Towards Building Secure Web Mashups - OWASP Foundation
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Towards Building Secure Web Mashups
Maarten Decat, Philippe De Ryck, Lieven Desmet, Wouter Joosen, Frank Piessens
DistriNet Research Group, Katholieke Universiteit Leuven, Belgium
23/06/2010
Mashups by example
Mashups: Definition
A web application that combines content (data/code) or services from multiple origins to create a new service
Incentives for mashups
Added value of combined result
Content re-use
Flexible and lightweight applications
Presentation Overview
1. Mashup Requirements
2. Mashup Security
   Separation
   Interaction
   Communication
3. Future Developments
Example Case: The Financial Mashup
Online Bank
Stock Advisor
E-mart Billing
Smart Advertising
Requirements for mashups
Interaction with other components
Communication with integrator / provider
Data / code protection
Restricted interaction
Separation, Interaction, Communication
Same Origin Policy
Basic security policy of the web
  Constructed for static applications
  Separates documents from different origins
  Limits communication to document origin
SOP and HTML
  IFRAME offers document separation using domains
  SCRIPT offers script inclusion and interaction
Insufficient for dynamic mashup applications
Leveraging separation (1)
Restriction of the SOP
  No interaction between different-origin documents
Mashups have a history of enabling interaction:
  Fragment Identifier Messaging [1]
  SMash [2]
  Subspace [3]
  postMessage [1]
Leveraging separation: postMessage
Enables frame communication
  JavaScript API to send/receive messages
  Event-driven
  Mutual authentication
Standardized
  Part of HTML5
  Already supported in major browsers
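```javascript
// Receiving frame: accept messages only from the expected origin
window.addEventListener("message", rcv, false);

function rcv(event) {
  if (event.origin !== "http://example.org") return;
  // handle event
}

// Sending frame: the message is delivered only if the target has this origin
var f = frames[1];
f.postMessage("abc123", "http://frame.example.com");
```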
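The two origin checks behind the "mutual authentication" point, as an added example that is not part of the original slides: a small model that runs in Node without a browser. `makeFrame`, `deliver` and the `example.org.other.test` origin are constructed for illustration.

```javascript
// Added example, not from the slides; makeFrame(), deliver() and all origins are constructed.

// Serialize a URL's origin the way event.origin reports it.
function originOf(url) {
  return new URL(url).origin;
}

// A frame whose handler accepts messages only from an exact-match allowlist.
function makeFrame(location, trustedOrigins) {
  const received = [];
  return {
    origin: originOf(location),
    received,
    handle(event) {
      // Receiver check: strict comparison, never startsWith()/indexOf().
      if (!trustedOrigins.includes(event.origin)) return false;
      // The origin check authenticates the sender; still validate the data.
      if (typeof event.data !== "string") return false;
      received.push(event.data);
      return true;
    },
  };
}

// Sender check: the browser drops the message unless the target's current
// origin equals targetOrigin ("*" switches this check off).
function deliver(sender, target, data, targetOrigin) {
  if (targetOrigin !== "*" && target.origin !== originOf(targetOrigin)) {
    return "dropped-by-browser";
  }
  return target.handle({ origin: sender.origin, data })
    ? "accepted" : "rejected-by-receiver";
}

const integrator = makeFrame("http://example.org/mashup", ["http://frame.example.com"]);
const widget = makeFrame("http://frame.example.com/widget", ["http://example.org"]);
// Constructed origin that merely begins with the trusted one.
const other = makeFrame("http://example.org.other.test/", []);

function demo() {
  return {
    expected: deliver(integrator, widget, "abc123", "http://frame.example.com"),
    // The frame was navigated to another origin: targetOrigin withholds the data.
    navigated: deliver(integrator, other, "abc123", "http://frame.example.com"),
    // Untrusted sender reaches the widget but fails the event.origin check.
    untrusted: deliver(other, widget, "abc123", "http://frame.example.com"),
  };
}
console.log(demo());
```

Passing `"*"` as the target origin removes the sender-side check, so the receiver's `event.origin` comparison becomes the only control left.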
Leveraging separation (2)
Restriction of the SOP
  No separation between same-origin documents
Stronger separation than IFRAMES:
  Module-tag [4]
  MashupOS [5]
  OMash [6]
  Sandbox-attribute [7]
Leveraging separation: sandbox
Provides frame restrictions
  Unique origin
  Disable plugins, forms, script, navigation
Standardized
  Part of HTML5
  Not yet supported in major browsers (only Chrome)
Some underspecified behavior
  Unique origin and cookies
  Unique origin and interaction/communication
```html
<iframe src="http://example.com" sandbox>…</iframe>
```
Leveraging interaction (1)
Restriction of the SOP
  No separation between loaded scripts (origin agnostic)
Restriction of script inclusion
  No control over loaded scripts
Subsetting JavaScript:
  ADSafe [8]
  Facebook JavaScript [9]
  Caja [10]
Leveraging interaction: Caja
Goal: object-capability security in JavaScript with a minimal impact
  Static verification
  Runtime checks
Allows reasoning about the language [11]
Successfully used on Yahoo Application Platform, iGoogle, …
Leveraging interaction (2)
Restriction of the SOP
  No separation between loaded scripts (origin agnostic)
Restriction of script inclusion
  No control over loaded scripts
Behavior control / Policy enforcement:
  Browser Enforced Embedded Policies [12]
  Self-Protecting JavaScript [13]
  ConScript [14]
  Secure Multi-Execution [15]
Enabling Communication
Restriction of the SOP
  No communication to different origins
Mashup techniques have proven otherwise:
  Client/Server-side Proxies [3]
  Script Communication
  Plugin Communication (Flash, Java, …) [16]
  Cross-Origin Resource Sharing [17]
Enabling Communication: CORS
Enables cross-domain communication
  Same mechanism as XHR
  Uses additional headers to supply information
  Enforcement by browser
  Protection of legacy code!
About to be standardized
  W3C Working draft
  Specifies API and algorithms, not implementation
  Already supported in major browsers
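How the additional headers and browser enforcement fit together, including why a legacy server that sends no CORS headers stays protected, as an added example that is not part of the original slides. It is a simplified model of the browser's read check and a provider-side allowlist; the function names and the `mashup.example` / `ads.example` origins are constructed for illustration.

```javascript
// Added example, not from the slides: simplified browser-side CORS read check.
// Header names are the real CORS headers; origins and responses are constructed.

// May script on `requestOrigin` read this cross-origin response?
// `headers` uses lower-cased header names.
function mayReadResponse(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  // Legacy server that never opted in: the browser withholds the response.
  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    // Credentialed reads need the exact origin plus an explicit opt-in.
    return allowOrigin === requestOrigin &&
      headers["access-control-allow-credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === requestOrigin;
}

// Provider side: echo the Origin header only if it is on the allowlist.
function corsHeadersFor(origin, allowlist, allowCredentials) {
  if (!allowlist.includes(origin)) return {};
  const headers = { "access-control-allow-origin": origin, vary: "Origin" };
  if (allowCredentials) headers["access-control-allow-credentials"] = "true";
  return headers;
}

const MASHUP = "https://mashup.example"; // constructed integrator origin
const ADS = "https://ads.example";       // constructed third-party origin
const bankAllowlist = [MASHUP];

function corsDemo() {
  return {
    legacy: mayReadResponse(MASHUP, false, {}),
    allowed: mayReadResponse(MASHUP, true, corsHeadersFor(MASHUP, bankAllowlist, true)),
    notListed: mayReadResponse(ADS, true, corsHeadersFor(ADS, bankAllowlist, true)),
    wildcardWithCredentials: mayReadResponse(MASHUP, true, {
      "access-control-allow-origin": "*",
      "access-control-allow-credentials": "true",
    }),
    wildcardPublic: mayReadResponse(ADS, false, { "access-control-allow-origin": "*" }),
  };
}

console.log(corsDemo());
```

The check only governs whether the response is exposed to script; a simple cross-origin request still reaches the server, so state-changing endpoints need their own authorization.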
Overview
Online Bank
Stock Advisor
E-mart Billing
Smart Advertising
Interaction with other components: postMessage
Data / code protection: sandbox / caja
Restricted scripts: caja / policy-based techniques
Communication with integrator / provider: CORS
Future of mashup security
Mashup situations are extremely complex
Current techniques are a strong foundation, but need abstractions to become powerful
(Business) requirements
Policy based approach
  Provided with the application
  Controls fine-grained aspects (isolation, restriction, …)
References (1)
[1] Securing Frame Communication in Browsers, Barth, A. et al., 2008
[2] SMash: Secure Component Model for Cross-Domain Mashups on Unmodified Browsers, De Keukelaere, F. et al., 2008
[3] Subspace: Secure Cross-Domain Communication for Web Mashups, Jackson, C. et al., 2007
[4] The <module> tag, http://www.json.org/module.html, 2010
[5] MashupOS: Operating System Abstractions for Client Mashups, Howell, J. et al., 2007
[6] OMash: Enabling Secure Web Mashups via Object Abstractions, Crites, S., 2008
[7] HTML 5 Working Draft, Hickson, I. et al., 2010
[8] ADSafe, http://www.adsafe.org/, 2010
[9] FBJS - Facebook Developer Wiki, http://wiki.developers.facebook.com/index.php/FBJS, 2010
References (2)
[10] Caja: Safe Active Content in Sanitized JavaScript, Miller, M. et al., 2008
[11] Object Capabilities and Isolation of Untrusted Web Applications, Maffeis, S. et al., 2010
[12] Defeating Script Injection Attacks with Browser-Enforced Embedded Policies, Jim, T., 2007
[13] Lightweight self-protecting JavaScript, Phung, P. et al., 2009
[14] ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser, Livshits, B. et al., 2009
[15] Noninterference Through Secure Multi-Execution, Devriese, D. et al., 2010
[16] Browser Security Handbook, Zalewski, M., 2010
[17] Cross-Origin Resource Sharing, van Kesteren, A., 2009