Ajax Security
Douglas Crockford & Chip Morningstar
Yahoo!
Slides: ajaxexperience.techtarget.com/images/Presentations/...

Security Matters

Security Is Hard

Weak Foundations

Inadequate Browser Security Model

JavaScript is not a secure programming language.
There are very few secure programming languages.

DOM
Document Object Model is insecure.

Trust Boundary

Same Origin Policy
- Restrictions on access of assets from other sites.
- No restriction on sending, only on receiving.
- Bad policy: Prohibits some useful actions, permits some dangerous actions.
- Boon to idiot IT managers who rely on firewalls instead of authentication.

Circumvention
- Poorly designed security measures prevent useful activity.
- Developers are required to produce useful activity.
- This leads to the circumvention of security mechanisms.
- Bad security design makes things worse.

The web is accidents waiting to happen.
Serious penalties for data leakage.

Web is significantly safer than desktop applications.
But not enough safer.

XSS
- Cross Site Scripting Attack (misnamed).
- Evil JavaScript gets into your page.
- All scripts look the same to the browser.
- Good hygiene. Use correct encoding.
- Server must do white box filtering on all user submitted content.

Be Rigorous
Sloppiness aids the Enemy.
Neatness counts.

CSRF
- Cross Site Request Forgery
- Cookies are not sufficient to authenticate requests.
- Use shared secrets in the request.

Cookies
- Cookies were not intended to be an authentication mechanism.
- Cookies are widely used as an authentication mechanism.

SQL
- SQL injection. Be extremely cautious when building query text from external content.
- Remote SQL: Madness.
- Never expose SQL to the network.

JSON is Safe and Effective when used correctly.
Like everything else, dangerous when used recklessly.

Script Tag Hack
- Scripts (strangely) are exempt from Same Origin Policy.
- A dynamic script tag can make a GET request to a server.
  receiver(jsontext);
- Extremely dangerous. It is impossible to assure that the server did not send an evil script.

eval
- JSON text is JavaScript, so eval can turn it into data structures.
- Fast, convenient.
  myData = eval('(' + jsontext + ')');
- Dangerous. If the text is not actually JSON, an evil script can execute.

parseJSON
- Use the string.parseJSON method.
  myData = jsontext.parseJSON();
- Evil script will cause a syntax error exception.
- Standard equipment in the next version of JavaScript.
- Available now: http://www.json.org/json.js
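The idea behind parseJSON, shown as an added example (not the json.js source): check that the text consists only of JSON tokens before handing it to eval, so text that is really a script raises a SyntaxError instead of running, and compare with the built-in JSON.parse that later replaced the trick. The three-step whitelist check is reconstructed from the approach json.js/json2.js took and is not copied from that file.

```javascript
// Whitelist check in the spirit of json.js: after neutralising escapes and replacing every
// string, number and literal with ']', only structural characters and whitespace may remain.
function looksLikeJson(text) {
  // Step 1: escape sequences become '@' so they cannot smuggle quotes or brackets.
  const noEscapes = String(text).replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@');
  // Step 2: every scalar token becomes a placeholder ']'.
  const noTokens = noEscapes.replace(
    /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']');
  // Step 3: drop '[' that opens a value; what is left must be ] , : { } and whitespace only.
  const noOpeners = noTokens.replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(noOpeners);
}

// eval-based reader guarded by the whitelist: this is what the parseJSON slide describes.
function parseJsonGuarded(text) {
  if (!looksLikeJson(text)) throw new SyntaxError('text is not JSON');
  return eval('(' + text + ')');   // only reached for text made purely of JSON tokens
}

// Modern equivalent: the built-in parser never evaluates code at all.
function parseJsonStrict(text) {
  return JSON.parse(text);
}

// Reports, for a given text, whether each reader rejected it with a SyntaxError.
function rejects(text) {
  const out = { guarded: false, strict: false };
  try { parseJsonGuarded(text); } catch (e) { out.guarded = e instanceof SyntaxError; }
  try { parseJsonStrict(text); } catch (e) { out.strict = e instanceof SyntaxError; }
  return out;
}
```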

Server accepts GET requests with cookies
- Data leakage. A rogue page can send a request to your server that will include your cookies.
- There are holes in browsers that deliver data regardless of Same Origin Policy.
- Require POST. Require explicit tokens of authority.

Don’t wrap JSON text in comments
- Intended to close a browser hole.
  /* jsontext */
- May open a new hole.
  "*/ evil(); /*"
- Security is not obtained by tricks.
- Never put data on the wire unless you intend that it be delivered. Do not rely on Same Origin Policy.

The Future

The Caplet Group
- Good research is being done at IBM, Microsoft, HP, Google, Yahoo, and other places.
- A discovery and messaging system that can safely deliver data across trust boundaries.
- Connections between pages, iframes, worker pools, desktop widgets, web services.

An example of a secure application framework using today's technology.

Yahoo Ajax Server
- Context & session architecture
- Secure session protocol using JSON and HTTP
- Why?

Why a new kind of server?
- Some applications go against the grain of the conventional web paradigm:
  - Real-time interactivity (Ajax!): anything with short-lived session state on the server
  - Multi-user interactivity: chat, presentations, games, etc.
  - Server-initiated events: alerts, auctions, process monitoring, games, etc.
- These are all awkward in a standard web server

Stateful Sessions over HTTP
- HTTP-transported message passing scheme
- Messages are: bidirectional, asynchronous, object-to-object
- Uses 2 HTTP connections asymmetrically:
  - One to transmit client-to-server messages
  - One to poll for server-to-client messages
- HTTP requests DO NOT correspond 1-to-1 to object messages!

Stateful Sessions over HTTP
- Open a session:
  GET root/connect
  GET root/connect/randomstuff
- Where root identifies the application, e.g., http://wingnut.yahoo.com/chat/connect
- Reply is JSON containing an unguessable session identifier:
  {"sessionid": sessionID }

Stateful Sessions over HTTP
- Send messages to the server:
  POST root/xmit/sessionID/xseqnum
- sessionID from the connect request
- xseqnum from previous xmit request, or 1 to begin
  http://moonbat.yahoo.com/chat/xmit/hb5t1fhyku42/3
- POST body contains one or more messages being sent
- Reply contains sequence number for next xmit:
  {"seqnum": newxseqnum }
- Post whenever you have something to say to the server

Stateful Sessions over HTTP
- Poll for messages from the server:
  GET root/select/sessionID/sseqnum
- sessionID from the connect request
- sseqnum from previous select request, or 1 to begin
  http://wingnut.yahoo.com/chat/select/in5uuf67xjlnogr/47
- Reply contains messages and sequence number for next select:
  {"msgs":[ msg, msg, … ], "seqnum": newsseqnum }
- Request after reply to connect or previous select
- Client always has a select pending while session is live
- Reply might contain 0 messages (connection heartbeat)

JSON Messaging
- Simple convention for encoding object-addressed messages:
  {"to":targetref, "op": verb, params … }
- targetref identifies message target in scope of receiver
  - Can be simple ("foo") or complex ("user.47.3699102")
  - Can be static or dynamic
  - Can be known & predictable or random & unguessable
  - All up to the application protocol designer
- verb identifies the operation, params depend on verb (standard O-O stuff)
- All messages are unidirectional and asynchronous: never block, never deadlock

Contexts define Applications
- YAS serves contexts containing objects
- Clients can enter these contexts
- Clients in a context can send messages to the objects in it (and vice-versa)
- The web page whose script initiates a connection contains JavaScript for the client side of the various objects

Multi-user Interactivity
- Multiple clients can enter a YAS context concurrently
- Server can fan messages to some or all of the clients in a context
- Server can relay messages between clients

Server-initiated Events
- Autonomous processes running in the server can send messages to clients
- So the server just sends a message
- Yes, it’s that simple

What’s this got to do with Security?
- Our most powerful security tools are modularity and encapsulation
- Web paradigm says “abandon encapsulation”; REST dogma actually elevates this to a virtue
- YAS is a scheme to get encapsulation back
- In the world of Web 2.0, Ajax, mashups, etc. we really need it

Where to keep session state?
- In the browser: cookies, form vars, URLs
  - Clumsy, insecure, limited capacity
  - Your data is in the hands of the enemy
- In a database
  - Clumsy, slow, inefficient
  - Reintroduces the bottleneck that motivated a stateless architecture in the first place
- In the server’s memory
  - Fast & easy
  - Conventional web scaling paradigm says do not do this!

Scale Differently
- Keep session state in RAM on the server
- Scale by session, not by page
- Browser just keeps talking to same server
- Web infrastructure is not optimized for this…
- …but it’s not very difficult to do
  - Route by session rather than by HTTP GET request
  - Have application page server act like a session-level VIP or HTTP director
  - Browser is already handshaking with server anyway