Small white diary 54: Kali penetration testing, web penetration, complementary concepts (Ajax, Web Service)

Source: Internet
Author: User
Tags: HMAC, SOAP, Representational State Transfer, Dojo Toolkit

Complementary concepts

AJAX (Asynchronous JavaScript and XML)

Asynchronous JavaScript and XML

Ajax is a concept, not a new programming language; it is a combination of a set of existing technologies

Part of a page is updated dynamically through client-side script, rather than reloading the entire page

Reduces bandwidth usage and increases speed

Enhances the user experience

Asynchronous access in the background

Ajax components

JavaScript: the core component of Ajax. It uses the XMLHttpRequest object interface to send requests to the server and to receive and process the server's response data

Dynamic HTML (DHTML)

Before Ajax, HTML page elements were modified on the client through JavaScript, CSS, etc. The drawback is that page modification depends entirely on client-side code, and interaction with the server is left to JavaScript applets; Ajax's XHR makes up for this shortcoming (e.g., for user registration)

Document Object Model (DOM)

The framework for working with HTML and XML document objects. DHTML is implemented by the browser, and the DOM acts as the interface to that implementation, defining and managing the properties, methods and events of each page element object

Ajax-based Web application workflow

The XMLHttpRequest API creates an XMLHTTP object for the access

What is returned: XML, JSON, HTML, text or images

Multiple asynchronous requests communicate independently and do not depend on one another

Ajax framework

jQuery

Dojo Toolkit

Google Web Toolkit (GWT)

Microsoft AJAX Library

There is no common set of Ajax security best practices, and the attack surface is not known to most people

Security issues with Ajax

Mixing multiple technologies increases the attack surface; each technology may form an independent attack path

The Ajax engine is a full-featured script interpreter, so visiting a malicious site can be disastrous; the browser has a sandbox and the same-origin policy (SOP), but these can be bypassed

Server and client code are mixed together in a confusing way, leading to improper server-side access control and information disclosure

Exposure of application logic

Ajax's challenge to penetration testing "cannot be ignored"

A large number of asynchronous requests, and they are hidden from view

The conditions that trigger an Ajax request are irregular

Manual crawling and crawling through an intercepting proxy can miss a large number of requests

Ajax crawl tools

ZAP

Client code auditing

Source code review ("not necessarily efficient")

Firebug

WEB Service

A service-oriented architecture (SOA) for easy integration and sharing of data and functionality across systems

Ideal for scenarios where you want to give access to data without exposing the data model and program logic

No page, just a web interface accessed via the HTTP protocol

Two types of Web Service

Simple Object Access Protocol (SOAP)

The traditional way of developing web services; XML is the only data interchange format

Adopted more by applications with higher security requirements

RESTful (Representational State Transfer architecture, REST)

Currently the more lightweight kind of web service; JSON is the preferred data interchange format

Web Service security considerations

    1. Implement and track identity authentication using an API key or session token
    2. Authentication is performed by the server, not the client (because the client source can be viewed)
    3. API keys, usernames and session tokens are never sent via the URL
    4. RESTful provides no security mechanism by default and requires SSL/TLS to protect data in transit
    5. SOAP provides the WS-Security mechanism, which is stronger than HTTPS
    6. Use OAuth or HMAC for authentication; with HMAC, the client and server share a secret key that is used to compute the HMAC over the API key
    7. RESTful should allow only authenticated users to use the PUT and DELETE methods
    8. Use random tokens to prevent CSRF attacks
    9. Deploy strict whitelist-based filtering of user-submitted parameters
    10. Sanitize error messages
    11. Direct object references should be strictly authenticated (e.g., an e-commerce company that uses the product ID as the primary index)
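Points 3 and 6 above in working form: an added example (not code from the original note) of HMAC request signing for a REST API, where the client puts the API key and signature in headers rather than the URL, and the server looks up the shared secret, recomputes the MAC in constant time and rejects stale or replayed requests. The credentials, header names and canonical string layout are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials (hypothetical values, not from the page).
API_KEY = "demo-key-0001"
SHARED_SECRET = b"secret-known-only-to-client-and-server"
KEYSTORE = {API_KEY: SHARED_SECRET}  # server-side lookup: API key -> shared secret


def canonical_string(method, path, timestamp, nonce, body):
    """Bind the MAC to everything a tamperer could change: method, path, time, nonce, body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(method, path, body, api_key=API_KEY, secret=SHARED_SECRET,
                 timestamp=None, nonce=None):
    """Client side: the key and signature travel in headers, never in the URL."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


def verify_request(method, path, body, headers, now=None, max_skew=300, seen_nonces=None):
    """Server side: look up the secret, recompute the MAC and compare in constant time.
    Rejects unknown keys, stale timestamps, replayed nonces and any tampered field."""
    secret = KEYSTORE.get(headers.get("X-Api-Key"))
    if secret is None:
        return False
    try:
        timestamp = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > max_skew:
        return False
    nonce = headers.get("X-Nonce", "")
    if seen_nonces is not None and nonce in seen_nonces:
        return False
    expected = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False
    if seen_nonces is not None:
        seen_nonces.add(nonce)  # remember the nonce only after a successful check
    return True
```

Because the method is part of the signed string, a PUT or DELETE signed by one client cannot be re-sent as a different method, which is what point 7 relies on.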
