Software Studio: the web as a platform for distributed computing
Daniel Jackson

client/server: documents only
client: browser | web server | file system

client/server: server apps
client: browser | web server + app | database

client/server: multiple servers
(diagram: Twitter, Facebook, Google Translate, Wikitravel, Google Maps, Amazon, Flickr)
© 29travels. All rights reserved. This content is excluded from our Creative Commons license. For more information, see http://ocw.mit.edu/fairuse.

client/server: client apps
client: browser + app | web server + app | database
client app uses web service API

cross site scripting (XSS)
(diagram labels: censor, dissident, gmail.com, secret.cn)

cross site request forgery (CSRF)
(diagram labels: evil.com, bank.com, transfer?to=evil&amt=1000, customer)

mitigating attacks
to prevent XSS › sanitization (in server) › rejects injected scripts
to prevent CSRF › server embeds secret key in forms › only requests containing key accepted
to prevent both: SOP › same origin policy (in browser) › browser tracks origin of pages › will only "phone home"
SOP stops mashups from working
working around SOP in mashups
how to work around › JSONP: a hack; exploits script download not being checked › CORS: cross origin resource sharing
how CORS works › server says it'll accept requests from other sources › server response has header saying which origins are ok
› resource is dropped if it doesn't match the origin of the request › for non-GET requests, browser sends a "preflight request" first
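The CORS exchange on this slide, as an added example that is not code from the slides or the course. The server half decides, from the request's Origin header, whether to answer with Access-Control-Allow-Origin and whether an OPTIONS request is a preflight that must be answered before the application runs; the browser half is the check that drops the response when that header does not name the page's origin. JSONP needs none of this because a <script src> download is never subject to the check, which is exactly why CORS replaces it with an explicit server-side policy. The allowlist contents and the names corsDecision and browserReleasesResponse are assumptions for illustration.

```javascript
// Added example, not code from the 6.170 slides: the server-side CORS decision
// the slide describes, plus the browser-side check it relies on. The allowlist
// and the names corsDecision / browserReleasesResponse are assumed here.
const ALLOWED_ORIGINS = new Set(['https://mashup.example', 'https://app.example']); // constructed allowlist
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_REQUEST_HEADERS = ['content-type', 'authorization'];

// Case-insensitive header lookup on a request shaped like { method, headers }.
function header(req, name) {
  const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : req.headers[key];
}

// Decide which CORS headers to attach and whether the request is a preflight
// that must be answered instead of being passed to the application.
function corsDecision(req) {
  const result = { preflight: false, status: 200, headers: {} };
  const origin = header(req, 'origin');
  if (origin === undefined) return result; // same-origin or non-browser client: no CORS headers needed

  const isPreflight = req.method === 'OPTIONS'
    && header(req, 'access-control-request-method') !== undefined;
  result.headers['Vary'] = 'Origin'; // the answer depends on Origin; tell caches so

  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: no Access-Control-Allow-Origin, so the browser drops the
    // response body; a preflight from such an origin is refused outright.
    // (Reflecting every Origin back unchecked would defeat the whole mechanism.)
    if (isPreflight) {
      result.preflight = true;
      result.status = 403;
    }
    return result;
  }

  result.headers['Access-Control-Allow-Origin'] = origin; // echo only allowlisted origins
  result.headers['Access-Control-Allow-Credentials'] = 'true';

  if (isPreflight) {
    result.preflight = true;
    const wanted = header(req, 'access-control-request-method').toUpperCase();
    if (!ALLOWED_METHODS.includes(wanted)) {
      result.status = 403;
      return result;
    }
    result.status = 204; // preflight carries headers only, no body
    result.headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    result.headers['Access-Control-Allow-Headers'] = ALLOWED_REQUEST_HEADERS.join(', ');
    result.headers['Access-Control-Max-Age'] = '600'; // cache this preflight answer for 10 minutes
  }
  return result;
}

// Browser side of the protocol: the page only sees the response body when the
// server's Access-Control-Allow-Origin names the page's origin (or '*', which
// browsers refuse for requests that carry cookies or other credentials).
function browserReleasesResponse(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (withCredentials) {
    return acao === pageOrigin && responseHeaders['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}
```

Note that the server still processes a simple GET from an unknown origin; CORS does not stop the request from reaching the server, it only stops the calling page from reading the answer. That is why the CSRF token from the previous slide remains necessary even on a service that serves CORS headers.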
web services

MIT OpenCourseWare http://ocw.mit.edu
6.170 Software Studio, Spring 2013
For information about citing these materials or our Terms of Use, visit http://ocw.mit.edu/terms.