1. Secure Mashups (Kris Zyp)
  - Introduction

2. Interconnectedness
  - The web continues to grow in the interconnectedness of its data

3. Overview
  - More services and data sources
  - More consumers want to utilize these services
  - Tools
    - ADsafe
    - Caja
    - dojox.secure

4. Techniques of mashups
  - Server-side mashup

5. Techniques of mashups
  - Client-side mashup

6. Trust between mashup participants
  - Exploits between participants
    - A consumer gaining excess privileges from a service
    - Services exploiting consumers

7. Server-side mashups
  - Public content: easy
  - Protected content: authorization necessary

8. OAuth

9. Client-side mashups
  - Directly utilize the broker (the browser)
  - Direct communication between consumer and service
  - Exploits:
    - Cross-site scripting
    - Cross-site request forgery

10. Providing services for mashups
  - Publicly accessible resources are simple: provide as many transports as possible
  - Protected resources are more complicated

11. Services protecting resources
  - Authentication and authorization MUST be differentiated
  - Cross-site request forgery is a major exploit
  - Cookies should be used for authentication, not as the sole basis for authorization (the browser attaches them to any cross-site request)
  - Authorization
    - May require user interaction
    - May be based on origin (the Referer header, or the Access-Control-Origin header of the W3C access-control draft, now the Origin header in CORS)

12. JSON Hijacking
  - CSRF vulnerability + top-level arrays = exploit: a JSON response whose top level is an array is also a valid JavaScript program, so a hostile page can include the cookie-authenticated response with a <script src> tag and, in browsers of the time, observe the values
  - Modified JSON (make the body unusable as a script while the real consumer strips the wrapper before parsing)
    - Commenting: wrap the body in /* ... */
    - {}&&[...] prefix: a syntax error as a script
  - Best to have good CSRF protection
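The two response wrappers from this slide, written out as an added example; this is not code from the slides or from Dojo, and the sample payloads are constructed for the example. The guard is applied by the service and removed by the trusted same-origin consumer; a cross-site <script src> include of the guarded body either fails to parse or runs as an empty script.

```javascript
// Added example for the JSON Hijacking slide; not code from the slides or from Dojo.
// A JSON response whose top level is an array is also a valid JavaScript program.
// If the endpoint relies on the session cookie alone (a CSRF weakness), a hostile page
// can include it with <script src="https://service/resource"> in the victim's browser,
// and engines of that era let the page observe the values (for instance through a
// redefined Array constructor or setters). The two guards from the slide make the body
// useless as a script: "{}&&" turns it into a syntax error, "/* */" into an empty
// script. The legitimate same-origin XHR consumer strips the guard before JSON.parse.
// The sample payloads below are constructed for the example.

const AND_PREFIX = "{}&&";
const COMMENT_OPEN = "/*";
const COMMENT_CLOSE = "*/";

// Server side: wrap the serialised response.
function guardWithAnd(json) {
  return AND_PREFIX + json;
}

function guardWithComment(json) {
  // A "*/" inside a JSON string would end the comment early; "\/" is a legal JSON
  // escape for "/", so rewriting "*/" as "*\/" keeps the decoded value unchanged.
  return COMMENT_OPEN + json.replace(/\*\//g, "*\\/") + COMMENT_CLOSE;
}

// Client side (same-origin XHR, or any consumer the service chooses to trust):
// strip the guard, then parse with a real JSON parser, never eval.
function stripGuard(body) {
  if (body.startsWith(AND_PREFIX)) {
    return body.slice(AND_PREFIX.length);
  }
  if (body.startsWith(COMMENT_OPEN) && body.endsWith(COMMENT_CLOSE)) {
    return body.slice(COMMENT_OPEN.length, body.length - COMMENT_CLOSE.length);
  }
  return body;
}

function parseGuarded(body) {
  return JSON.parse(stripGuard(body));
}

// Simulates what a cross-site <script src> include does with the body: the engine must
// first parse it as a program. Returns "syntax-error" if the body cannot be parsed,
// otherwise "parsed". The unguarded array parses, which is the precondition of the hijack.
function includeAsScript(body) {
  try {
    new Function(body);
    return "parsed";
  } catch (e) {
    return e instanceof SyntaxError ? "syntax-error" : "error";
  }
}

// Usage on a constructed response.
const sampleResponse = JSON.stringify([{ id: 1, email: "alice@example.com" }]);
console.log(includeAsScript(sampleResponse));                   // parsed (hijackable)
console.log(includeAsScript(guardWithAnd(sampleResponse)));     // syntax-error
console.log(includeAsScript(guardWithComment(sampleResponse))); // parsed, but as an empty script
console.log(parseGuarded(guardWithAnd(sampleResponse)));        // the original array
```

The guard only neutralises the script-inclusion vector; as the slide says, the real fix is CSRF protection on the endpoint, since the guarded body is still returned to any cross-site request that carries the cookie.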
13. Client-side transports: JSONP
  - GET /resource/?callback=myfunc
  - Response: myfunc({"foo":"bar"});
  - The response is executed as script in the mashup's origin, so the consumer must fully trust the service

14. Client-side transports: fragment identifier messaging
  - Outer frame: http://mashup.com/
  - Inner frame: http://service.com/#message_for_the_outer_frame
  - A frame may set another frame's URL across origins; changing only the fragment passes a message without reloading the page, and the receiving frame reads it from its own location.hash

15. Client-side transport: Subspace
  - Sandboxed JSONP
  - Very complicated, more requests
  - DNS requirements (subdomains)

16. Client-side transport: window.name
  - Data is loaded in a sandboxed frame; the mashup is protected from malicious code
  - Client-side handling
    - UI interaction possible
  - Efficient

17. Client-side transport: postMessage
  - Iframe based
  - Allows client-side handling
    - User interaction can be utilized for authorization of resources
  - Efficient transport
  - Conventions/standards need to be developed for proxying requests
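An origin-checked request handler for the postMessage transport, combining it with the origin-based authorization from the "Services protecting resources" slide, as an added example; it is not code from the slides or from Dojo. The service page would run this inside its own iframe and the mashup page would post JSON requests to it. The resource table, the access-control list, the origins and the message shape are assumptions made for the example.

```javascript
// Added example for the postMessage transport; not code from the slides or from Dojo.
// The service frame decides per sender origin and per resource. postMessage reports the
// sender's origin authoritatively, so this decision needs neither a cookie nor a Referer
// check. All names, origins and data below are assumptions for the example.

// Constructed data the service frame protects.
const RESOURCES = {
  "/profile": { name: "alice", plan: "pro" },
  "/billing": { card: "**** 4242" },
};

// Access-control list: the mashup at this origin may read the profile, not billing data.
const ACL = {
  "https://mashup.example": new Set(["/profile"]),
};

// Decide how to answer one MessageEvent-shaped object { origin, data }.
// Returns { targetOrigin, message } to post back, or null for messages that must be
// ignored (unknown origin or malformed request).
function handleRequest(event) {
  const allowed = ACL[event.origin];
  if (!allowed) {
    return null; // not an approved consumer: do not answer at all
  }
  let req;
  try {
    req = typeof event.data === "string" ? JSON.parse(event.data) : null;
  } catch (e) {
    return null;
  }
  if (!req || typeof req.id !== "number" || typeof req.path !== "string") {
    return null;
  }
  // The reply is always addressed to the sender's origin, never to "*", so a page that
  // later navigates the mashup frame cannot receive it.
  const reply = (body) => ({ targetOrigin: event.origin, message: JSON.stringify(body) });
  if (!allowed.has(req.path) || !Object.prototype.hasOwnProperty.call(RESOURCES, req.path)) {
    return reply({ id: req.id, error: "forbidden" });
  }
  return reply({ id: req.id, result: RESOURCES[req.path] });
}

// Browser wiring (only meaningful inside a page):
//   window.addEventListener("message", (event) => {
//     const r = handleRequest(event);
//     if (r) event.source.postMessage(r.message, r.targetOrigin);
//   });
// The mashup side posts JSON.stringify({ id: 1, path: "/profile" }) to the service frame
// with the service's origin as targetOrigin and matches replies by id.

console.log(handleRequest({
  origin: "https://mashup.example",
  data: JSON.stringify({ id: 1, path: "/profile" }),
}));
```

The same handler is where the slide's "user interaction can be utilized for authorization" fits: before answering a path not yet in the ACL, the service frame can show its own consent UI (it is rendered in the service's origin, so the mashup cannot forge the click) and add the origin to the list.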
18. Client-side transport: native XHR with W3C CS-AC (Cross-Site Access Control, later standardized as CORS)
  - Coming soon
  - Efficient
  - Secure: data only, no code execution
  - More complicated authorization

19. Third-party widgets
  - We want third-party code to execute, but in a controlled manner
  - Protect the environment; provide access to a subset of the DOM
  - Restrict JavaScript features

20. ADsafe
  - Disables the features of JavaScript that prevent containment/sandboxing:
    - Global variables
    - [index], this, ==, !=
    - Properties: apply, call, callee, caller, constructor, eval, prototype, this, unwatch, valueOf, watch, and anything starting or ending with __
    - with, eval

21. ADsafe
  - ADsafe-compliant JavaScript can only access objects that are "given" to it.
  - ADsafe scripts can be safely sandboxed, and one can control which objects are accessible.

22. Caja
  - Object-capability version of JavaScript (same idea as ADsafe)
  - Larger set of language features (fewer major restrictions)
  - Uses code translation

23. Dojo Secure
  - Full framework for loading, validating, and providing a safe set of library functions and safe access to the DOM
    - Provides a loading registry with different loading mechanisms
    - Uses ADsafe-style language constraints
    - Provides |this| within class constructors

24. Dojo Secure
    - Provides access to the DOM (a facade) with the standard API, but restricted
    - Provides a library API (with no namespacing; none is needed in a global-less environment)
  - Full framework: loading, validation, and DOM sandboxing
25. Using dojox.secure

    // Register the cross-domain loading mechanism (window.name transport for siteA.com)
    dojox.io.xhrWindowNamePlugin("http://siteA.com");
    // Create the sandbox, bound to an existing element on the page
    var mySandbox = dojox.secure.sandbox(dojo.byId("sandbox"));
    // Securely load, validate, and evaluate HTML or JavaScript from the third party
    mySandbox.loadJS("http://siteA.com/widget.js");
    mySandbox.loadHTML("http://siteA.com/widget.html");
26. dojox.secure
  - Create HTML or JavaScript
    - element and document provide access to the DOM
    - innerHTML and DOM methods are available
  - Follow the sandboxing rules (avoid the restricted operators and globals)
  - Full library available:
    - query, byId, style, forEach, Class, fromJson, etc.
  - Use Class to build methods with the this operator
  (Accompanied by a demo)

27. Secure Mashups

28. Properly differentiate authorization and authentication

29. Avoid insecure loading mechanisms and cookie-only authorization

30. dojox.secure to create client-side mashups
  - Mutually suspicious components can coexist
  - Eliminate vulnerabilities between widgets

31. Secure Mashups
