Silverlight Security - OWASP · 2020-01-17 · Silverlight Security OWASP talk, 24 Feb 2009, René Løhde, Microsoft, renel@microsoft.com
TRANSCRIPT
Page 1
Page 3
• Silverlight introduction
• Transparency and Fx security
• Connectedness
• Users
Page 4
• Silverlight introduction
• Transparency and Fx security
• Connectedness
• Users
Page 5
Page 6
WPF is XAML and Code
And
Silverlight is XAML and Code
Page 7
Silverlight 1.0: JavaScript, HTML, AJAX (XmlHttpRequest), <XAML/>
Page 8
Silverlight 2: Managed Code (C#/VB), HTML
Page 9
Page 10
Code
Controls
Page 11
NBC Olympics (Media streaming)
Blockbuster
Hardrock (Deepzoom)
...see http://silverlight.tenteo.com/
Page 12
• Silverlight introduction
• Transparency and Fx security
• Connectedness
• Users
Page 13
1. Transparent
2. SafeCritical
3. Critical
Page 14
Diagram: transparency levels per assembly (T = Transparent, SC = SafeCritical, C = Critical). Application code runs as T only; System and mscorlib contain T, SC and C code. The attribute that marks the SC layer is System.Security.SecuritySafeCritical.
Page 15
• Silverlight introduction
• Transparency and Fx security
• Connectedness
• Users
Page 16
Diagram, two cross-domain scenarios:
• SL app from EvilApps.com calls MyBank.com. On first call to MyBank.com, Silverlight requests http://MyBank.com/clientaccesspolicy.xml. It does not exist: a SecurityException will be thrown.
• SL app from InnocentMashups.com calls Weather.com. On first call to Weather.com, Silverlight requests http://weather.com/clientaccesspolicy.xml. It exists: Silverlight will let the call go through (if the policy allows it).
Page 17
• Silverlight looks for two policy files:
• Silverlight policy: clientaccesspolicy.xml
• Adobe Flash policy: crossdomain.xml
• Already used by etc…
• All public services that work with Flash will also work with Silverlight
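A Python model of the first-call policy lookup described on these two slides, added here as an illustration; it is not code from the talk or from the Silverlight runtime. It covers clientaccesspolicy.xml only (not the crossdomain.xml fallback), the policy files for weather.com and the hypothetical partner.example are constructed, and the domain/path matching rules are simplified assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

class SecurityException(Exception):
    """Raised when no policy permits the cross-domain call."""

# Constructed clientaccesspolicy.xml files, keyed by the host that would serve
# them. weather.com is wide open; partner.example grants one origin one subtree.
POLICY_FILES = {
    "weather.com": """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>""",
    "partner.example": """<access-policy><cross-domain-access><policy>
  <allow-from><domain uri="https://app.innocentmashups.com"/></allow-from>
  <grant-to><resource path="/api/public" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>""",
}

def _domain_matches(pattern: str, origin: str) -> bool:
    # Simplified rule (assumed): "*" admits any origin, else scheme+host must match.
    if pattern == "*":
        return True
    p, o = urlparse(pattern), urlparse(origin)
    return bool(p.hostname) and p.scheme == o.scheme and p.hostname == o.hostname

def _path_granted(resource: ET.Element, path: str) -> bool:
    base = resource.get("path", "/")
    if resource.get("include-subpaths", "false").lower() == "true":
        return path == base or path.startswith(base.rstrip("/") + "/")
    return path == base

def check_cross_domain_call(app_origin: str, target_url: str) -> bool:
    # First call to a foreign host: fetch its policy, then allow or throw.
    target = urlparse(target_url)
    policy_xml = POLICY_FILES.get(target.hostname)
    if policy_xml is None:  # the MyBank.com case: no policy file at all
        raise SecurityException(f"{target.hostname} serves no cross-domain policy")
    for policy in ET.fromstring(policy_xml).iter("policy"):
        domains = [d.get("uri", "") for d in policy.iter("domain")]
        if any(_domain_matches(d, app_origin) for d in domains) and any(
                _path_granted(r, target.path or "/") for r in policy.iter("resource")):
            return True
    raise SecurityException(f"{app_origin} is not granted {target_url}")

def is_allowed(app_origin: str, target_url: str) -> bool:
    """Boolean wrapper around the check: False where Silverlight would throw."""
    try:
        return check_cross_domain_call(app_origin, target_url)
    except SecurityException:
        return False
```

The wide-open weather.com policy is the shape to avoid on any host that serves authenticated content: it admits every origin, including EvilApps.com, to every path.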
Page 18
• Cross-Domain and HTTP restrictions: some services are not accessible from rich browser apps (both Flash and Silverlight)
• Change must come from:
• Browser APIs - IE, NPAPI (Safari & Firefox)
• Service owners, e.g. Google allows X-Http-Verb-Override:DELETE instead of HTTP DELETE
• Can use a proxy: SL app → proxy on its own origin → service (diagram)
Page 19
Page 20
• WebClient
• Simple to use
• Limited functionality
• HttpWebRequest
• Access to all features
• Future possibility:
Usability Improvements to HTTP client
• Serializer integration, URI templates, etc.
• Available as a sample
http://code.msdn.microsoft.com/SilverlightWS
Page 21
Diagram, networking stack: High-level components and User Code (HttpWebRequest) → Browser Plugin APIs → Web Browser (cookies, authenticated sessions, caching, proxy server to use) → Windows/Mac Networking Layer. The diagram marks "Restrictions" at two points in this stack.
Page 22
• Creating Services for Silverlight
• Creating and consuming WCF services
• Securing local services
• Creating public services (safe for cross-domain)
• Accessing Services that Describe Themselves
• “Add Service Reference”
• Accessing Services that Don’t Describe Themselves
• WebClient / HttpWebRequest, manual work
• Accessing Feeds
• RSS/Atom
Page 23
• Silverlight introduction
• Transparency and Fx security
• Connectedness
• Users
Page 24
• Silverlight will use auth. information in the browser
Diagram: the HTML page performs an ASP.NET login (User/Password) against YourDomain.com; the browser holds the resulting auth info (e.g. a cookie), and the Silverlight app's service calls carry that auth info along. Silverlight code does not normally deal with credentials (user, password).
Page 25
• Silverlight will use auth. information in the browser
• This is exactly what you want!
• Login once for web page + Silverlight
• To get user identity in WCF Services:
• Turn ASP.NET Compat Mode on (template will do this for you)
• HttpContext.Current.User – current user
Page 26
“Picking the top RIA toolkit of 2008 was no easy task. Our prize goes to Silverlight because it beats Flash in runtime performance; it has a modest download size; the design tools are good; it boasts wonderful .Net language support and a best-of-breed development environment in Visual Studio 2008…”
Infoworld, Jan 2009