Thursday, June 15th, 2006
AJAX Storage Security
Corey Benninger of Foundstone has written a paper on Ajax Storage Security (pdf):
I wanted to let you know Foundstone has a white paper on their website about AJAX Storage from a security angle. The paper focuses mainly on where Flash shared objects (used in Dojo) and IE persistence user-data get stored on the local system. It mentions and links to tools security auditors can use to view or edit those files. Unlike normal HTTP cookies, these two methods can save larger amounts of data, are not cleared when you empty your browser cache, and with the Flash objects can be accessed across domains and across web browsers.
Conclusion
Programmers of AJAX applications are continually finding innovative ways of reusing older web technologies. We are likely to see more frameworks and technology that allow increased amounts of data to be saved locally and across domains. This includes plans for future Firefox releases to implement new client-side storage capabilities based on the Web Hypertext Application Technology Working Group (WHATWG) Web Applications 1.0 specifications. Having an understanding of how data is stored and how it can be used is important for understanding the complete picture of the security risks involved.
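For auditors and incident responders, an added example (not from the paper or the original post): a Python sketch that inventories Flash shared object (.sol) files per origin domain and flags those larger than a cookie could hold or readable by other local users. The default root paths, the `<random dir>/<domain>` layout, the 4096-byte cookie comparison and the sample tree are assumptions, not taken from the page.

```python
import os, stat, tempfile
from pathlib import Path

COOKIE_LIMIT = 4096  # common per-cookie size limit, used only for comparison

def default_roots():
    """Usual Flash Player shared-object roots (assumed; not listed on the page)."""
    home, appdata = Path.home(), os.environ.get("APPDATA")
    roots = [home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",
             home / ".macromedia/Flash_Player/#SharedObjects"]
    if appdata:
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")
    return [r for r in roots if r.is_dir()]

def audit_shared_objects(root):
    """One record per .sol file; layout assumed <root>/<random dir>/<domain>/.../x.sol"""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*.sol")):
        parts = path.relative_to(root).parts
        if len(parts) < 3:          # not under <random dir>/<domain>/
            continue
        st = path.stat()
        findings.append({
            "domain": parts[1],
            "file": "/".join(parts[2:]),
            "bytes": st.st_size,
            "exceeds_cookie_limit": st.st_size > COOKIE_LIMIT,
            # POSIX mode bit only; on Windows inspect the file ACL instead
            "other_readable": bool(st.st_mode & stat.S_IROTH),
        })
    return findings

def build_sample_tree(base):
    """Constructed sample data standing in for a real browser profile."""
    base = Path(base)
    small = base / "AB12CD34" / "app.example" / "prefs.sol"
    big = base / "AB12CD34" / "mail.example" / "client.swf" / "drafts.sol"
    for p, size, mode in ((small, 200, 0o600), (big, 20000, 0o644)):
        p.parent.mkdir(parents=True)
        p.write_bytes(b"\x00" * size)
        p.chmod(mode)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # constructed sample first
        for rec in audit_shared_objects(build_sample_tree(tmp)):
            print(rec)
    for root in default_roots():                 # then any real roots present
        for rec in audit_shared_objects(root):
            print(root, rec)
```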
in Dojo, Backbase, Qooxdoo, and in that jsLINB, I can’t find any elegant way.
Don’t forget the clipboard! The Live Clipboard initiative is turning the clipboard on the client into a VERY useful local storage mechanism. The clipboard actually IS secure, by the way, most browsers prevent applications from even looking at it. The I/O is just controlled entirely by the user.
Yes JameKet you are right, but I know we can access the clipboard from javascript and if we use that with server side scripting like PHP-AJAX it can’t be so secure. Think of it.
Btw I like the live preview. :)
Having read the paper and having worked in web application security, I don’t understand what new information or analysis has been presented in this paper. Is the point to say “hey, look, file system ACLs matter!”? AFAICT there’s no new threat model being described. Had they talked about various approaches available to applications for further securing data stored in these repositories and the key management problems inherent in doing that, they might have had an interesting paper on their hands.
I hate to say it, but it looks like marketing fluff for Foundstone.
Hi Alex,
Thank you for the feedback. You’re correct that we’re not presenting a new threat model here, but rather looking to raise awareness in the web app security field about how AJAX (particularly in terms of storage in this paper) is changing assessments. For testers, just watching HTTP response headers and metatags used to give you a pretty good picture about what data could end up in the user’s cache and there were a few standard places to check for that data. I think this is clearly expanding and changing, and not many people who are performing assessments or incident response work are aware of this (even in some technology that has been around for a while).
If you are interested in feedback on this area I’m available; I created Dojo Storage, AMASS, and other ways of persisting state on the client and have been studying this issue for a while.
Excellent thanks