RIA Security - Broken By Design. Joonas Lehtinen IT Mill - CEO

Similar documents
Rich Web Applications in Server-side Java without. Plug-ins or JavaScript

Rich Web Applications in Server-side Java without. Plug-ins or JavaScript

Google Web Toolkit (GWT)

Tooling for Ajax-Based Development. Craig R. McClanahan Senior Staff Engineer Sun Microsystems, Inc.

IBM JZOS Meets Web 2.0

Developing Ajax Web Apps with GWT. Session I

Human vs Artificial intelligence Battle of Trust

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Web 2.0 Käyttöliittymätekniikat

Designing Reusable Web Components

Introduction Haim Michael. All Rights Reserved.

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Creating an Online Catalogue Search for CD Collection with AJAX, XML, and PHP Using a Relational Database Server on WAMP/LAMP Server

Credits: Some of the slides are based on material adapted from

Attacking Web2.0. Daiki Fukumori Secure Sky Technology Inc.

Web Frameworks MMIS 2 VU SS Denis Helic. March 10, KMI, TU Graz. Denis Helic (KMI, TU Graz) Web Frameworks March 10, / 18

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

C1: Define Security Requirements

GRITS AJAX & GWT. Trey Roby. GRITS 5/14/09 Roby - 1

JavaServer Faces Technology, AJAX, and Portlets: It s Easy if You Know How!

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

eclipse rich ajax platform (rap)

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Some Facts Web 2.0/Ajax Security

,

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

AJAX Programming Chris Seddon

AJAX: Rich Internet Applications

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Java EE 7 is ready What to do next? Peter Doschkinow Senior Java Architect

Sichere Software vom Java-Entwickler

(p t y) lt d. 1995/04149/07. Course List 2018

Project 2: Web Security

THE NEW ERA OF WEB DEVELOPMENT. qooxdoo. Andreas Ecker, Derrell Lipman

Application vulnerabilities and defences

Assignment 6: Web Security

Introduction to Ajax. Sang Shin Java Technology Architect Sun Microsystems, Inc.

Fortify Software Security Content 2017 Update 4 December 15, 2017

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Checklist: Requirements GUI Test tool for Java and/or Web

COMP9321 Web Application Engineering

Etanova Enterprise Solutions

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

DESIGN AND IMPLEMENTATION OF SAGE DISPLAY CONTROLLER PROJECT

Integration Test Plan

Top 10 AJAX security holes & driving factors

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Information Security CS 526 Topic 8

Introduction to InfoSec SQLI & XSS (R10+11) Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Copyright

RKN 2015 Application Layer Short Summary

Etanova Enterprise Solutions

GUI Testing to the edge. Quality is not a given and testing is fun

GOING WHERE NO WAFS HAVE GONE BEFORE

Information Security CS 526 Topic 11

Designing Reusable Web Components

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Web Security: Vulnerabilities & Attacks

Web Penetration Testing

Financial. AngularJS. AngularJS.

Financial. AngularJS. AngularJS. Download Full Version :

Upload to your web space (e.g., UCSC) Due this Thursday 4/8 in class Deliverable: Send me an with the URL Grading:

1 About Web Security. What is application security? So what can happen? see [?]

CIS 4360 Secure Computer Systems XSS

Welcome to the OWASP TOP 10

Ben Livshits and Úlfar Erlingsson. Microsoft Research

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

Comet and WebSocket Web Applications How to Scale Server-Side Event-Driven Scenarios

Migrating traditional Java EE applications to mobile

Web Application Security. Philippe Bogaerts

PHP. MIT 6.470, IAP 2010 Yafim Landa

Working with Javascript Building Responsive Library apps

Seeking a Java design and coding position with some technical management responsibilities.

Roadmap. Mike Chtchelkonogov Founder & Chief Technology Officer Acumatica

Integrity attacks (from data to code): Cross-site Scripting - XSS

Robust Defenses for Cross-Site Request Forgery

AJAX: From the Client-side with JavaScript, Back to the Server

Ajax and Web 2.0 Related Frameworks and Toolkits. Dennis Chen Director of Product Engineering / Potix Corporation

Web Application Penetration Testing

SSC - Web applications and development Introduction and Java Servlet (I)

A Model-Controller Interface for Struts-Based Web Applications

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Using JavaScript on Client and Server with Project Phobos

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

1 Front-end Technologies - Historical Overview

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Founder & CEO

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Services Interoperability With Java Technology and.net: Technologies for Web 2.0

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

An update on the latest strategies for building Ajax applications with JavaServer Faces

Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications OWASP. The OWASP Foundation

Networking & The Web. HCID 520 User Interface Software & Technology

Chrome Extension Security Architecture

Transcription:

RIA Security - Broken By Design Joonas Lehtinen IT Mill - CEO

a system is secure if it is designed to be secure and there are no bugs

no system should be designed to be insecure

not all bugs are security holes

not all security holes are found and exploited

security broken by design?

advertises security holes and makes avoiding them harder

1. 2. 3. RIA GWT Vaadin Security Architecture Complexity Attack surface Breaking in PayMate Attacks

Rich Internet Application

web platform 3D games business software web pages User Interface Complexity

Web Sites Ajax Sugar Full RIA Plugin JavaScript PHP JQuery Flex SmartClient JSP Wicket Dojo Silverlight JavaFX GWT ExtJS Seam Scriptaculous Client Side JSF Server Driven Tapestry MooTools ZK ICEFaces

UI logic runs in browser (as JavaScript or in plugin) Client Side Server Driven UI logic runs in server (framework updates UI in browser)

Google Web Toolkit

Apache -licensed User Interface Framework for building RIA in Java

Hosted Mode Browser Web Browser Subset of java.lang, java.util IE6 Web Server Widgetset Your Application UI Java to JavaScript Compiler IE7 Firefox Safari Your Application Logic DB

Vaadin

Apache -licensed User Interface Framework for building RIA in 100% Java

architecture Web Browser Java Server or Portal Your Custom Theme (optional) Servlet Vaadin Widgets (vaadin.jar) Servlet / Portlet / JSF / JSP /... (optional) Google Web Toolkit Vaadin Widgets (Rendering) Your Custom Widgets (optional) Your User Interface Your Business Logic

Security

Web 1.0 Client 5 Visible data filtering by access Server SQL injection DOM HTML Page over HttpResponse View 4 Model 3 Parameters over HttpRequest 1 Parameter parsing and validation Controller 2 DB Authentication

Client Side RIA All view and controller code is sent to all clients Client 4 Visible data filtering by access Server View 5 Requested data to view as XML / JSON SQL injection DOM 1 Model 3 Controller Client (and thus view and controller) can not be trusted Changes to model encoded as parameters 2 Parameter parsing and re-validation Authentication DB

Rule #1 Never trust the browser

Server Driven RIA Client DOM 9 1 TerminalAdapter 8 HTML Page over HttpResponse Automated by the RIA framework Parameters over HttpRequest 2 TerminalAdapter 7 3 Server View Controller Model 4 6 5 DB

Server Driven RIA Visible data filtering by access Client DOM 9 TerminalAdapter HTML Page over HttpResponse Automated by the RIA framework Handled by the framework 1 Parameters over HttpRequest 2 TerminalAdapter View Server 8 SQL injection 7 3 Controller Model 4 6 5 DB

Rule #2 Complexity is a hiding-place for security-flaws

complexity Aspect Server Driven Client Side No access to server resources - X Web-service API design - X Communication design - X Client-side validation - X Server-side validation X X Untrusted runtime - X Exposed runtime - X Highly dynamic language - X

Rule #3 Large surface: easy to attack, hard to defend

Attack Surface: Web 1.0 Web page HTML (presentation) Form parameters Parameter parsing Parameter validation Cross-site scripting (XSS)

Attack Surface: Client-side RIA Web page DOM (presentation) Form parameters (for hybrid solutions) Parameter parsing Parameter validation Cross-site scripting (XSS) UI logic can be Evaluated: Black-box changes to white-box! Changed Web services - a lot of API is exposed and can be called directly same as web 1.0

Attack Surface: Server Driven RIA Web page DOM (presentation) Form parameters (for hybrid solutions) Parameter parsing Parameter validation Cross-site scripting (XSS) UI logic can be Evaluated: Black-box changes to white-box! Changed Web services - a lot of API is exposed and can be called directly

Breaking In

Local demo http://localhost:8280/paymate/ Online demo http://vaadin.com/web/joonas/wiki/-/wiki/main/ria%20security [ no relation to paymate.com.au or paypal.com ]

GWT version Client-side RIA version Client Side RIA [ Google Web Toolkit ] Vaadin version Server-side RIA version Server Driven RIA [ IT Mill Toolkit ] [ Custom code ] Running on Client User Inteface Web Service API Async Web Service API [ Custom code ] Running on Server Web Service API Impl Business Logic DB User Inteface

Case #1 Injection

SELECT NAME,ID FROM ACCOUNT WHERE NAME=' ' OR TRUE OR ''=' ' AND PASSWORD=''

attack SQL injection

Injection Cures: Isolation: Keep data and execution separate Validation: Reject suspicious data Escaping: Modify the data to keep it from affecting the execution Client Side RIA Server Driven RIA vulnerable vulnerable

Case #2 Double validation

Missing double validation It is often convenient to do data some validation in the user interface logic Attacker can always bypass any validation done in the browser Thus everything must be validated (again) in the server! Lack of double validation is almost impossible to notice in testing or normal use

attack rewriting clientside logic

attack forging http transport

POST Data 4ï 0ï 7ï http://localhost:8080/paymate/clientside/com.paymate.gwt.paymateapplication/ï 29F4EA1240F157649C12466F01F46F60ï com.paymate.gwt.client.paymateserviceï sendmoneyï Dï java.lang.stringï joonas@vaadin.comï 1ï 2ï 3ï 4ï 2ï 5ï 6ï 999999ï 7ï -99999

var xhr = document.body.childnodes[5].contentwindow.xmlhttprequest; Override the original XMLHttpRequest implementation xhr.prototype.originalsend = xhr.prototype.send; xhr.prototype.send = function(a) {! Create UI for our hack tool var panel = document.createelement("div");! panel.innerhtml = "<textarea id='postdata' cols=80 rows=20> "+ "</textarea><br/><button id='postbutton'>post</button>";! document.body.appendchild(panel);! document.getelementbyid('postdata').value=a; Do the sending when the button is pressed! var t = this; document.getelementbyid('postbutton'). addeventlistener("click",function() {!! t.originalsend(document.getelementbyid('postdata').value);!! document.body.removechild(panel);! }, true); };

Double validation Cures: Never skip server-side validation Code review is a must - testing does not help Never think server-validation could be seen as extra work that will be added later in the project Client Side RIA Server Driven RIA vulnerable not vulnerable

Case #3 Forging references

Client 1. Client asks for service Web Service API 2. Service request is delegated to business logic 3. List of accessible object is requested Business Logic Process ref ref Data Model Object List Object A Object B

Client 3. More info about object is requested, with forged reference 1. Client asks for list of objects, references are returned ref ref Web Service API Web Service API 2. List of accessible object is requested 4. Info about wrong object is retrieved. Data model trusts the reference! ref Data Model Object List Object A Object B

attack requesting data with forged ids

Forging references Cures: Never pass any data-model level references to the client Do all the access checks for each call from client Client Side RIA Server Driven RIA vulnerable not vulnerable

These bugs are just plain stupid! [our team is smart enough to avoid them]

really? I can assure that Yes No I would newer do mistakes like these Not even under pressure, late at night, on deadline And neither would the rest of the team, no-one Or the guys working for our off-shore contractor And we rigorously double review all of our code And trust we would spot 100% of these And we review all legacy code too We will newer have any black boxes in our system

Rule #4 There will be bugs

summary

Rule #1 Never trust the browser Rule #2 More complexity - less security Rule #3 Large surface is hard to defend Rule #4 There will be bugs

Questions Comments joonas@vaadin.com skype://joonaslehtinen +358-40-5035001

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback