This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "AJAX Security Cheat Sheet"

From OWASP
Jump to: navigation, search
(Protect against JSON/JavaScript Hijacking)
m (Point to the official site)
 
(7 intermediate revisions by 4 users not shown)
Line 2: Line 2:
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
<br/>
 
__TOC__{{TOC hidden}}
 
  
= Introduction =
+
Please visit [https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html AJAX Security Cheat Sheet] to see the latest version of the cheat sheet.
 
 
There is a complete lack of guidelines for AJAX.  This document will provide a starting point for AJAX security and will hopefully be updated and expanded reasonably often to provide more detailed information about specific frameworks and technologies.
 
 
 
== Client Side (Javascript) ==
 
 
 
=== Use .innerText instead of .innerHtml ===
 
 
 
The use of .innerText will prevent most XSS problems as it will automatically encode the text.
 
 
 
=== Don't use eval ===
 
 
 
Eval is evil, never use it.  Needing to use eval usually indicates a problem in your design.
 
 
 
=== Canonicalize data to consumer (read: encode before use) ===
 
 
 
When using data to build HTML, script, CSS, XML, JSON, etc. make sure you take into account how that data must be presented in a literal sense to keep it's logical meaning.  Data should be properly encoded before used in this manner to prevent injection style issues, and to make sure the logical meaning is preserved.
 
 
 
[[:Category:OWASP_Encoding_Project|Check out the OWASP Encoding Project.]]
 
 
 
=== Don't rely on client logic for security ===
 
 
 
Least ye have forgotten the user controls the client side logic.  I can use a number of browser plugging to set breakpoints, skip code, change values, etc.  Never rely on client logic.
 
 
 
=== Don't rely on client business logic ===
 
 
 
Just like the security one, make sure any interesting business rules/logic is duplicated on the server side less a user bypass needed logic and do something silly, or worse, costly.
 
 
 
=== Avoid writing serialization code ===
 
 
 
This is hard and even a small mistake can cause large security issues.  There are already a lot of frameworks to provide this functionality.  Take a look at the [http://www.json.org/ JSON page] for links.
 
 
 
=== Avoid building XML or JSON dynamically ===
 
 
 
Just like building HTML or SQL you will cause XML injection bugs, so stay way from this or at least use an encoding library or safe JSON or XML library to make attributes and element data safe.
 
 
 
* [[XSS (Cross Site Scripting) Prevention Cheat Sheet|XSS (Cross Site Scripting) Prevention]]
 
* [[SQL Injection Prevention Cheat Sheet|SQL Injection Prevention]]
 
 
 
=== Never transmit secrets to the client ===
 
 
 
Anything the client knows the user will also know, so keep all that secret stuff on the server please.
 
 
 
=== Don't perform encryption in client side code ===
 
 
 
Use TSL/SSL and encrypt on the server!
 
 
 
=== Don't perform security impacting logic on client side ===
 
 
 
This is the overall one that gets me out of trouble in case I missed something :)
 
 
 
== Server Side ==
 
=== Protect against JSON Hijacking for Older Browsers ===
 
====  Use CSRF Protection ====
 
* [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Cross-Site Request Forgery (CSRF) Prevention]]
 
 
 
==== Always return JSON with an Object on the outside ====
 
 
 
Always have the outside primitive be an object for JSON strings:
 
 
 
'''Exploitable:'''
 
<pre>
 
[{"object": "inside an array"}]
 
</pre>
 
 
 
'''Not exploitable:'''
 
<pre>
 
{"object": "not inside an array"}
 
</pre>
 
 
 
'''Also not exploitable:'''
 
<pre>
 
{"result": [{"object": "inside an array"}]}
 
</pre>
 
 
 
=== Avoid writing serialization code. Remember ref vs. value types! ===
 
 
 
Look for an existing library that has been reviewed.
 
 
 
=== Services can be called by users directly ===
 
 
 
Even though you only expect your AJAX client side code to call those services the users can too.  Make sure you validate inputs and treat them like they are under user control (because they are!).
 
 
 
=== Avoid building XML or JSON by hand, use the framework ===
 
 
 
Use the framework and be safe, do it by hand and have security issues.
 
 
 
=== Use JSON And XML Schema for Webservices ===
 
 
 
You need to use a 3rd party library to validate web services.
 
 
 
== Authors and Primary Editors  ==
 
 
 
Til Mas<br/>
 
Michael Eddington
 
 
 
== Other Cheatsheets ==
 
 
 
{{Cheatsheet_Navigation_Body}}
 
[[Category:Cheatsheets]]
 
[[Category:OWASP AJAX Security Project]]
 
[[Category:Cheetsheet]]
 

Latest revision as of 13:54, 15 July 2019

Cheatsheets-header.jpg

The Cheat Sheet Series project has been moved to GitHub!

Please visit AJAX Security Cheat Sheet to see the latest version of the cheat sheet.