[WEB SECURITY] Risky client-side framework?

application.secure application.secure application.secure at gmail.com
Wed Apr 8 02:48:15 EDT 2009


Hello,

Ajax security is a very large domain. I've started to study Ajax security at
different levels:
    - "Ajax concepts and Ajax technologies" VS security
    - "Ajax patterns" VS security (and application performances)
    - "Ajax frameworks" VS security

Now, I'm investigating the use of client-side frameworks, and especially
"dojo".
Like any other development framework, it introduces a layer (libraries) over
the "base language", HTML/JavaScript
(just as server-side frameworks such as Spring, Struts, ... do over Java).

It introduces a new kind of injection at the client-side level, using the
"dojo language"...
Are cheat sheets like http://ha.ckers.org/xss.html obsolete in the context of
applications using an Ajax framework?

Consider the dojo control sample:
<div dojoType="dijit.Dialog" id="dialog1" title="First Dialog"
    execute="alert('submitted w/args:\n' + dojo.toJson(arguments[0],
true));">...</div>

The "execute" property on the div tag is specific to "dojo" and fully
understood by a dojo application.
Injecting <div ... execute=""/> is a new XSS vector into a dojo
application...

Once again, classical black-list filtering is obsolete.
What about WAF black-list filtering? Is it up to date against client-side
framework-specific injection?

Another concern is about framework libraries.
Libraries add a layer over the base language's functionality.
The behavior of these libraries is not always under the control of the
developer; and that's what the developer wants!
It helps the developer with browser compatibility issues in JavaScript.
For example, dojo.xhrGet(...) will instantiate an XHR object for each
browser, and it is transparent for the developer.

But what about the dojo.storage library? It chooses the type of client-side
storage depending on the browser and its configuration.
Each client-side storage mechanism has its specific security concerns
(listen to the Black Hat webcast about RIA).
Does it mean that my dojo application will be less or more secure depending
on the browser configuration of the user? It seems "yes"...
Does it mean that upgrading the version of the framework will change the
security of my application? Possibly "yes"...

I really think that using client-side frameworks is good for application
security, but we need to be careful...

One base principle: if we want to use a client-side framework somewhere in our
set of applications, the import of libraries should be restricted only to
these applications!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090408/370bf180/attachment.html>


More information about the websecurity mailing list