Layer 7: Securing Web 2.0 - What You Need to Know

Securing Web 2.0
What You Need to Know
K. Scott Morrison
VP Engineering and Chief Architect

January 2007

Bio – K. Scott Morrison

VP Engineering & Chief Architect at Layer 7 Technologies
• http://www.layer7tech.com
• Layer 7 is based in Vancouver BC, Canada

Co-author of Sams’ Java Web Services Unleashed and Wrox’s
Professional JMS
• Over 50 other publications in academic journals and trade magazines

Co-Editor WS-I Basic Security Profile
Co-Author WS-Federation

Frequent speaker on Web services, XML, mobile/wireless
computing systems, distributed systems architecture, and Java
design issues

January 2007

SecureSpan™ Gateway Overview Proprietary and Confidential 2

Agenda

Web 2.0
AJAX
What’s new about this?
The collision between AJAX & SOA
What are the new threat vectors
Mitigation strategies
Infrastructure solutions

January 2007


Web 2.0

Web 2.0 isn’t a technology
It’s actually an approach to building for the Web

Web 2.0 is:
MySpace
Aggregation of content Flickr

Collaboration Google Maps
Google Gmail
Synergizing the efforts of individuals Google Suggest
del.icio.us
Rich interaction models …etc

Remember: “You” is not a technology

Graphic source: http://www.time.com/time/covers/0,16641,20061225,00.html
January 2007


AJAX

AJAX is an approach underpinning Web 2.0
Provides rich browser interaction models
This contributes to goal of fostering individual contributions
Can also be used to aggregate content

AJAX is really a slick new name for existing technology:
1. (X)HTML and CSS for presentation markup
2. DOM and JavaScript for dynamic content
3. XMLHttpRequest (XHR), IFrame, dynamic <SCRIPT> hack
for asynchronous content retrieval
4. XML, JSON, JavaScript Objects, or just text for data
communication
So what is different here?

January 2007


Web 1.0

Firewall
Web
Application
Server Network
Directory
Server

User clicks link,
User clicks link,
presses button,
presses button,
is referred, etc
is referred, etc

Corporate
Network

Internet

Web
Browser

January 2007


Web 1.0 (cont.)

Firewall
Web
Application
Server Network
Directory
Server

AuthN,
AuthN,
AuthR
AuthR

HTTP headers+
Query params or
POST contents

HTTP GET or
HTTP GET or Corporate
POST
POST Network

Internet
HTTP
Request

Web
Browser

January 2007


Web 1.0 (cont.)

Firewall
Web
Application
Server Network
Directory
Server

New page
New page
rendered
rendered

Corporate
Network

HTTP Internet
Response

HTML, images,
JavaScript, etc

User experiences long
Web
Browser latency delays that affects
usability
January 2007


Web 2.0 – AJAX Paradigm

Firewall
Web
Application
Server Network
Directory
Server

… Request as before
… Request as before
Page load HTML
Page load HTML
with embedded
with embedded
JavaScript Engine Corporate
JavaScript Engine
Separation between Network
presentation and
HTTP
content retrieval
Response
Internet

HTML, images,
JavaScript
engine, etc

Web
Browser

January 2007


Web 2.0 – AJAX Paradigm (cont.)

Firewall
Web
Application
Server Network
Directory
Server

Service

HTTP GET,
HTTP GET,
POST, PUT,
POST, PUT,
DELETE, HEAD,
DELETE, HEAD,
etc
User interacts etc Corporate
User interacts Network
with AJAX HTTP
with AJAX
engine Request
engine
Internet

HTTP
XML, JSON,
Response
JavaScript
Objects, text, etc

Web
Browser

January 2007


Web 2.0 – Server Side Aggregations
Look familiar? It’s data
integration all over again… Firewall
New data, new transport, Web
same old problems Application
Server pulls Server Network
Server pulls Directory
external
RSS, ATOM, external Server
XML, etc information
information

External
Feeds and
Services

User interacts Corporate
User interacts Network
with web app
with web app
server
server
Internet
Aggregate
content page

This, of course could There are also models for
Web also be an AJAX-based
Browser application
client-side (browser)
aggregation
January 2007


What are the Threats?

Threats Against The Client
New Attack
New Attack
Surface: the
Surface: the
AJAX engine
AJAX engine
itself
itself

AJAX
Engine Loads of potential parameter &
injection attacks. Attempts to
hijack session tokens, cookies, etc.
Cross Site Scripting (XSS), Cross
Site Reference Forgery (XSRF)

Lots of potentially dangerous
Lots of potentially dangerous
things to query or even set.
things to query or even set.
Consider DOM:
Consider DOM:
document.URL
document.URL
document.cookie
document.cookie
Web document.domain
document.domain
Browser document.referrer
document.referrer
etc…
etc…

Turn off JavaScript??? No.
January 2007


What are the Threats (cont.)?

Firewall
Threats Against The Server Web
Application
Server

Classic Attack
Classic Attack
Surface, but
Surface, but
with new
with new
challenges
challenges

80, 443

In: Richer parameter
attacks, XML-based DOS Corporate
attacks, etc Network

Out: Information leaking,
integrity compromise,
injection, etc
Big problem: XML parsers
are just too helpful and
naive

January 2007


What are the Threats (cont.)?

Threats Against Content

External
Feeds and
Services
In: Session hijacking,
unauthorized access, etc
Out: Integrity compromise,
injection of poison content Corporate
like scripts into XML, etc Network

Another classic attack
Another classic attack
surface, but with still
surface, but with still
more new challenges
more new challenges
Note that the aggregator is
just another web client. It’s
not a browser, but many
similar attack still apply
January 2007


Why Should You Care?

Big questions around corporate responsibility
Regulatory issues around privacy (HIPAA, PIPEDA, etc)
Regulatory issues around accountability (Sarbox, etc)
Liability for forged transaction
Liability for damage from compromised servers

Not to mention huge issues around
brand and reputation damage accrued
from a significant security event

January 2007


Tactical Security Measures

Clients (browsers)
Tough area to secure
Must ensure you are serving solid code
Rigorous code review
AJAX has submarine complexity
Ensure that data streams you serve are validated
Redaction, strict validation to tightened schemas

Servers offer
Servers offer
clean and secure
clean and secure
code
code

Servers offer
Servers offer
validated and
validated and
cleansed data
cleansed data
The problem with JavaScript
is that it makes it easy to
Web write code, but hard to
Browser write secure code
January 2007


Tactical Security Measures (cont.)

Core Servers (Web application servers)
More control, and more mature best practices
Add rigorous AuthN, AuthR, Audit
Look at cryptographic model
Inward: DOS protect
Threat protect
Parameter validate
Outward: Schema validation and redaction

Validate
Validate
params
params

Validate and
Validate and
cleanse data
cleanse data
What makes this difficult is the
Secure channel added complexity of XML data
Secure channel
structures, and the richer attack
surface of service-based APIs
January 2007


Tactical Security Measures (cont.)

Aggregation Servers (Application servers)
Emerging area, with few best practices
Encourage authenticated access model
You may be forced into this anyway…
Look at cryptographic model
Incoming data: Validate feed content
Strip potential exploits like embedded
<SCRIPT> tags
Authenticate
Authenticate
access
access The big problem here is you may not
have control of the source of the data. A
large number of sites are cracking down
Validate and
on “unauthorized” use in mashups.
Validate and
threat protect
threat protect
data feed
Furthermore, APIs may change
data feed
radically, making it critical to validate
the incoming feed against a schema to
Secure channel
Secure channel catch API updates

January 2007


Thanks For Nothing Scott: “So How Do I Really Do This?”

You could just build it into your systems…

But that is brittle and error-prone

What you really need is specialized infrastructure built for this
purpose
Needs to be:
High performance
Scalable
Simple to configure

And most important: offer tunable security policy

January 2007


Why Tunable Policy?

Not all services are equal:
Not all services are equal:

getStockQuote():
anonymous access,
unsecure channel

buyStock():
authenticated and
authorized access, secured
(integrity and privacy)
channel or message

Policy (the security
Policy (the security
processing model) must
processing model) must
be customized to the
be customized to the
business requirements
business requirements
January 2007


Securing Web 2.0: SecureSpan Data Screen™

January 2007



Hardware appliance for Web, REST, & AJAX security
processing.
ASICs for XML schema validation, XPath, XSLT, cryptographic
operations
Fully clustered
Policy-based processing model
Browser-based management and operations console
Integration with all major directory, IAM, access control
servers
Integration with Symantec antivirus scan engine

Web Browser-based SecureSpan Data Screen™
management and cluster
operations

January 2007


Wire speed schema validation of XML entering network
Wire speed schema validation of XML entering network
Rigorous HTTP parameter validation
Rigorous HTTP parameter validation
Tight control over HTTP methods (GET, POST, Web
Tight control over HTTP methods (GET, POST,
DELETE, PUT, etc). Control over REST. Application
DELETE, PUT, etc). Control over REST.
Server Network
Hardware transformation of XML content in and out of
Hardware transformation of XML content in and out of Directory
network
network Server
Throttle access to back end services
Throttle access to back end services
Traffic shaping across server farms
Traffic shaping across server farms
XML threat detection
XML threat detection
Endpoint for SSL and XML document security
Endpoint for SSL and XML document security
(encryption, signature & canonicalization according to W3C
(encryption, signature & canonicalization according to W3C
specs)
specs)
Controlled striping of <SCRIPT>, eval() (PHP, JS,
Controlled striping of <SCRIPT>, eval() (PHP, JS,
Python, etc), shell injection attacks, etc to combat XSS
Python, etc), shell injection attacks, etc to combat XSS

Corporate
Network

Internet

Web
Gateway Deployment
Gateway Deployment
Browser
For Incoming Calls
For Incoming Calls
January 2007


Proxy Deployment For
Proxy Deployment For
Outgoing Calls
Outgoing Calls Web
Application
Server Network
RSS, ATOM,
XML, etc
Directory
Server

External
Services

Corporate
Network

Wire speed validation of XML entering network
Wire speed validation of XML entering network
Stripping of potential harmful data in feeds
Stripping of potential harmful data in feeds
(<SCRIPT>, etc)
(<SCRIPT>, etc)
Web Management of outgoing cryptography and credentials
Management of outgoing cryptography and credentials
Browser Wire speed transformation of XML data to insulate
Wire speed transformation of XML data to insulate
internal servers from external API changes
internal servers from external API changes
January 2007


Summary

Web 2.0 and the technologies associated with it are too good to
ignore

However, they introduce huge new security complexities

The only way to deal with these effectively is with diligence,
rigor, and specialized infrastructure to manage an evolving threat
model

Layer 7’s SecureSpan Data Screen™ provides the tools to help
secure Web 2.0, REST, AJAX, SOA, RSS and ATOM today.

January 2007


For further information:

K. Scott Morrison
Layer 7 Technologies
1501 – 700 West Georgia St.
Vancouver, B.C. V7Y 1B6
Canada
(800) 681-9377

smorrison@layer7tech.com
http://www.layer7tech.com

January 2007

Layer 7: Securing Web 2.0 - What You Need to Know

More Related Content

Similar to Layer 7: Securing Web 2.0 - What You Need to Know (20)

More from CA API Management (20)

Recently uploaded (20)

Layer 7: Securing Web 2.0 - What You Need to Know