [looks at open Visual Studio currently in debugging]... very familiar indeed...

Keep your eye on this project.



Tom 1, Time 0
Topic: Miscellaneous 2:36 pm EDT, Oct 15, 2007

On Oct 15, 2007, k wrote:

TOM DOMINATES TIME! TIME IS HIS BITCH!

On Oct 15, 2007, at 2:26 PM, tom@memestreams.net wrote:

> What is a spotter/time master? Do I get to travel through time or am I
> merely responsible for doing bureaucratic things related to time
> measurement?


Why I'm going to Phreaknic
Topic: Technology 1:30 pm EDT, Oct 15, 2007

PhreakNIC 0x0b

PhreakNIC is an annual gathering in Nashville, TN, for hackers, makers, security professionals, and general technology enthusiasts. Hours upon hours of both informative and entertaining presentations are given by volunteers and many areas are set up with the intent of encouraging socialization. In our 11th year, we are now the longest running non-commercial hacker convention in the United States.* PhreakNIC is organized by the Nashville 2600 Organization, which is a 501(c)(3) tax deductible charity. However, it takes many resources to organize, and help is given to PhreakNIC by other 2600 groups in the South East United States, as well as the Nashville Linux Users Group. Our thanks go out to all who contribute.

Phreaknic is this weekend in Nashville. If you have never been to Phreaknic before, or a hacking conference, or are getting burned out on some of the other security conferences I encourage you to make the drive to Nashville and come see the show. I've gone for the last 5 years and it is, without a doubt, my favorite small conference. I love going to Phreaknic because:

It's a hacker conference
Let's face it, when you are eating freshly sliced roast beef and drinking at an open bar on Microsoft's tab, you are not at a hacker conference. There is a certain air of authenticity about a conference room full of ugly gray towers covered in peeling stickers with CRT monitors lighting the faces of a group of people huddled around it, typing excitedly on a keyboard. I sure love me my big east and big west coast cons, but most of them replaced this feeling long ago with sponsor tables and free bottled water. And there is something a little sad about that.

It's small.
This is good for many reasons. First, you can easily meet up with people, which is the big reason I go to cons. The speaker rooms aren't all over the place. Lunch trains don't end up being 20+ people. I'm not standing on a stage in front of 400 people with a good 30 feet between me and the front row. I don't have blinding lights in my eyes. I can see the crowd. I can talk with them, not at them.

It's cheap
I haven't paid to attend a hacker conference, in, well, I can't think of a time. However I do remember being a poor college student saving money so I could fly to NYC for Hope or to San Diego for Toorcon. I remember Tom or Mike or Matt giving me a place to crash on floors and couches and flea bag motels. I remember being poor and getting poorer to go to a conference. Phreaknic's price doesn't prohibit the smart (but poor) from attending and expanding their horizons and they should be saluted for that.

There is one track
I don't have to sacrifice one talk to see another. And if I happen to miss a talk, I can always find the speaker and chat with them. Plus, all the talks are broadcast live over the hotel's TV system into every room.

Speaker Love...



Slashdot to Bloggers: No one cares!
Topic: Miscellaneous 12:42 pm EDT, Oct 15, 2007

aroberts writes "Today is Blog Action Day which means that lots of bloggers will be writing on one general topic for one day in an attempt to see what might be achieved through coordinated posting, and I am one of them so my humble contribution amongst the hundreds of thousands is entitled individual action is not enough. The topic for this year's blog action day is the environment."

You can almost hear the sound of the vacuum created by bloggers thinking that their words matter when the people with control don't even know how to read the tubes. Lick a stamp or march; that's harder to ignore.

Awesome!


Optional Semicolons in JavaScript.
Topic: Miscellaneous 2:56 pm EDT, Oct 11, 2007

Optional semicolons in JavaScript make baby Jesus (and parser writers) cry.

I'm getting real cozy with section 7.9.1 today...
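Section 7.9.1 of the ECMAScript specification (3rd edition) is "Rules of Automatic Semicolon Insertion". The functions below are an added example, not from the original post, showing the ASI cases a JavaScript parser (and anyone doing static analysis of client-side code) has to get right; none of the code uses a semicolon, and each function's return value is what the rules actually produce.

```javascript
// Added example, not from the original post: the automatic semicolon
// insertion cases from ECMA-262 section 7.9.1 that trip up humans and
// parsers alike. Every return value is decided by where a semicolon was
// (or was not) inserted.

// 1. `return` is a "restricted production": a line break right after it
//    ends the statement. The object literal below becomes an unreachable
//    block (`ok:` parses as a label), and the function returns undefined.
function returnWithNewline() {
  return
  {
    ok: true
  }
}

// 2. The same body with the brace on the `return` line: no semicolon is
//    inserted, and the object literal is returned.
function returnSameLine() {
  return {
    ok: true
  }
}

// 3. No semicolon is inserted before `(`: the line break does not end the
//    statement, so `double` followed by `(3)` on the next line is a call.
//    The result is 6, not the function object.
function leadingParen() {
  const double = (x) => x * 2
  const value = double
  (3)
  return value
}

// 4. Likewise for `[`: `words` followed by `[1]` on the next line is an
//    index expression, not two statements. The result is 'beta'.
function leadingBracket() {
  const words = ['alpha', 'beta', 'gamma']
  const first = words
  [1]
  return first
}

// 5. `++` and `--` are also restricted: a `++` preceded by a line break
//    cannot be the postfix operator of `a`, so a semicolon is inserted after
//    `a` and `++b` starts a new statement. Result: a stays 1, b becomes 2.
function postfixVersusPrefix() {
  let a = 1
  let b = 1
  a
  ++b
  return [a, b]
}

// 6. The harmless case: `const` cannot continue the previous expression, so
//    the missing semicolons are inserted exactly where a human expects.
function plainAsi() {
  const x = 1
  const y = 2
  return x + y
}

module.exports = { returnWithNewline, returnSameLine, leadingParen, leadingBracket, postfixVersusPrefix, plainAsi }
```

Cases 3 and 4 are the ones that matter most for a scanner: a parser that treats every line break as a statement boundary will report two harmless statements where the engine actually executes one call or one index expression.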


And you thought O'Hare was a bad name...
Topic: Technology 9:30 am EDT, Oct 10, 2007

School: Did you really name your son Robert'); Drop Table Students;--?
Mom: Oh. Yes. Little Bobby Tables we call him.
School: Well, we've lost this year's student records. I hope you're happy.
Mom: And I hope you've learned to sanitize your database inputs.

HAHAHA! Sweet.

To be fair, you shouldn't sanitize user input, you should validate it.

update 10/11/07: Someone posted this to the webappsec mailing list.
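An added example (not from the post, the comic, or the webappsec thread) making the validate-versus-sanitize distinction concrete in JavaScript: the string concatenation that cost the school its records, "sanitizing" by stripping characters, and validating the input and then binding it as a query parameter. No database is involved; the functions return the SQL text and parameters a driver would receive. The Students table, its name column and the accepted name pattern are assumed for the example.

```javascript
// Added example, not from the original post. Why the school lost its records,
// and what "validate, don't sanitize" (plus parameterized queries) looks like.

// Constructed sample: Little Bobby Tables' name as entered on the enrollment form.
const BOBBY = "Robert'); DROP TABLE Students;--";

// The school's approach: build SQL by string concatenation. The quote and
// closing parenthesis inside the name end the INSERT early and the rest of
// the input is handed to the database as further SQL.
function buildInsertUnsafe(name) {
  return `INSERT INTO Students (name) VALUES ('${name}');`;
}

// "Sanitizing" by stripping characters is a blacklist: it guesses which
// characters matter to the database and silently rewrites the user's data.
// A legitimate name like O'Hare comes out as OHare. Shown only for contrast.
function sanitizeName(name) {
  return name.replace(/['";()-]/g, '');
}

// Validation: decide what a name may look like (assumed pattern: letters,
// spaces, dots, hyphens and apostrophes, 1 to 64 characters) and reject
// everything else with an error the user can act on. Note that the
// apostrophe is allowed, because O'Hare is a real name.
function validateName(name) {
  const NAME = /^[\p{L}][\p{L} .'-]{0,63}$/u;
  if (typeof name !== 'string') return { ok: false, reason: 'name must be a string' };
  if (!NAME.test(name)) return { ok: false, reason: 'name contains characters that are not allowed' };
  return { ok: true, value: name };
}

// Parameterized statement: the SQL text is fixed and the name travels as a
// bound parameter, so the database never parses it as code. Validation keeps
// junk out of the table; parameterization is what keeps O'Hare's apostrophe
// from ever being interpreted as SQL.
function buildInsertSafe(name) {
  const v = validateName(name);
  if (!v.ok) return { ok: false, reason: v.reason };
  return { ok: true, sql: 'INSERT INTO Students (name) VALUES (?);', params: [v.value] };
}

module.exports = { BOBBY, buildInsertUnsafe, sanitizeName, validateName, buildInsertSafe };
```

Running `buildInsertUnsafe(BOBBY)` produces a statement that already contains the DROP; `sanitizeName(BOBBY)` produces a harmless but wrong name; `validateName(BOBBY)` rejects the input outright while `validateName("O'Hare")` accepts it, and `buildInsertSafe` then passes the accepted value as a parameter rather than into the SQL text.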


