Silverlight Security - OWASP · Silverlight Security OWASP talk, 24. feb 2009 René Løhde, Microsoft [email protected] • Silverlight introduction ... WPF is XAML and Code And

Silverlight Security

OWASP talk, 24. feb 2009

René Løhde, Microsoft

[email protected]

• Silverlight introduction

• Transparency and Fx security

• Connectedness

• Users

• Silverlight introduction• Transparency and Fx security

• Connectedness

• Users

WPF is XAML and Code

And

Silverlight is XAML and Code

JavaScript

HTML

AJAX (XmlHttpRequest)

1.0

<XAML/>

2

Managed Code (C#/VB)

HTML

Code

Controls

NBC Olympics (Media streaming)

Blockbuster

Hardrock (Deepzoom)

...see http://silverlight.tenteo.com/


• Transparency and Fx security• Connectedness

• Users

1. Transparent

2. SafeCritical

3. Critical

T SC C

Application(T)

mscorlib T SC C

mscorlib

T SC C

System

Application(T)

System.Security.SecuritySafeCritical



• Connectedness• Users

On first call to MyBank.com:

http://MyBank.com/clientaccesspolicy.xml

Does not exist:

SecurityException will be thrown

EvilApps.com MyBank.com

SL app from EvilApps.com

InnocentMashups.com Weather.com

SL app from InnocentMashups.com

On first call to Weather.com:

http://weather.com/clientaccesspolicy.xmlExists:Silverlight will let the call go through (if policy allows)

• Silverlight looks for two policy files:

• Silverlight policy: clientaccesspolicy.xml

• Adobe Flash policy: crossdomain.xml

• Already used by etc…

• All public services that work with Flash –

will also work with Silverlight

http://en.wikipedia.org/wiki/Image:EBay_Logo.svg

http://en.wikipedia.org/wiki/Image:Flickr_gamma_Logo.svg

http://images.google.com/imgres?imgurl=http://www.hotrodscustomstuff.com/Cars/61yahooOlds/yahoo_logo.gif&imgrefurl=http://www.hotrodscustomstuff.com/yahoo-01.html&h=142&w=750&sz=9&hl=en&start=2&tbnid=cqNEWI4HwY94cM:&tbnh=27&tbnw=141&prev=/images?q=yahoo+logo&gbv=2&svnum=10&hl=en

• Cross-Domain and HTTP restrictions:

Some services not accessible from rich browser apps (both

Flash and Silverlight)

• Change must come from:

• Browser APIs - IE, NPAPI (Safari & FireFox)

• Service Owners

e.g. Google allows X-Http-Verb-Override:DELETE inst. of HTTP DELETE

• Can use a proxy:

SL app

• WebClient

• Simple to use

• Limited functionality

• HttpWebRequest

• Access to all features

• Future possibility:

Usability Improvements to HTTP client

• Serializer integration, URI templates, etc.

• Available as a sample

http://code.msdn.microsoft.com/SilverlightWS

HttpWebRequest

High-level components and User Code

Browser Plugin APIs

Web Browser- Cookies

- Authenticated sessions

- Caching

- Proxy server to use

Windows/Mac

Networking Layer

Restrictions

Restrictions

http://images.google.com/imgres?imgurl=http://media.bestofmicro.com/internet-explorer-logo,6-Q-242-3.jpg&imgrefurl=http://www.lonelyplanet.com/thorntree/thread.jspa?threadID=1539687&start=0&tstart=0&h=242&w=235&sz=35&hl=en&start=2&tbnid=apxv-wSvMpsyUM:&tbnh=110&tbnw=107&prev=/images?q=explorer+logo&gbv=2&hl=en

http://images.google.com/imgres?imgurl=http://www.electionsquebec.qc.ca/img/aide/logos/firefox_logo.jpg&imgrefurl=http://www.electionsquebec.qc.ca/en/help.asp&h=221&w=230&sz=10&hl=en&start=12&tbnid=CfiyBsuC17umxM:&tbnh=104&tbnw=108&prev=/images?q=firefox+logo&gbv=2&hl=en

http://images.google.com/imgres?imgurl=http://www.gomojo.info/wp-content/uploads/2007/06/safari-logo-big.jpg&imgrefurl=http://www.gomojo.info/category/web-20-mojo/&h=480&w=423&sz=38&hl=en&start=1&tbnid=UQwElydFkGrjtM:&tbnh=129&tbnw=114&prev=/images?q=safari+logo&gbv=2&hl=en

http://images.google.com/imgres?imgurl=http://connected.typepad.com/photos/uncategorized/windowslogo_1.jpg&imgrefurl=http://connected.typepad.com/connected/2007/02/index.html&h=293&w=280&sz=13&hl=en&start=3&tbnid=zJkVF1aGkQsfAM:&tbnh=115&tbnw=110&prev=/images?q=windowslogo&gbv=2&hl=en

http://images.google.com/imgres?imgurl=http://www.nathanbolender.com/eyetoy/Mac_Logo.png&imgrefurl=http://www.nathanbolender.com/eyetoy/&h=150&w=150&sz=13&hl=en&start=6&tbnid=10Wu4UdZNXUKiM:&tbnh=96&tbnw=96&prev=/images?q=mac+logo&gbv=2&hl=en

• Creating Services for Silverlight• Creating and consuming WCF services

• Securing local services

• Creating public services (safe for cross-domain)

• Accessing Services that Describe Themselves• “Add Service Reference”

• Accessing Services that Don’t Describe Themselves• WebClient / HttpWebRequest, manual work

• Accessing Feeds• RSS/Atom

http://images.google.com/imgres?imgurl=http://www.precisiongears.com/images/spur_gear.jpg&imgrefurl=http://www.precisiongears.com/spur_gears.php&h=347&w=318&sz=56&hl=en&start=2&um=1&tbnid=jMu21Vhy4eKCjM:&tbnh=120&tbnw=110&prev=/images?q=gear&svnum=10&um=1&hl=en



• Connectedness

• Users

• Silverlight will use auth. information in the browser

HTML

E.g.: ASP.NET login

User:Password:

YourDomain.comCredentials

Auth info (e.g. cookie)

Service calls + Auth info

Silverlight code does not normallydeal with credentials (user, password)

• Silverlight will use auth. information in the browser

• This is exactly what you want!

• Login once for web page + Silverlight

• To get user identity in WCF Services:

• Turn ASP.NET Compat Mode on (template will do this for you)

• HttpContext.Current.User – current user

“Picking the top RIA toolkit of 2008 was no easy task. Our prize goes to Silverlight because it beats Flash in runtime performance; it has a modest download size; the design tools are good; it boasts wonderful .Net language support and a best-of-breed development environment in Visual Studio 2008…”

Infoworld, Jan 2009

http://www.infoworld.com/article/09/01/02/53TC-ria-rollup_1.html

Documents

Silverlight Security - OWASP · Silverlight Security OWASP talk, 24. feb 2009 René Løhde, Microsoft [email protected] • Silverlight introduction ... WPF is XAML and Code And