Comments on: Simon Willison, @Media Ajax http://ajaxian.com/archives/simon-willison-media-ajax Cleaning up the web with Ajax Thu, 09 Feb 2012 06:55:33 +0000 hourly 1 http://wordpress.org/?v=3.2 By: rbondi http://ajaxian.com/archives/simon-willison-media-ajax/comment-page-1#comment-267722 rbondi Sun, 28 Sep 2008 13:48:42 +0000 http://ajaxian.com/?p=4486#comment-267722 Simon suggests making the crumb an MD5 hash of the session id. Obviously though an attacker could just get a session id by loading any page, and MD5 it themselves. In other words, an MD5 hash of the session id is very guessable. A better way is to use a MAC = Message Authentication Code. This is a hash that uses a cryptographic key. There are many kinds of MACs, but a simple and very effective is just to encrypt your input with a block cipher and use the last block as your crumb (a session id is so small you could use the whole cipher text, not just the last block). Now an attacker can't figure out what your crumb is unless she knows your encryption key (which you'll keep on the server, not on the page). To minimize replay attacks, change the key frequently. For more information, see Bruce Schneier's classic Applied Cryptography (although many MACs were invented after the last edition, including HMAC). A perfectly good block cipher to use would be RC2. Simon suggests making the crumb an MD5 hash of the session id. Obviously though an attacker could just get a session id by loading any page, and MD5 it themselves. In other words, an MD5 hash of the session id is very guessable.

A better way is to use a MAC = Message Authentication Code. This is a hash that uses a cryptographic key. There are many kinds of MACs, but a simple and very effective is just to encrypt your input with a block cipher and use the last block as your crumb (a session id is so small you could use the whole cipher text, not just the last block). Now an attacker can’t figure out what your crumb is unless she knows your encryption key (which you’ll keep on the server, not on the page). To minimize replay attacks, change the key frequently.

For more information, see Bruce Schneier’s classic Applied Cryptography (although many MACs were invented after the last edition, including HMAC). A perfectly good block cipher to use would be RC2.

]]> By: Michael Hendrickx http://ajaxian.com/archives/simon-willison-media-ajax/comment-page-1#comment-267527 Michael Hendrickx Fri, 19 Sep 2008 13:54:59 +0000 http://ajaxian.com/?p=4486#comment-267527 You mispelled the link to Simon's website, it should be: http://simonwillison.net/tags/security/ You mispelled the link to Simon’s website, it should be: http://simonwillison.net/tags/security/

]]> By: x00mario http://ajaxian.com/archives/simon-willison-media-ajax/comment-page-1#comment-267433 x00mario Tue, 16 Sep 2008 16:21:58 +0000 http://ajaxian.com/?p=4486#comment-267433 1/5 <q>Another solution with Ajax - X-Requested-By: XMLHttpRequest tells you its an XHR call, which means it came from the same domain.</q> You must never rely on HTTP header fields as security measurement. <q>httpOnly cookies also not so useful because many attacks don’t rely on attacker seeing cookie.</q> Plus you can read out httpOnly cookies via XHR <q>Crumb is specific to the user and could be a cookie value, in the simplest case.</q> Don't encourage users to use solutions that can be easily circumvented. Also one single XSS makes ANY token based protection useless on the whole site (domain). 1/5

Another solution with Ajax – X-Requested-By: XMLHttpRequest tells you its an XHR call, which means it came from the same domain.
You must never rely on HTTP header fields as security measurement.

httpOnly cookies also not so useful because many attacks don’t rely on attacker seeing cookie.
Plus you can read out httpOnly cookies via XHR

Crumb is specific to the user and could be a cookie value, in the simplest case.
Don’t encourage users to use solutions that can be easily circumvented. Also one single XSS makes ANY token based protection useless on the whole site (domain).

]]> By: kriszyp http://ajaxian.com/archives/simon-willison-media-ajax/comment-page-1#comment-267432 kriszyp Tue, 16 Sep 2008 15:50:37 +0000 http://ajaxian.com/?p=4486#comment-267432 The <a href="http://www.sitepen.com/blog/2008/07/22/windowname-transport/" rel="nofollow">window.name technique</a> is a great alternative to JSONP because it is secure for the consumer and allows the provider to <a href="http://www.sitepen.com/blog/2008/08/18/protected-cross-domain-access-with-dojos-windowname/" rel="nofollow">authorize access</a>. Dojo uses this for a <a href="http://www.sitepen.com/blog/2008/08/01/secure-mashups-with-dojoxsecure/" rel="nofollow">full framework</a> for loading untrusted widgets. Also, for JSON, if you are using proper authorization (like tokens), hijacking is impossible, but if you insist on relying on the browser to provide security for you, it is better to prefix your JSON with {}&& rather than \* or while(true), because it doesn't require any stripping in the JSON eval, but is still an invalid script on it's own. The window.name technique is a great alternative to JSONP because it is secure for the consumer and allows the provider to authorize access. Dojo uses this for a full framework for loading untrusted widgets.
Also, for JSON, if you are using proper authorization (like tokens), hijacking is impossible, but if you insist on relying on the browser to provide security for you, it is better to prefix your JSON with {}&& rather than \* or while(true), because it doesn’t require any stripping in the JSON eval, but is still an invalid script on it’s own.

]]>