Secure Mashups
- 3. Overview
  - More services and data sources
  - More consumers want to utilize these services
  - Tools: ADsafe, Caja, dojox.secure
- 6. Trust between mashup participants
  - Exploits between participants
  - Consumers gaining excess privileges
  - Services exploiting consumers
- 9. Client Side Mashups
  - Directly utilize the broker (the browser)
  - Direct communication
  - Exploits: cross-site scripting, cross-site request forgery
- 10. Providing services for mashups
  - Publicly accessible resources are simple: provide as many transports as possible
  - Protected resources are more complicated
- 11. Services protecting resources
  - Authentication and authorization MUST be differentiated
  - Cross-site request forgery is a major exploit
  - Cookies should be used for authentication
  - Authorization:
    - May require user interaction
    - May be based on origin (Referer header or Access-Control-Origin header)
- 12. JSON Hijacking
  - CSRF vulnerability + top-level arrays = exploit
  - Mitigation: modified JSON, i.e. commenting or a {}&&[...] prefix
  - Best to have good CSRF protection
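The {}&& guard from this slide, as an added JavaScript example that is not part of the original deck (the function names and the sample records are assumptions): the service prefixes its top-level array, the consumer strips the prefix before JSON.parse, and a parse-only check shows why the prefixed body cannot be loaded as a script.

```javascript
// Added example, not from the slides: the "{}&&" modified-JSON guard against
// JSON hijacking. Function names (guardJson, parseGuardedJson,
// isLoadableAsScript) and the sample records are assumptions.

var GUARD = '{}&&';

// Service side: prefix the serialized top-level array. A <script src> on a
// hostile page would receive a body that is not a valid JavaScript program,
// so the array literal is never evaluated there. The legitimate consumer
// strips the prefix before parsing.
function guardJson(value) {
  return GUARD + JSON.stringify(value);
}

// Consumer side: insist on the guard, strip it, then use a real JSON parser.
// Never eval() the body; eval would make the guard pointless.
function parseGuardedJson(text) {
  if (text.slice(0, GUARD.length) !== GUARD) {
    throw new Error('response is missing the {}&& guard; refusing to parse');
  }
  return JSON.parse(text.slice(GUARD.length));
}

// Does the JavaScript parser accept this body as a script? That is exactly
// what a cross-site <script src> relies on. Function() only parses the body
// here; nothing is executed. A SyntaxError means the body is inert as a script.
function isLoadableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample: the top-level-array shape that JSON hijacking targets.
var records = [
  { id: 1, email: 'alice@example.invalid' },
  { id: 2, email: 'bob@example.invalid' }
];
var plainBody = JSON.stringify(records);   // parses as a script: hijackable
var guardedBody = guardJson(records);      // SyntaxError as a script: inert
```

Run under Node.js; in a browser the same parseGuardedJson applies to the XHR response text, and CSRF protection on the service is still required.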
- 14. Client Side Transports: Fragment Identifier Messaging
  - Outer frame: http://mashup.com/
  - Inner frame: http://service.com/#message_for_the_outer_frame
- 16. Client Side Transport: window.name
  - Data is loaded in a sandboxed frame, so the mashup is protected from malicious code
  - Client-side handling
  - UI interaction possible
  - Efficient
- 17. Client Side Transport: postMessage
  - Iframe based
  - Allows client-side handling
  - User interaction can be utilized for authorization of resources
  - Efficient transport
  - Conventions/standards to be developed for proxying requests
- 18. Client Side Transport: Native XHR with W3C CS-AC
  - Coming soon
  - Efficient
  - Secure: no code execution
  - More complicated authorization
- 19. Third-party widgets
  - We want third-party code to execute, but in a controlled manner
  - Protect the environment: provide access to a subset of the DOM
  - Restrict JavaScript features
- 20. ADsafe
  - Disables features in JavaScript that prevent containment/sandboxing:
    - Global variables
    - [index], this, ==, !=
    - Properties: apply, call, callee, caller, constructor, eval, prototype, this, unwatch, valueOf, watch, and anything starting or ending with __
    - with, eval
- 21. ADsafe
  - ADsafe-compliant JavaScript can only access objects that are “given” to it.
  - ADsafe scripts can be safely sandboxed, and one can control what objects are accessible.
- 22. Caja
  - Object-capability version of JavaScript (same idea as ADsafe)
  - Larger set of language features (fewer major restrictions)
  - Uses code translation
- 23. Dojo Secure
  - Full framework for loading, validating, and providing a safe set of library functions and safe access to the DOM.
  - Provides a loading registry with different loading mechanisms
  - Uses ADsafe-style language constraints
  - Provides |this| within class constructors
- 24. Dojo Secure
  - Provides restricted access to the DOM through a facade that keeps the standard API
  - Provides a library API (no namespacing; none is needed in a global-less environment)
  - Full framework: loading, validation, and DOM sandboxing
- 25. Using dojox.secure

      // Register cross-domain loading mechanism
      dojox.io.xhrWindowNamePlugin("http://siteA.com");
      // Create sandbox
      var mySandbox = dojox.secure.sandbox(dojo.byId("sandbox"));
      // Securely load, validate, and evaluate HTML or JavaScript
      mySandbox.loadJS("http://siteA.com/widget.js");
      mySandbox.loadHTML("http://siteA.com/widget.html");
- 26. dojox.secure
  - Create HTML or JavaScript; element and document provide access to the DOM
  - innerHTML and DOM methods available
  - Follow sandboxing rules (avoid restricted operators and globals)
  - Full library available: query, byId, style, forEach, Class, fromJson, etc.
  - Use Class to build methods with the this operator
  - Accompanied by demo
- 30. dojox.secure to create client-side mashups
  - Mutually suspicious components can coexist
  - Eliminates vulnerabilities between widgets