Thursday, June 15th, 2006

AJAX Storage Security

Category: Articles, Security, Storage

Corey Benninger of Foundstone has written a paper on Ajax Storage Security (pdf):

I wanted to let you know Foundstone has a white paper on their website about AJAX Storage from a security angle. The paper focuses mainly on where Flash shared objects (used in Dojo), and IE persistence user-data, get stored on the local system. It mentions and links to tools security auditors can use to view or edit those files. Unlike normal HTTP cookies, these two methods can save larger amounts of data, are not cleared when you empty your browser cache, and with the Flash objects can be accessed across domains and across web browsers.

Conclusion

Programmers of AJAX applications are continually finding innovative ways of reusing older web technologies. We are likely to see more frameworks and technology that allow increased amounts of data to be saved locally and across domains. This includes plans for future Firefox releases to implement new client-side storage capabilities based on the Web Hypertext Application Technology Working Group (WHATWG) Web Applications 1.0 specifications. Having an understanding of how data is stored and how it can be used is important for understanding the complete picture of the security risks involved.


Posted by Dion Almaer at 8:40 am
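For auditors and incident responders who want to see what Flash shared objects a machine is holding, the following inventory script is an added example, not code from the Foundstone paper or from Dojo. It assumes the commonly documented store layout (`#SharedObjects/<random id>/<domain>/...`) and `.sol` header layout; the sandbox id, domain and file contents in `demo()` are constructed sample data.

```python
import struct
import tempfile
from pathlib import Path

def make_sol(name, body=b""):
    """Build a minimal constructed .sol file (sample data for the demo)."""
    rest = (b"TCSO\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(name))
            + name.encode() + b"\x00\x00\x00\x00" + body)
    return b"\x00\xbf" + struct.pack(">I", len(rest)) + rest

def parse_sol_header(data):
    """Return (object_name, length_ok), or None if this is not a .sol file."""
    # 00 BF | uint32 BE length of the rest | "TCSO" | 6 bytes | uint16 BE name length | name
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    declared = struct.unpack(">I", data[2:6])[0]
    name_len = struct.unpack(">H", data[16:18])[0]
    if 18 + name_len > len(data):
        return None
    name = data[18:18 + name_len].decode("utf-8", "replace")
    return name, declared == len(data) - 6

def inventory(root):
    """List every shared object under root with its owning domain and size."""
    findings = []
    for path in sorted(Path(root).rglob("*.sol")):
        parts = path.relative_to(root).parts
        # Assumed store layout: <random sandbox id>/<domain>/<optional path>/<name>.sol
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        data = path.read_bytes()
        header = parse_sol_header(data)
        findings.append({
            "domain": domain,
            "file": path.name,
            "bytes": len(data),
            "name": header[0] if header else None,
            "intact": bool(header and header[1]),  # False: truncated or edited
        })
    return findings

def demo():
    """Run the inventory over a constructed store in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "ABCD1234" / "app.example.test"
        site.mkdir(parents=True)
        (site / "session.sol").write_bytes(make_sol("session", b"\x02\x00\x03abc"))
        (site / "edited.sol").write_bytes(make_sol("edited")[:-2])  # truncated copy
        return inventory(tmp)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point `inventory()` at the Flash Player `#SharedObjects` directory of the profile under review; a row with `intact` set to `False` marks a file whose declared length no longer matches its size.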

13 Comments »


In Dojo, Backbase, Qooxdoo, and in that jsLINB, I can’t find any elegant way.

Comment by JameKet — June 15, 2006

Don’t forget the clipboard! The Live Clipboard initiative is turning the clipboard on the client into a VERY useful local storage mechanism. The clipboard actually IS secure, by the way, most browsers prevent applications from even looking at it. The I/O is just controlled entirely by the user.

Comment by Jason Kolb — June 15, 2006

Yes JameKet you are right, but I know we can access the clipboard from javascript and if we use that with server side scripting like PHP-AJAX it can’t be so secure. Think of it.
Btw I like the live preview. :)

Comment by redcom — June 15, 2006

Having read the paper and having worked in web application security, I don’t understand what new information or analysis has been presented in this paper. Is the point to say “hey, look, file system ACLs matter!”? AFAICT there’s no new threat model being described. Had they talked about various approaches available to applications for further securing data stored in these repositories and the key management problems inherent in doing that, they might have had an interesting paper on their hands.

I hate to say it, but it looks like marketing fluff for Foundstone.

Comment by Alex Russell — June 15, 2006


Ajax Projects is now based on a wiki engin…

Comment by Hazem Torab — June 16, 2006

Hi Alex,
Thank you for the feedback. You’re correct that we’re not presenting a new threat model here, but rather looking to raise awareness in the web app security field about how AJAX (particularly in terms of storage in this paper) is changing assessments. For testers, just watching HTTP response headers and metatags used to give you a pretty good picture about what data could end up in the user’s cache and there were a few standard places to check for that data. I think this is clearly expanding and changing, and not many people who are performing assessments or incident response work are aware of this (even in some technology that has been around for a while).

Comment by Corey Benninger — June 16, 2006

If you are interested in feedback on this area I’m available; I created Dojo Storage, AMASS, and other ways of persisting state on the client and have been studying this issue for awhile.

Comment by Brad Neuberg — June 16, 2006


Excellent thanks

Comment by Tribulus — October 1, 2008
