Web Application Security Issues - World Wide Web Consortium (W3C)
Transcript of Web Application Security Issues - World Wide Web Consortium (W3C)
![Page 1: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/1.jpg)
Web Application Security Issues
![Page 2: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/2.jpg)
What happens when people start building security-critical applications on top of HTML+CSS+JavaScript?
![Page 3: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/3.jpg)
What can we learn from that for the technologies that we design?
![Page 4: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/4.jpg)
1. Widgets
2. Mash-ups
![Page 5: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/5.jpg)
1. Widgets
![Page 6: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/6.jpg)
e.g., MacOS Dashboard
![Page 7: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/7.jpg)
![Page 8: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/8.jpg)
![Page 9: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/9.jpg)
![Page 10: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/10.jpg)
convenient
safe
secure
![Page 11: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/11.jpg)
convenient
safe
secure
FAIL
![Page 12: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/12.jpg)
http://flickr.com/photos/good-karma/571971015/
![Page 13: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/13.jpg)
XMLHttpRequest
to any destination, with cookies
![Page 14: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/14.jpg)
widget.system
arbitrary shell scripts
![Page 15: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/15.jpg)
Widget plugins: Extending what
JavaScript can do.
![Page 16: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/16.jpg)
A Widget can control your system.
![Page 17: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/17.jpg)
Your system’s security depends on the correctness of JavaScript code.
![Page 18: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/18.jpg)
Attacker’s goal: Control the Widget’s DOM.
![Page 19: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/19.jpg)
Controlling the DOM means executing arbitrary code.
![Page 20: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/20.jpg)
Code Quality?
![Page 21: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/21.jpg)
Parsing a number.
![Page 22: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/22.jpg)
featured download in January 2008
![Page 23: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/23.jpg)
![Page 24: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/24.jpg)
update checks: JSON
![Page 25: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/25.jpg)
JavaScript Object
Notation
![Page 26: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/26.jpg)
![Page 27: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/27.jpg)
this._checkVersion (transport. responseText. evalJSON());
![Page 28: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/28.jpg)
sanity checks turned off by
default
![Page 29: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/29.jpg)
eval()
![Page 30: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/30.jpg)
this._checkVersion (transport. responseText. evalJSON());
![Page 31: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/31.jpg)
Executing arbitrary code retrieved through HTTP.
![Page 32: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/32.jpg)
Executing arbitrary code retrieved through HTTP.
FAIL
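The `evalJSON()` call on the previous slides is the whole problem in one line: the response body is handed to `eval()`, so anything the server (or whoever can alter the HTTP response) sends is run with the widget's privileges. The block below is an added example, not code from the slides or from the widget they discuss; the response bodies are constructed, and `parseUpdateResponse`, `evalRunsCode` and `isNewer` are hypothetical names. It puts the eval-based idiom next to a `JSON.parse` replacement that also checks the shape of the result before any version logic sees it.

```javascript
// Added example (not code from the slides or from the widget they discuss):
// evaluating an HTTP response body as JavaScript versus parsing it as JSON.
// Function names below are hypothetical.

// Constructed response bodies, standing in for transport.responseText.
const HONEST_RESPONSE = '{"version": "1.2.3", "url": "https://example.invalid/update"}';
// Valid JavaScript, not valid JSON: an eval-based parser runs it, JSON.parse rejects it.
// The only thing it does here is set a marker, so the effect can be observed.
const HOSTILE_RESPONSE =
  '(function () { globalThis.sideEffect = "ran"; return {"version": "9.9.9"}; })()';

// The Prototype-era evalJSON idiom: wrap the text in parentheses and eval it.
// Whatever arrived over HTTP is executed in the widget's context.
function evalJSON(text) {
  return eval('(' + text + ')');
}

// Does evaluating this body execute code? Reset the marker, evaluate, and
// report whether the marker changed.
function evalRunsCode(text) {
  globalThis.sideEffect = undefined;
  try { evalJSON(text); } catch (e) { /* a hostile body may also throw */ }
  return globalThis.sideEffect === 'ran';
}

// Hardened replacement: JSON.parse accepts only the JSON grammar and never
// executes anything. The parsed value is then checked against the expected
// shape before _checkVersion-style code is allowed to act on it.
function parseUpdateResponse(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    return null;                       // not JSON: treat as "no update"
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return null;
  if (typeof data.version !== 'string' || !/^\d+(\.\d+){1,2}$/.test(data.version)) return null;
  if (typeof data.url !== 'string' || !data.url.startsWith('https://')) return null;
  return { version: data.version, url: data.url };
}

// Version comparison on the validated shape only (dotted numeric versions).
function isNewer(candidate, installed) {
  const a = candidate.split('.').map(Number);
  const b = installed.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return false;
}
```

`JSON.parse` existed as a native in browsers from 2009 onwards; the slides predate that, which is exactly why the string-based API "invited" `eval`. The shape check matters independently of the parser: a well-formed JSON object with a `url` pointing at an `http://` download is still an update the widget should not fetch.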
![Page 33: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/33.jpg)
Writing a string to the
user interface.
![Page 34: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/34.jpg)
![Page 35: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/35.jpg)
![Page 36: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/36.jpg)
privileged
![Page 37: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/37.jpg)
.innerHTML
![Page 38: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/38.jpg)
Script injection through e-mail
possible.
![Page 39: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/39.jpg)
Just put HTML into a Subject.
![Page 40: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/40.jpg)
Script injection through e-mail
possible.
FAIL
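The slides' point is that a privileged widget assigned an e-mail Subject to `.innerHTML`, so markup in the header became part of the widget's DOM. The block below is an added example, not code from the slides or from the mail widget they describe; the sample Subject is constructed and the function names are hypothetical. It shows the concatenation pattern beside two hardened forms: escaping before building the string, and never going through a markup string at all.

```javascript
// Added example, not code from the slides or from the mail widget they
// describe: rendering an untrusted e-mail Subject into a widget's UI.
// Function names are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can end text, open a tag, or break out of
// an attribute value. Already-escaped text is escaped again, which is the
// correct (if ugly) behaviour for a function that promises "this is text".
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern the slides call out: the Subject is concatenated into markup
// that is then assigned to innerHTML, so tags inside the Subject become part
// of the widget's DOM, in the widget's privileged context.
function renderSubjectUnsafe(subject) {
  return '<li class="subject">' + subject + '</li>';
}

// Hardened variant 1: escape before concatenating. The result may still be
// assigned to innerHTML, because the untrusted part can no longer form a tag
// or an attribute.
function renderSubjectEscaped(subject) {
  return '<li class="subject">' + escapeHtml(subject) + '</li>';
}

// Hardened variant 2 (browser only; Node has no DOM, so it is not run here):
// create the element and set textContent, which never parses markup.
function renderSubjectTextNode(doc, subject) {
  const li = doc.createElement('li');
  li.className = 'subject';
  li.textContent = subject;
  return li;
}

// Test-suite style check: does the untrusted part of the rendered output
// still contain something that parses as a tag? Looks only between the
// wrapper's own <li> and </li>.
function containsTag(renderedLi) {
  const inner = renderedLi.slice('<li class="subject">'.length, -'</li>'.length);
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample: a message whose Subject header carries HTML.
const SAMPLE_SUBJECT = 'Invoice #42 <script>run()</script>';
```

The two hardened variants differ in where the trust boundary is enforced: `escapeHtml` makes the string safe for one specific context (HTML text content), whereas `textContent` removes the need to reason about contexts at all, which is the better default for an API to invite.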
![Page 41: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/41.jpg)
Code Quality?
![Page 42: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/42.jpg)
![Page 43: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/43.jpg)
Code Quality?
FAIL
![Page 44: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/44.jpg)
Widgets enable
creativity
![Page 45: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/45.jpg)
Widgets enable
creativity
GOOD!
![Page 46: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/46.jpg)
But: We need security
despite bad code quality.
![Page 47: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/47.jpg)
What do APIs invite
programmers to do?
![Page 48: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/48.jpg)
2. Mash-ups
![Page 49: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/49.jpg)
Client-side code processes confidential
data.
![Page 50: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/50.jpg)
http://flickr.com/photos/onaliencinema/298243188/
http://flickr.com/photos/nickdawson/1484934955/
![Page 51: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/51.jpg)
http://flickr.com/photos/onaliencinema/298243188/
http://flickr.com/photos/nickdawson/1484934955/
![Page 52: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/52.jpg)
http://flickr.com/photos/mwboeckmann/2313632431/
![Page 53: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/53.jpg)
<script>
XMLHttpRequest
JSONRequest
XDomainRequest
postMessage
![Page 54: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/54.jpg)
<script src="http://good.foo/..."/>
<script src="http://evil.foo/..."/>
![Page 55: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/55.jpg)
two sites, one DOM
![Page 56: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/56.jpg)
widely popular!
![Page 57: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/57.jpg)
<script src="http://good.foo/..."/>
<script src="http://evil.foo/..."/>
FAIL
![Page 58: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/58.jpg)
XMLHttpRequest
place HTTP requests from browser-side
code
![Page 59: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/59.jpg)
cross-site requests: XMLHttpRequest Level 2
access-control
![Page 60: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/60.jpg)
XML data
responseXML
![Page 61: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/61.jpg)
non-XML formats?
![Page 62: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/62.jpg)
responseText / responseBody
![Page 63: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/63.jpg)
responseText / responseBody
raw data!
![Page 64: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/64.jpg)
non-XML formats?
FAIL
![Page 65: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/65.jpg)
JSONRequest
place HTTP request from client-side code
![Page 66: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/66.jpg)
application/jsonrequest
![Page 67: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/67.jpg)
anonymous
![Page 68: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/68.jpg)
GET / POST
![Page 69: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/69.jpg)
API: object is passed to call-back function.
![Page 70: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/70.jpg)
advanced RESTful APIs?
![Page 71: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/71.jpg)
advanced RESTful APIs?
FAIL
![Page 72: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/72.jpg)
XDomainRequest
cross-site HTTP requests
![Page 73: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/73.jpg)
anonymous
![Page 74: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/74.jpg)
GET / POST
![Page 75: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/75.jpg)
advanced RESTful APIs?
FAIL
![Page 76: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/76.jpg)
text/plain only
API string-based
![Page 77: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/77.jpg)
invites eval+JSON
![Page 78: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/78.jpg)
two sites, one DOM
![Page 79: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/79.jpg)
invites eval+JSON
FAIL
![Page 80: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/80.jpg)
postMessage
cross-window communication
![Page 81: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/81.jpg)
cause a “message” event in another DOM
![Page 82: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/82.jpg)
“just strings”
![Page 83: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/83.jpg)
how about structured data?
![Page 84: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/84.jpg)
invites eval+JSON
![Page 85: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/85.jpg)
two sites, one DOM
![Page 86: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/86.jpg)
invites eval+JSON
FAIL
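Both the string-only XDomainRequest slides and the postMessage slides make the same point: an API that hands the receiver "just strings" invites `eval` to get structure back, and a cross-window message with no sender check turns two sites into one DOM. The block below is an added example, not code from the slides; the origin allow-list, the message type, the sample events and the function names are all hypothetical. It shows a receiving-side `message` handler that checks `event.origin`, recovers structure with `JSON.parse` instead of `eval`, and validates the shape, next to the sending side naming its target origin.

```javascript
// Added example, not code from the slides: a "message" handler that treats
// postMessage payloads as data rather than code. The origin allow-list, the
// message type and the function names are hypothetical.

const TRUSTED_ORIGINS = new Set(['https://good.foo']);
const MAX_QUERY_LENGTH = 200;

// Receiving side. In a browser this is wired up as
//   window.addEventListener('message', (ev) => handleMessage(ev));
// Here it is exercised with constructed event-like objects ({origin, data}).
// Returns the validated message, or null when the event must be ignored.
function handleMessage(event) {
  // 1. Only sites we chose to cooperate with may drive this window. Without
  //    this check any page that can obtain a reference to the window can send.
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  // 2. The payload is "just a string"; structure comes from JSON.parse, never
  //    from eval(), so a string that is valid JavaScript but not JSON is rejected.
  if (typeof event.data !== 'string') return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null;
  }
  // 3. Validate the shape before any other code acts on it.
  if (msg === null || typeof msg !== 'object') return null;
  if (msg.type !== 'setQuery' || typeof msg.query !== 'string') return null;
  return { type: 'setQuery', query: msg.query.slice(0, MAX_QUERY_LENGTH) };
}

// Sending side: serialise, and name the recipient's origin explicitly so the
// browser drops the message if the target frame has since navigated elsewhere.
// In a browser: otherWindow.postMessage(out.payload, out.targetOrigin).
function buildOutgoing(query, targetOrigin) {
  return { payload: JSON.stringify({ type: 'setQuery', query }), targetOrigin };
}

// Constructed events: the same payload from a trusted and an untrusted origin,
// and a body that is valid JavaScript but not JSON.
const FROM_GOOD = { origin: 'https://good.foo', data: '{"type":"setQuery","query":"w3c"}' };
const FROM_EVIL = { origin: 'https://evil.foo', data: '{"type":"setQuery","query":"w3c"}' };
const NOT_JSON  = { origin: 'https://good.foo', data: '(function () { return 1; })()' };
```

The origin check and the parser choice address different failures: without the first, `evil.foo` can drive the widget with perfectly well-formed JSON; without the second, `good.foo` (or anyone who has compromised it) can drive the widget with anything at all. A string-only API pushes both checks onto every author, which is the design observation the slides are making.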
![Page 87: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/87.jpg)
The good news: probably fixable
![Page 88: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/88.jpg)
![Page 89: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/89.jpg)
Lots of people write JavaScript code.
![Page 90: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/90.jpg)
Widgets, Mash-ups and Web Applications let
more people be creative.
![Page 91: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/91.jpg)
BUT
![Page 92: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/92.jpg)
They need sane and safe
APIs.
![Page 93: Web Application Security Issues - World Wide Web Consortium (W3C)](https://reader035.fdocuments.us/reader035/viewer/2022071600/613d23ff736caf36b759cb95/html5/thumbnails/93.jpg)
Let’s consider that in spec
development.