Post on 06-May-2015
Secure MashupsKris Zyp
Introduction
Copyright SitePen, Inc. 2008. All Rights Reserved
Interconnectedness
•Web continues to grow in interconnectedness of data
Copyright SitePen, Inc. 2008. All Rights Reserved
Overview
•More services and data sources
•More consumers want utilize this services
•Tools
-ADsafe
-Caja
-dojox.secure
Copyright SitePen, Inc. 2008. All Rights Reserved
Techniques of mashups
•Server Side Mashup
Copyright SitePen, Inc. 2008. All Rights Reserved
Techniques of mashups
•Client Side Mashup
Copyright SitePen, Inc. 2008. All Rights Reserved
Trust between mashup participants
•Exploit between participants
-Consumer gaining excess privileges
-Services exploiting Consumers
Copyright SitePen, Inc. 2008. All Rights Reserved
Server Side Mashups
•Public Content - Easy
•Protected Content - Authorization necessary
Copyright SitePen, Inc. 2008. All Rights Reserved
OAuth
Copyright SitePen, Inc. 2008. All Rights Reserved
Client Side Mashups
•Directly utilize broker (the browser)
•Direct communication
•Exploits:
-Cross site scripting
-Cross site request forgery
Copyright SitePen, Inc. 2008. All Rights Reserved
Providing services for mashups
•Publicly accessible resources are simple, provide as many transports as possible
•Protected resources more complicated
Copyright SitePen, Inc. 2008. All Rights Reserved
Services protecting resources
•Authentication and authorization MUST be differentiated
•Cross site request forgery is a major exploit
•Cookies should be used for authentication
•Authorization
-May require user interaction
-May be based on origin (Referer header or Access-Control-Origin header)
Copyright SitePen, Inc. 2008. All Rights Reserved
JSON Hijacking
•CSRF Vulnerability + top-level Arrays = Exploit
•Modified JSON
-Commenting
-{}&&[...]
•Best to have good CSRF protection
Copyright SitePen, Inc. 2008. All Rights Reserved
Client Side Transports: JSONP
GET /resource/?callback=myfunc
myfunc({“foo”:”bar”});
Copyright SitePen, Inc. 2008. All Rights Reserved
Client Side Transports: Fragment Identifier Messaging
Outer Framehttp://mashup.com/
Inner Framehttp://service.com/#message_for_the_outer_frame
Copyright SitePen, Inc. 2008. All Rights Reserved
Client Side Transport: Subspace
•Sandboxed JSONP
•Very complicated, more requests
•DNS requirements
Copyright SitePen, Inc. 2008. All Rights Reserved
Client Side Transport: window.name
•Data is loaded in a sandboxed frame, the mashup is protected from malicious code
•Client side handling
-UI interaction possible
•Efficient
Copyright SitePen, Inc. 2008. All Rights Reserved
Client Side Transport: postMessage
•Iframe based
•Allows client side handling
-User interaction can be utilized for authorization of resources
•Efficient transport
•Conventions/standards be developed for proxying requests
Copyright SitePen, Inc. 2008. All Rights Reserved
Client Side Transport: Native XHR with W3C CS-AC
•Coming soon
•Efficient
•Secure, no code execution
•More complicated authorization
Copyright SitePen, Inc. 2008. All Rights Reserved
Third party widgets
•We want third part code to execute, but in a controlled manner
•Protect the environment, provide access to a subset of the DOM
•Restrict JavaScript features
Copyright SitePen, Inc. 2008. All Rights Reserved
ADsafe
•Disables features in JavaScript that prevent containment/sandboxing
-Global variables
- [index], this, ==, !=
-Properties:
-apply,call,callee,caller,constructor,eval, prototype,this,unwatch,valueOf,watch, and anything starting or ending with __
-with, eval
Copyright SitePen, Inc. 2008. All Rights Reserved
ADsafe
•ADsafe compliant JavaScript can only access objects that are “given” to it.
•ADsafe scripts can be safely sandboxed, and one can control what objects are accessible.
Copyright SitePen, Inc. 2008. All Rights Reserved
Caja
•Object capability version of JavaScript (same idea as ADsafe)
•Larger set of language features (less major restrictions)
•Uses code translation
Copyright SitePen, Inc. 2008. All Rights Reserved
Dojo Secure
•Full framework for loading, validating, and providing a safe set of library functions and safe access to the DOM.
-Provides loading registry with different loading mechanims
-Uses ADsafe style language constraints
-Provides |this| within class constructors
Copyright SitePen, Inc. 2008. All Rights Reserved
Dojo Secure
-Provides access to the DOM (a facade), with the standard API, that is restricted
-Provides a library API (with no namespacing, no need in a global-less environment)
•Full framework: loading, validation, and DOM sandboxing
Copyright SitePen, Inc. 2008. All Rights Reserved
Using dojox.secure
//Register cross-domain loading mechanismdojox.io.xhrWindowNamePlugin("http://siteA.com");//Create sandboxmySandbox = dojox.secure.sandbox(dojo.byId("sandbox"));//Securely load, validate, and evaluate HTML or JavaScriptmySandbox.loadJS("http://siteA.com/widget.js");mySandbox.loadHTML("http://siteA.com/widget.html");
Copyright SitePen, Inc. 2008. All Rights Reserved
Accompanied by Demo
dojox.secure
•Create HTML or JavaScript
-element and document provides access to the DOM
-innerHTML and DOM methods available
•Follow sanboxing rules (avoid restricted operators and globals)
•Full library available:
-query, byId, style, forEach, Class, fromJson, etc.
•Use Class to build methods with this operator
Secure Mashups
Properly differentiate authorization and
authentication
Avoid insecure loading mechanisms
and cookie only based authorization
Copyright SitePen, Inc. 2008. All Rights Reserved
dojox.secure to create client-side mashups
•Mutually suspicious components can coexist
•Eliminate vulnerabilities between widgets
Copyright SitePen, Inc. 2008. All Rights Reserved
Secure Mashups
Copyright SitePen, Inc. 2008. All Rights Reserved