The web is extremely colorful but it was never meant to be what it is. Its inherent flexibility and popularity has just kept it growing. Over the years, number of pieces of technologies got cobbled to make it incredibly powerful app delivery platform. Something that can achieve unbelievable things today.However it grew in a hotchypotchy manner not accounting for things that make it inherently vulnerable to plethora of attacks.
Attackers on the Web (and generally on any system, including Internet) are of 3 kinds:Script Kiddies – the kind who lives on the power of others (2&3). They piggyback their tools, techniques, scripts and methods in their attacks (Like Boss Wolf)Crackers – they are smart, gifted, in some cases even blessed. They are mostly either behind money or fame (like Tai Lung behind the scroll).Unethical 3rd parties. They want all you have. Your users(cookies and private data). Your sites trust (phishing). They are like Lord Shen. They are obsessed with ruling all over.
In-band signaling was used intelcos that sent metadata and control information in the same band used for data like in the web sending punctuation with data.It was inherently insecure because it exposes control signals, protocols and management systems to the users, which resulted in falsing. In 1960’s the blue boxes were used for falsingto make free long-distance calls using a 2600Hz cereal whistle.
In-band signaling also leads to another class of vulnerability in the backend- the database. It has several categories but the most exploited one is SQL Injection.
Mashup is an app that combines services from multiple origins to create new experiences.Mostly based on DHTML. The most popular approach is client-side where browser retrieves and aggregates as per the provided template. Why need?1/ Ads2/ Analytics3/ Social plug-ins /3rd party widgets (FB Like) help drive engagement4/ Rich user experience – maps5/ App platforms. The ultimate manifestation of user generated content in mashups – FB iframe tabs, YAP, iGoogle GadgetsTwo solutions: Scripts and iframesScript basedOffers NO separation but provides FULL interactionInteraction not authenticated, nor can confidentiality or integrity be ensuredIframe basedFULL separation between cross originsNO separation within the same originNO provision for interaction between components
Mashup Vulnerabilities: iframe based1. Malicious Redirectiontop.location = http://s0m3phishing.com2. Fake / Malicious UI<form method=…>, window.open()3. Drive-by Downloads/MalwareContent-Disposition: attachment4. Denial of Service (DoS) and NoiseInfinite alert()and while loops5. History Sniffing/MininggetComputedStyle()6. Referrer LeakReferrer: http://<ip>/r.html?a=secret&b=private7. LAN Scanning<imgsrc=http://10.0.0.1 onerror=...>
Mashup Vulnerabilities: Script based1. Steal Username, Password and other secret data by calling, intercepting or spoofing DOM events like onsumbit2. Steal cookies via document.cookie3. Malicious GET and POST via xhr.open4. Abuse features like autocomplete5. All iframe vulnerabilities like drive by downloads / malware6. And, many more……
The road is not easy. But when you know your problems well. And start solving them one by one. You can rest in peace. Well, till the next one arrives.
The Enemy On The Web
THE ENEMY ON THE WEBhttp://www.flickr.com/photos/8407953@N03/5990642198/
The web is extremely popular. (Web1.0, Web 2.0, Web 3.0)
It was not suppose to be. It was destined to be. (Web 1.0 -> Web 2.0 -> Web 3.0?)
numerous tech cobbled to make an incredible app delivery platform(HTML5+CSS3+ES5+DOM+Node/PHP/Java+MongoDB/ MySQL)
Today Web is extremely dominant. And anything dominant getsscrutinized, misused, worse attacked. So, WHO ARE THEY?