Secure Mashups

Secure MashupsKris Zyp

Introduction

Copyright SitePen, Inc. 2008. All Rights Reserved

Interconnectedness

•Web continues to grow in interconnectedness of data


Overview

•More services and data sources

•More consumers want utilize this services

•Tools

-ADsafe

-Caja

-dojox.secure


Techniques of mashups

•Server Side Mashup


Techniques of mashups

•Client Side Mashup


Trust between mashup participants

•Exploit between participants

-Consumer gaining excess privileges

-Services exploiting Consumers


Server Side Mashups

•Public Content - Easy

•Protected Content - Authorization necessary


OAuth


Client Side Mashups

•Directly utilize broker (the browser)

•Direct communication

•Exploits:

-Cross site scripting

-Cross site request forgery


Providing services for mashups

•Publicly accessible resources are simple, provide as many transports as possible

•Protected resources more complicated


Services protecting resources

•Authentication and authorization MUST be differentiated

•Cross site request forgery is a major exploit

•Cookies should be used for authentication

•Authorization

-May require user interaction

-May be based on origin (Referer header or Access-Control-Origin header)


JSON Hijacking

•CSRF Vulnerability + top-level Arrays = Exploit

•Modified JSON

-Commenting

-{}&&[...]

•Best to have good CSRF protection


Client Side Transports: JSONP

GET /resource/?callback=myfunc

myfunc({“foo”:”bar”});


Client Side Transports: Fragment Identifier Messaging

Outer Framehttp://mashup.com/

Inner Framehttp://service.com/#message_for_the_outer_frame

http://mashup.com/

http://mashup.com/


Client Side Transport: Subspace

•Sandboxed JSONP

•Very complicated, more requests

•DNS requirements


Client Side Transport: window.name

•Data is loaded in a sandboxed frame, the mashup is protected from malicious code

•Client side handling

-UI interaction possible

•Efficient


Client Side Transport: postMessage

•Iframe based

•Allows client side handling

-User interaction can be utilized for authorization of resources

•Efficient transport

•Conventions/standards be developed for proxying requests


Client Side Transport: Native XHR with W3C CS-AC

•Coming soon

•Efficient

•Secure, no code execution

•More complicated authorization


Third party widgets

•We want third part code to execute, but in a controlled manner

•Protect the environment, provide access to a subset of the DOM

•Restrict JavaScript features


ADsafe

•Disables features in JavaScript that prevent containment/sandboxing

-Global variables

- [index], this, ==, !=

-Properties:

-apply,call,callee,caller,constructor,eval, prototype,this,unwatch,valueOf,watch, and anything starting or ending with __

-with, eval


ADsafe

•ADsafe compliant JavaScript can only access objects that are “given” to it.

•ADsafe scripts can be safely sandboxed, and one can control what objects are accessible.


Caja

•Object capability version of JavaScript (same idea as ADsafe)

•Larger set of language features (less major restrictions)

•Uses code translation


Dojo Secure

•Full framework for loading, validating, and providing a safe set of library functions and safe access to the DOM.

-Provides loading registry with different loading mechanims

-Uses ADsafe style language constraints

-Provides |this| within class constructors


Dojo Secure

-Provides access to the DOM (a facade), with the standard API, that is restricted

-Provides a library API (with no namespacing, no need in a global-less environment)

•Full framework: loading, validation, and DOM sandboxing


Using dojox.secure

//Register cross-domain loading mechanismdojox.io.xhrWindowNamePlugin("http://siteA.com");//Create sandboxmySandbox = dojox.secure.sandbox(dojo.byId("sandbox"));//Securely load, validate, and evaluate HTML or JavaScriptmySandbox.loadJS("http://siteA.com/widget.js");mySandbox.loadHTML("http://siteA.com/widget.html");

http://siteA.com/

http://siteA.com/widget.js

http://siteA.com/widget.html


Accompanied by Demo

dojox.secure

•Create HTML or JavaScript

-element and document provides access to the DOM

-innerHTML and DOM methods available

•Follow sanboxing rules (avoid restricted operators and globals)

•Full library available:

-query, byId, style, forEach, Class, fromJson, etc.

•Use Class to build methods with this operator

Secure Mashups

Properly differentiate authorization and

authentication

Avoid insecure loading mechanisms

and cookie only based authorization


dojox.secure to create client-side mashups

•Mutually suspicious components can coexist

•Eliminate vulnerabilities between widgets


Secure Mashups


Technology

Secure Mashups