Secure Mashups Kris Zyp Introduction

Introduction

Interconnectedness Web continues to grow in interconnectedness of data

Web continues to grow in interconnectedness of data

Overview More services and data sources More consumers want utilize this services Tools ADsafe Caja dojox.secure

More services and data sources

More consumers want utilize this services

Tools

ADsafe

Caja

dojox.secure

Techniques of mashups Server Side Mashup

Server Side Mashup

Techniques of mashups Client Side Mashup

Client Side Mashup

Trust between mashup participants Exploit between participants Consumer gaining excess privileges Services exploiting Consumers

Exploit between participants

Consumer gaining excess privileges

Services exploiting Consumers

Server Side Mashups Public Content - Easy Protected Content - Authorization necessary

Public Content - Easy

Protected Content - Authorization necessary

OAuth

Client Side Mashups Directly utilize broker (the browser)‏ Direct communication Exploits: Cross site scripting Cross site request forgery

Directly utilize broker (the browser)‏

Direct communication

Exploits:

Cross site scripting

Cross site request forgery

Providing services for mashups Publicly accessible resources are simple, provide as many transports as possible Protected resources more complicated

Publicly accessible resources are simple, provide as many transports as possible

Protected resources more complicated

Services protecting resources Authentication and authorization MUST be differentiated Cross site request forgery is a major exploit Cookies should be used for authentication Authorization May require user interaction May be based on origin (Referer header or Access-Control-Origin header)‏

Authentication and authorization MUST be differentiated

Cross site request forgery is a major exploit

Cookies should be used for authentication

Authorization

May require user interaction

May be based on origin (Referer header or Access-Control-Origin header)‏

JSON Hijacking CSRF Vulnerability + top-level Arrays = Exploit Modified JSON Commenting {}&&[...] Best to have good CSRF protection

CSRF Vulnerability + top-level Arrays = Exploit

Modified JSON

Commenting

{}&&[...]

Best to have good CSRF protection

Client Side Transports: JSONP GET /resource/?callback=myfunc myfunc({“foo”:”bar”});

GET /resource/?callback=myfunc

myfunc({“foo”:”bar”});

Client Side Transports: Fragment Identifier Messaging Outer Frame http://mashup.com / Inner Frame http://service.com /#message_for_the_outer_frame

Outer Frame

http://mashup.com /

Client Side Transport: Subspace Sandboxed JSONP Very complicated, more requests DNS requirements

Sandboxed JSONP

Very complicated, more requests

DNS requirements

Client Side Transport: window.name Data is loaded in a sandboxed frame, the mashup is protected from malicious code Client side handling UI interaction possible Efficient

Data is loaded in a sandboxed frame, the mashup is protected from malicious code

Client side handling

UI interaction possible

Efficient

Client Side Transport: postMessage Iframe based Allows client side handling User interaction can be utilized for authorization of resources Efficient transport Conventions/standards be developed for proxying requests

Iframe based

Allows client side handling

User interaction can be utilized for authorization of resources

Efficient transport

Conventions/standards be developed for proxying requests

Client Side Transport: Native XHR with W3C CS-AC Coming soon Efficient Secure, no code execution More complicated authorization

Coming soon

Efficient

Secure, no code execution

More complicated authorization

Third party widgets We want third part code to execute, but in a controlled manner Protect the environment, provide access to a subset of the DOM Restrict JavaScript features

We want third part code to execute, but in a controlled manner

Protect the environment, provide access to a subset of the DOM

Restrict JavaScript features

ADsafe Disables features in JavaScript that prevent containment/sandboxing Global variables [index], this, ==, != Properties: apply,call,callee,caller,constructor,eval, prototype,this,unwatch,valueOf,watch, and anything starting or ending with __ with, eval

Disables features in JavaScript that prevent containment/sandboxing

Global variables

[index], this, ==, !=

Properties:

apply,call,callee,caller,constructor,eval, prototype,this,unwatch,valueOf,watch, and anything starting or ending with __

with, eval

ADsafe ADsafe compliant JavaScript can only access objects that are “given” to it. ADsafe scripts can be safely sandboxed, and one can control what objects are accessible.

ADsafe compliant JavaScript can only access objects that are “given” to it.

ADsafe scripts can be safely sandboxed, and one can control what objects are accessible.

Caja Object capability version of JavaScript (same idea as ADsafe)‏ Larger set of language features (less major restrictions)‏ Uses code translation

Object capability version of JavaScript (same idea as ADsafe)‏

Larger set of language features (less major restrictions)‏

Uses code translation

Dojo Secure Full framework for loading, validating, and providing a safe set of library functions and safe access to the DOM. Provides loading registry with different loading mechanims Uses ADsafe style language constraints Provides |this| within class constructors

Full framework for loading, validating, and providing a safe set of library functions and safe access to the DOM.

Provides loading registry with different loading mechanims

Uses ADsafe style language constraints

Provides |this| within class constructors

Dojo Secure Provides access to the DOM (a facade), with the standard API, that is restricted Provides a library API (with no namespacing, no need in a global-less environment)‏ Full framework: loading, validation, and DOM sandboxing

Provides access to the DOM (a facade), with the standard API, that is restricted

Provides a library API (with no namespacing, no need in a global-less environment)‏

Full framework: loading, validation, and DOM sandboxing

Using dojox.secure //Register cross-domain loading mechanism dojox.io.xhrWindowNamePlugin(" http://siteA.com "); //Create sandbox mySandbox = dojox.secure.sandbox(dojo.byId("sandbox")); //Securely load, validate, and evaluate HTML or JavaScript mySandbox.loadJS(" http://siteA.com/widget.js "); mySandbox.loadHTML(" http://siteA.com/widget.html ");

//Register cross-domain loading mechanism

dojox.io.xhrWindowNamePlugin(" http://siteA.com ");

//Create sandbox

mySandbox = dojox.secure.sandbox(dojo.byId("sandbox"));

//Securely load, validate, and evaluate HTML or JavaScript

mySandbox.loadJS(" http://siteA.com/widget.js ");

mySandbox.loadHTML(" http://siteA.com/widget.html ");

dojox.secure Create HTML or JavaScript element and document provides access to the DOM innerHTML and DOM methods available Follow sanboxing rules (avoid restricted operators and globals)‏ Full library available: query, byId, style, forEach, Class, fromJson , etc. Use Class to build methods with this operator Accompanied by Demo

Create HTML or JavaScript

element and document provides access to the DOM

innerHTML and DOM methods available

Follow sanboxing rules (avoid restricted operators and globals)‏

Full library available:

query, byId, style, forEach, Class, fromJson , etc.

Use Class to build methods with this operator

Secure Mashups

Properly differentiate authorization and authentication

Avoid insecure loading mechanisms and cookie only based authorization

dojox.secure to create client-side mashups Mutually suspicious components can coexist Eliminate vulnerabilities between widgets

Mutually suspicious components can coexist

Eliminate vulnerabilities between widgets

Secure Mashups