RIA Implementation
Skitsanos Inc., February 16, 2007

RIA Data and Security

Data Transactions

This section describes a couple of technologies that can be used for data transactions within a client/server RIA application.

REST

REST is an acronym standing for Representational State Transfer. REST is a model for distributed computing. It is the one used by the world's biggest distributed computing application, the Web. When applied to web services technologies, it usually depends on a trio of technologies designed to be extremely extensible: XML, URIs, and HTTP. XML's extensibility should be obvious to most, but the other two may not be. URIs are also extensible: there are an infinite number of possible URIs. More importantly, they can apply to an infinite number of logical entities called "resources." URIs are just the names and addresses of resources. Some REST advocates call the process of bringing your applications into this model "resource modeling." This process is not yet as formal as object-oriented modeling or entity-relation modeling, but it is related.

The strength and flexibility of REST comes from the pervasive use of URIs. This point cannot be over-emphasized. When the Web was invented it had three components: HTML, which was about the worst markup language of its day (other than being simple); HTTP, which was the most primitive protocol of its day (other than being simple); and URIs (then called URLs), which were the only generalized, universal naming and addressing mechanism in use on the Internet. Why did the Web succeed? Not because of HTML and not because of HTTP. Those standards were merely shells for URIs.

HTTP's extensibility stems primarily from the ability to distribute any payload with headers, using predefined or (occasionally) new methods. What makes HTTP really special among all protocols, however, is its built-in support for URIs and resources. URIs are the defining characteristic of the Web: the mojo that makes it work and scale.
HTTP as a protocol keeps them front and center by defining all methods as operations on URI-addressed resources.

AMF

AMF is the Action Message Format. AMF is a proprietary data format created by Macromedia and used by several Macromedia technologies: Flash Remoting, FlashComm, LocalConnection and Shared Objects.
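The REST section above makes one structural claim: a URI names a resource, and every HTTP method is an operation on the resource that URI names. The following Python dispatcher is an added illustration of that claim and is not code from the Skitsanos paper; the in-memory store, the example URIs and order records are constructed for the example. It shows the safe/idempotent split between GET, PUT and DELETE, treats an absolute and a relative URI for the same path as the same resource, and refuses verbs it does not define rather than inventing an operation that lives outside a resource.

```python
from urllib.parse import urlsplit

# Constructed in-memory resource store (example data, not from the paper).
# Each key is the path of a URI that names one resource; the value is the
# resource's current representation.
STORE = {"/orders/1": {"item": "book", "qty": 2}}


def resource_path(uri):
    """Reduce an absolute or relative URI to the path that identifies the resource."""
    return urlsplit(uri).path


def handle(method, uri, body=None, store=STORE):
    """Apply one HTTP method to the resource the URI names.

    Returns (status_code, representation). Every branch is an operation on a
    URI-addressed resource; there is no other kind of operation here.
    """
    path = resource_path(uri)

    if method == "GET":
        # Safe and idempotent: retrieve the representation, never change state.
        if path not in store:
            return 404, None
        return 200, store[path]

    if method == "PUT":
        # Idempotent: the client supplies the complete new representation, so
        # repeating the same PUT leaves the resource in the same state.
        if body is None:
            return 400, None
        created = path not in store
        store[path] = body
        return (201 if created else 200), body

    if method == "DELETE":
        # Idempotent in effect (the resource is gone afterwards either way);
        # 404 only reports that there was nothing to remove.
        if path not in store:
            return 404, None
        del store[path]
        return 204, None

    # A verb this resource does not support is an error, not a new operation.
    return 405, None


def demo_sequence():
    """Run a short create/read/update/delete sequence on a fresh store and
    return the status codes, so the behaviour can be checked without sockets."""
    store = {"/orders/1": {"item": "book", "qty": 2}}
    steps = [
        ("GET", "http://api.example/orders/1", None),       # absolute URI, same resource
        ("PUT", "/orders/2", {"item": "pen", "qty": 1}),    # create -> 201
        ("PUT", "/orders/2", {"item": "pen", "qty": 1}),    # repeat -> 200, same state
        ("DELETE", "/orders/2", None),                      # -> 204
        ("GET", "/orders/2", None),                         # gone -> 404
        ("PATCH", "/orders/1", {"qty": 3}),                 # undefined verb -> 405
    ]
    return [handle(m, u, b, store)[0] for m, u, b in steps]


if __name__ == "__main__":
    print(demo_sequence())
```

The dispatcher keeps the method as the verb and the URI as the noun; adding a new resource means adding a new URI, not a new method, which is where the paper locates REST's extensibility.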
providing a basic messaging framework that more abstract layers can build on. The original acronym was dropped with Version 1.2 of the standard, which became a W3C Recommendation on June 24, 2003, as it was considered to be misleading. There are several different types of messaging patterns in SOAP, but by far the most common is the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server), and the server immediately sends a response message to the client. SOAP is the successor of XML-RPC, though it borrows its transport and interaction neutrality and the envelope/header/body from elsewhere.
messages traveling between two end points. This can be a serious security breach for SOAP messages. As Web applications move to adopt the Web services framework, focus shifts to these new protocols and new attack vectors are generated.

8. Parameter manipulation with SOAP

Web services consume information and variables from SOAP messages. It is possible to manipulate these variables. For example, “10” is one of the nodes in SOAP messages. An attacker can start manipulating this node and try different injections – SQL, LDAP, XPATH, command shell – and explore possible attack vectors to get hold of internal machines. Incorrect or insufficient input validation in Web services code leaves the Web services application open to compromise. This is a new attack vector available against Web applications running with Web services.

9. XPATH injection in SOAP message

XPATH is a language for querying XML documents and is similar to SQL statements, where we can supply certain information (parameters) and fetch rows from the database. XPATH parsing capabilities are supported by many languages. Web applications consume large XML documents, and many times these applications take inputs from the end user and form XPATH statements. These sections of code are vulnerable to XPATH injection. If XPATH injection gets executed successfully, an attacker can bypass authentication mechanisms or cause the loss of confidential information. There are a few known flaws in XPATH that can be leveraged by an attacker. The only way to block this attack vector is by providing proper input validation before passing values to an XPATH statement.

10. RIA thick client binary manipulation

Rich Internet Applications (RIA) use very rich UI features such as Flash, ActiveX Controls or Applets as their primary interfaces to Web applications. There are a few security issues with this framework.
One of the major issues is with session management, since the component runs in the browser and shares the same session. At the same time, since the entire binary component is downloaded to the client, an attacker can reverse engineer the binary file and decompile the code. It is possible to patch these binaries and bypass some of the authentication logic contained in the code. This is another interesting attack vector for Web 2.0 frameworks.
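Item 9 above ends with the fix: validate the parameter before it reaches an XPATH statement. The following Python example is added here to show what that looks like in code; it is not from the Skitsanos paper. The XML user store, the allowlist pattern and the function names are constructed for the example. It places the vulnerable string-built expression beside two safe versions: one that allowlists the parameter before building the expression, and one that never builds an expression at all and compares attribute values in code. One caveat: the standard library's ElementTree implements only a small XPath subset and will not evaluate the `or` tautology in the injected expression, whereas a full XPath 1.0 engine would match every user; the unsafe builder is therefore shown but not executed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document (not from the paper): the kind of XML store a
# web service might query with an XPath built from a SOAP parameter.
USERS_XML = """<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="user"/>
</users>"""

# Allowlist for the one parameter we accept: letters, digits, dot, dash and
# underscore, 1 to 32 characters. Quotes, brackets and spaces cannot pass,
# so the expression's string literal can never be closed early.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def build_xpath_unsafe(username):
    """Vulnerable construction: the parameter is pasted into the expression.

    With username = "' or '1'='1" this yields .//user[@name='' or '1'='1'],
    which a full XPath engine evaluates as true for every <user>.
    """
    return f".//user[@name='{username}']"


def is_valid_username(username):
    """True only when the whole value matches the allowlist."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def build_xpath_safe(username):
    """Validate first; only an allowlisted value ever reaches the expression."""
    if not is_valid_username(username):
        raise ValueError("username rejected by input validation")
    return f".//user[@name='{username}']"


def lookup_roles(xml_text, username):
    """Roles of the user(s) matching a validated name, via an XPath expression."""
    root = ET.fromstring(xml_text)
    return [u.get("role") for u in root.findall(build_xpath_safe(username))]


def lookup_roles_no_xpath(xml_text, username):
    """Same query with no expression to inject into: compare values in code.

    Preferable when the XPath API in use cannot bind parameters as variables.
    """
    root = ET.fromstring(xml_text)
    return [u.get("role") for u in root.iter("user") if u.get("name") == username]


if __name__ == "__main__":
    injected = "' or '1'='1"
    print("unsafe expression:", build_xpath_unsafe(injected))
    print("validated?", is_valid_username(injected))
    print("alice via xpath:", lookup_roles(USERS_XML, "alice"))
    print("injected without xpath:", lookup_roles_no_xpath(USERS_XML, injected))
```

The allowlist is deliberately narrow; widening it to accept quotes or brackets would reopen the hole, so any parameter that legitimately needs such characters should go through the no-expression path or an XPath API that binds variables rather than through string building.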
aSSL protects against these sniffers. When a server exchanges account information in clear HTTP, a sniffer can simply intercept all the data, but if the server exchanges the data via aSSL it is not possible to decode the passed data, and so the level of security of the site is notably better.
References

REST Links
• http://en.wikipedia.org/wiki/Representational_State_Transfer
• http://webservices.xml.com/pub/a/ws/2002/02/20/rest.html
• http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
• http://www.xfront.com/REST-Web-Services.html

AMF Links
• http://www.adobe.com/devnet/flex/articles/intro_fms_08.html
• http://livedocs.adobe.com/flashremoting/mx/Using_Flash_Remoting_MX/intro2.htm
• http://web.archive.org/web/20040603100453/chattyfig.figleaf.com/flashcoders-wiki/index.php?SharedObjectFile

FLEX-AJAX Bridge
• http://labs.adobe.com/wiki/index.php/Flex_Framework:FABridge
• http://www.flex.org/
• http://www.adobe.com/devnet/flex/articles/flex_security_wp/flex_security_wp.html
• http://www.adobe.com/devnet/security/
• http://www.adobe.com/cfusion/exchange/index.cfm?view=sn610

JSON
• http://www.softwaresecretweapons.com/jspwiki/Wiki.jsp?page=AJAXWithoutXML

JSONRequest
• http://json.org/JSONRequest.html

BISON
• http://www.kaijaeger.com/articles/introducing-bison-binary-interchange-standard.html

SOAP Links
• http://en.wikipedia.org/wiki/SOAP

Security
• http://news.com.com/The+security+risk+in+Web+2.0/2100-1002_3-6099228.html
• http://www.spidynamics.com/assets/documents/HackingFeeds.pdf
• http://www.net-security.org/article.php?id=949&p=1
• http://assl.sullof.com/assl/