2012 03 27_philly_jug_rewrite_static
  1. Philly Java Users Group
     Security and Usability: URL-rewriting for the next-generation web user
     Lincoln Baxter, III, Senior Software Engineer, Founder, Red Hat, Inc.
     http://ocpsoft.org/
     2012-03-27
     “Simpler is better.”
  2. What is URL-rewriting?
     Any manipulation of the HTTP Request/Response life-cycle.
  3. Mind the gap.
     ● Gap #1: “Relocated” or missing resources
     ● Gap #2: Readability & Clutter
     ● Gap #3: Revealing sensitive information
     ● Gap #4: Formatting of useful information
     ● Gap #5: Validation of user input
     ● … (and actually many more)
  4. One big thing.
     “Without URL-rewriting, our life would be $#@!ing hell.”
  5. Gap #1: “Relocated” or missing resources
  6. 404: slide not found
  7. wtf?
  8. robo.to
  9. github.com
  10. blippy.com
  11. What does it mean?
  12. Distraction from failure.
  13. 1. The content existed and now does not.
      2. The content never existed, fool.
  14. Translated.
      “Either the website sucks or you suck, and neither is going to make anyone happy.”
  15. 2 ways to have a magical 404 experience ...
  16. 301 Moved Permanently
      302 Moved Temporarily
  17. Google says, “Redirect to the new URL for at least 180 days.”
  18. Gap #2: URL-readability
      http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846
      wtf?
  19. We are friends.
  20. http://amazon.com/shop/kindle-touch
  21. Tired of trash in your face?
      http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846
  22. There's plenty of space out in space!
      http://amazon.com/shop/kindle-touch?tracker=AAasfds3r32ydkl6fd854kdjf84hfidbdgv64n0curnoxydkl6fd854kdjf84hfidbdgv64n0ge8nfbh...
  23. Gap #3: Revealing sensitive information
      Visit: http://microsoft.com/genuine/downloads/faq.aspx
      You will be redirected to a page without .aspx suffix
  24. .xhtml .do .asp .jsp / .php .cgi .jsf
  25. A good magician never reveals the implementation.
  26. Gap #4: Formatting of useful information
      http://example.com/buy/1/shoes/store
  27. Be cool.
      http://example.com/store/shoes/1
      http://example.com/store/shoes/1/buy
      http://example.com/store?buy=true&category=shoes&item=135
  28. Why are people afraid of buying used cars?
  29. You never know what you are going to get.
  30. Trust me?
      http://www.youtube.com/watch?v=oHg5SJYRHA0
  31. Build trust by reducing clutter & using clean URLs
      Before: http://example.com/news.xhtml?p=my-new-post
      After: http://example.com/news/my-new-post/
  32. Gap #5: Validation of user input
      URLs are user input and your website is vulnerable!
  33. Aspect Security says:
      Two of three recent security vulnerabilities in web-frameworks are URL-based. **
      ** https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
  34. Real Life...
      http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp
  35. http://llbean.com/kids
  36. Vulnerable! wtf?
      http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp
      validate? Cluttered!
  37. Mind the gap.
      ● Gap #1: “Relocated” resources (404)
      ● Gap #2: Readability & Clutter
      ● Gap #3: Revealing sensitive information
      ● Gap #4: Formatting of useful information
      ● Gap #5: Validation of user input
  38. URL-rewriting
  39. Basic things we can do with all types of URL-rewriting
      ● Redirection & Relocation
      ● Parameterization: /store/{category}/{item}
      ● Simple URL validation: /store/$attack-%3/begin
      ● Add/Remove Headers: Accept-Charset: UTF-8
  40. URL-rewriting: Proxy based (Non-Java)
  41. Inbound only.
  42. URL-rewriting: Filter Based (Native Java)
  43. blatant lie
      “I have no personal investment in any of these tools.” - Me
  44. Cool things we can do with Filter-based Java URL-rewriting
      ● Transformation and Canonicalization: example.com/project/FOO → example.com/project/foo
      ● Complex Validation
      ● Data Conversion
      ● Request interception
      ● And more...
      .when(Path.matches("/store/product/{pid}")
            .where("pid")
            .bindsTo(El.property("productBean.product"))
            .convertedBy(ProductConverter.class)
            .validatedBy(ProductValidator.class))
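As an added example (not code from the talk or from the Rewrite project), a plain Servlet filter that does by hand what slides 39 and 44 describe: relocate an old URL with a 301, keep the .xhtml implementation out of the address bar, and validate the user-supplied path segment before it is used anywhere. The class name, the paths and the slug pattern are assumptions.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not OCPSoft Rewrite), plain Servlet API only:
//  Gap #1   the old news.xhtml?p=... location answers 301 to the clean URL;
//  Gap #2/3 /news/{slug}/ is forwarded to news.xhtml internally, so the
//           .xhtml suffix never reaches the address bar;
//  Gap #5   {slug} is user input: it must match a whitelist pattern before it
//           is used anywhere, else the request falls through (and 404s).
// Map the filter for the REQUEST dispatcher only, or the forward re-enters it.
public class CleanUrlFilter implements Filter {
    private static final String INTERNAL_NEWS = "/news.xhtml";  // constructed example
    private static final Pattern CLEAN_NEWS = Pattern.compile("^/news/([a-z0-9-]{1,64})/?$");

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ctx = request.getContextPath();
        String path = request.getRequestURI().substring(ctx.length());

        // Gap #1: permanent redirect, built only from a slug that passed validation.
        String slug = request.getParameter("p");
        if (INTERNAL_NEWS.equals(path) && slug != null
                && CLEAN_NEWS.matcher("/news/" + slug + "/").matches()) {
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", ctx + "/news/" + slug + "/");
            return;
        }
        // Gaps #2, #3, #5: validated clean URL, forwarded to the hidden page.
        Matcher m = CLEAN_NEWS.matcher(path);
        if (m.matches()) {
            request.getRequestDispatcher(INTERNAL_NEWS + "?p=" + m.group(1)).forward(req, res);
            return;
        }
        chain.doFilter(req, res);  // everything else: untouched
    }
}
```

A request for /news.xhtml?p=my-new-post receives 301 to /news/my-new-post/, and that clean URL is then served by news.xhtml without the suffix ever being visible; a slug containing anything outside [a-z0-9-] matches neither branch and is left to the application.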
  45. Some things you should NOT do with Java URL-rewriting
      If it needs to run when your app doesn't... you probably don't want to put it in your app.
  46. Demos (It's *barcode time)
  47. Access Control / Timer Demo ( http://access-rewrite.rhcloud.com/ )
      ● Problem #1: “Relocated” resources (404)
      ● Problem #2: Readability & Clutter
      ● Problem #3: Revealing sensitive information
      ● Problem #4: Formatting useful information
      ● Problem #5: Validation of user input
  48. Rest Validation/Conversion Demo ( http://rest-rewrite.rhcloud.com )
      ● Problem #1: “Relocated” resources (404)
      ● Problem #2: Readability & Clutter
      ● Problem #3: Revealing sensitive information
      ● Problem #4: Formatting useful information
      ● Problem #5: Validation of user input
  49. Composite Query Demo ( http://composite-rewrite.rhcloud.com )
      ● Problem #1: “Relocated” resources (404)
      ● Problem #2: Readability & Clutter
      ● Problem #3: Revealing sensitive information
      ● Problem #4: Formatting useful information
      ● Problem #5: Validation of user input
  50. Bonus round! But client-side web applications are the future, can't I just ignore the URL and use WebSockets?!
  51. Client side browser applications
      (diagram: the browser requests http://twitter.com/#!/lincolnthree; the server serves hash-bang routes such as #!/lincolnthree, #!/connect, #!/discover, #!/lincolnthree/status/180710662975143936, #!/li)
  52. How can we clean it up?
      (diagram: request/response between the browser and http://example.com/, with routes example.com/login, example.com/signup and example.com/lincoln/myproject; the response is marked “?”)
  53. Handling bookmarks
      (diagram: requests for example.com/, example.com/login and example.com/lincoln/myproject; the server serves / and the application inspects the remainder: login, lincoln/..., profile)
  54. Where am I?
      example.com/
      example.com/lincoln
      example.com/lincoln/myproject
      example.com/lincoln/lincoln
      How do you determine the Context Root?
      example.com/ ?
      example.com/lincoln ?
      example.com/lincoln/lincoln ?
  55. Resolve the Context Root
      (diagram: the browser requests http://example.com/lincoln and gets a response; it then sends HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath and the server responds 200 OK with header ContextPath = /)
  56. Demos
      ● Access control (Request Interception)
      ● REST (Validation and Conversion)
      ● Composite Query (Security and Usability)
      ● SocialPM Rich Client (Browser Applications)
  57. Mind the gap.
      ● Gap #1: “Relocated” resources (404)
      ● Gap #2: Readability & Clutter
      ● Gap #3: Revealing sensitive information
      ● Gap #4: Formatting useful information
      ● Gap #5: Validation of URLs
      ● … (and actually many more)
  58. One big thing.
      “Without URL-rewriting, our life would be $#@!ing hell.”
  59. /questions
  60. @lincolnthree
  61. You have options, but if you liked what you saw...
      ● Try it now: ocpsoft.org/rewrite
      ● Get involved: github.com/ocpsoft/rewrite
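Added example, not the Rewrite project's implementation: a Servlet filter that answers the context-root probe shown on the slide above. The marker query string and the ContextPath header come from the slide; the class name and the helper method are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not Rewrite's own code). A HEAD request whose query
// string is the marker org.ocpsoft.rewrite.history.ContextPath gets 200 OK plus
// a ContextPath header, so a browser application loaded at /lincoln can learn
// whether "/lincoln" is the deployment's context root or one of its own routes
// before it interprets the rest of the path. Only the container's own context
// path is echoed, never a value taken from the request, so the caller cannot
// influence the header.
public class ContextPathProbeFilter implements Filter {
    static final String MARKER = "org.ocpsoft.rewrite.history.ContextPath";

    /** Value the probe reports: the context path, or "/" for the root context. */
    static String reportedContextPath(String contextPath) {
        return (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if ("HEAD".equals(request.getMethod()) && MARKER.equals(request.getQueryString())) {
            HttpServletResponse response = (HttpServletResponse) res;
            response.setHeader("ContextPath", reportedContextPath(request.getContextPath()));
            response.setStatus(HttpServletResponse.SC_OK);
            return;  // a HEAD response carries no body; the application is not invoked
        }
        chain.doFilter(req, res);
    }
}
```

A client script loaded at http://example.com/lincoln sends HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath, reads ContextPath from the response and treats whatever follows that prefix as its own route.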