Another HTML5 Security Question

steve claflin
Ranch Hand

Joined: Dec 04, 2008
Posts: 54
The current thinking is that urls should be unpredictable. But, it seems to me that any logic to do that is going to have some predictable path to find out what the "extra" information is. It would have to be in a JS variable at some point, and then injected script could access it.

That leads me to think that any code dealing with that unpredictability ought to be wrapped in a self-executing anonymous function in order to provide a variable space that isn't accessible from the outside. Is that a reasonable conclusion, or is there some other way to ensure that the logic related to the token can't be accessed?
Carsten Eilers
author
Greenhorn

Joined: Mar 28, 2013
Posts: 13
steve claflin wrote:The current thinking is that urls should be unpredictable. But, it seems to me that any logic to do that is going to have some predictable path to find out what the "extra" information is. It would have to be in a JS variable at some point, and then injected script could access it.

That leads me to think that any code dealing with that unpredictability ought to be wrapped in a self-executing anonymous function in order to provide a variable space that isn't accessible from the outside. Is that a reasonable conclusion, or is there some other way to ensure that the logic related to the token can't be accessed?


Hi Steve,

I don't understand your problem. Which URLs should be unpredictable, and why?

Kind regards
Carsten


Website: http://www.ceilers-it.de - Blog: http://www.ceilers-news.de (mainly in German)
eBook "HTML5 Security": english - http://developerpress.com/en/html5 # german - http://entwickler-press.de/ep/psecom,id,2,buchid,272.html
steve claflin
Ranch Hand

Joined: Dec 04, 2008
Posts: 54
Sorry about being not very specific - I was thinking of Ajax requests, and the types of preventative measures like that discussed in

http://jazoon.com/portals/0/Content/ArchivWebsite/jazoon.com/jazoon09/download/presentations/7560.pdf (page 29)

or

http://www.denimgroup.com/media/pdfs/DenimGroup_Web20Security_AJAXWorld_20070321.pdf (page 23)

From other posts I've seen (plus the number of sites I go to that now append a junk parameter to the end of the request urls if I view my network traffic), I've been assuming that if the server and I both agree on what the "unpredictable" component is, and it was determined uniquely for this session, then someone reading the code in advance won't know what url we'll actually be using. But, the knowledge of that extra value is still going to be somewhere in the code, like held in a variable (or maybe using a function to adjust the url). So, if they can inject JS code based on the existing code, then they could see that token, or invoke the url-adjusting function, unless those elements aren't part of the window object.
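The concern in the post above (the token has to live in a variable somewhere, so injected script can reach it) can be demonstrated directly. The following is an added example, not code from the thread or from either poster. It keeps a per-session token inside a self-executing anonymous function so that nothing about it is on `window`, then shows that a script running in the same page still obtains it by hooking `XMLHttpRequest.prototype.open`, which every request has to pass through. The token value, the `/api/account` URL and the `tok` parameter name are constructed for the demo; the minimal `XMLHttpRequest` stand-in is only installed when the real one is absent (Node.js), so in a browser the real object is used.

```javascript
// Added example, not code from the thread: a per-session token kept in an
// IIFE closure is hidden from direct reads, yet still leaks to injected
// script, because the request must pass through shared browser objects.
// Token value, URL and parameter name `tok` are constructed for the demo.

// Constructed stand-in so the example also runs outside a browser (Node.js):
// same open()/send() shape as the real XMLHttpRequest, but no network.
if (typeof globalThis.XMLHttpRequest === 'undefined') {
  globalThis.XMLHttpRequest = class {
    open(method, url) { this.method = method; this.url = url; }
    send() {}
  };
}

// --- Application code: the token only exists inside this closure ---
const app = (function () {
  const sessionToken = 'a7c9e1f3-constructed-token'; // issued per session by the server
  function withToken(url) {
    return url + (url.includes('?') ? '&' : '?') + 'tok=' + encodeURIComponent(sessionToken);
  }
  return {
    // The only exported entry point; sessionToken and withToken stay private.
    loadAccount() {
      const xhr = new XMLHttpRequest();
      xhr.open('GET', withToken('/api/account'));
      xhr.send();
      return xhr;
    },
  };
})();

// Neither the token nor the helper is reachable as a global.
function tokenDirectlyVisible() {
  return typeof globalThis.sessionToken !== 'undefined'
      || typeof globalThis.withToken !== 'undefined';
}

// --- Injected attacker code: hooks the prototype every XHR.open() goes through ---
const leakedUrls = [];
let hooked = false;
function installHook() {
  if (hooked) return;
  hooked = true;
  const originalOpen = XMLHttpRequest.prototype.open;
  XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    leakedUrls.push(String(url));              // record the tokenised URL
    return originalOpen.call(this, method, url, ...rest);
  };
}

// What the attacker does with a captured URL.
function tokenFromUrl(url) {
  const m = /[?&]tok=([^&]+)/.exec(url);
  return m ? decodeURIComponent(m[1]) : null;
}

// Run the attack: returns the token the closure was supposed to hide.
function stealToken() {
  installHook();
  app.loadAccount();
  return tokenFromUrl(leakedUrls[leakedUrls.length - 1]);
}

console.log('visible as global:', tokenDirectlyVisible(), '| stolen via hook:', stealToken());
```

The closure only prevents reading the variable by name. Code that runs in the same origin can hook `XMLHttpRequest.prototype.open` or `fetch`, or simply call `app.loadAccount()` itself and let the application attach the token for it. That is why the value of such a token lies in keeping it away from pages the attacker controls (other origins), not in hiding it from script on your own page.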
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
Any Ajax request is no different from any HTTP request to your site. Would you have this same conversation if you were posting back an entire page? How do you protect an entire page from post back? You verify that the session is active and that the user is able to access the page. The same thing needs to apply to the Ajax call. There is no way to say that request X is definitely from Y.
Carsten Eilers
author
Greenhorn

Joined: Mar 28, 2013
Posts: 13
steve claflin wrote:Sorry about being not very specific - I was thinking of Ajax requests, and the types of preventative measures like that discussed in

http://jazoon.com/portals/0/Content/ArchivWebsite/jazoon.com/jazoon09/download/presentations/7560.pdf (page 29)

or

http://www.denimgroup.com/media/pdfs/DenimGroup_Web20Security_AJAXWorld_20070321.pdf (page 23)


Hi Steve,

Now I get it. This unpredictable value defends against JSON hijacking. It's comparable to the token that defends against CSRF: in the case of CSRF, only requests with a valid token are executed, and in the case of JSON, only requests with a valid unpredictable value are executed.

Another way to defend against JSON hijacking is to prevent the execution of the JSON data. An attacker needs to execute the hijacked JSON data in a script tag, and if you, for example, put a

before the actual data, the attacker's code runs in an endless loop, while your own code can remove the

and decode the data.

steve claflin wrote:From other posts I've seen (plus the number of sites I go to that now append a junk parameter to the end of the request urls if I view my network traffic), I've been assuming that if the server and I both agree on what the "unpredictable" component is, and it was determined uniquely for this session, then someone reading the code in advance won't know what url we'll actually be using. But, the knowledge of that extra value is still going to be somewhere in the code, like held in a variable (or maybe using a function to adjust the url). So, if they can inject JS code based on the existing code, then they could see that token, or invoke the url-adjusting function, unless those elements aren't part of the window object.


If the attacker can inject code, you are lost.
The unpredictable values only protect against JSON hijacking and CSRF attacks, where the attacker lures the victim to a page which then sends requests in the victim's name (identified by a session cookie, for example). In these cases, the attacker prepares the request in advance, for example as an img tag or a form sent with JavaScript, and has no way to inject JavaScript into the attacked web app.

Kind regards
Carsten
