2012 03 27_philly_jug_rewrite_static

Post on 01-Sep-2014


Security and Usability: URL-rewriting for the next-generation web user

Lincoln Baxter, III
Senior Software Engineer, Red Hat, Inc.
2012-03-27

Philly Java Users Group

Founder of http://ocpsoft.org/
“Simpler is better.”

What is URL-rewriting?

Any manipulation of the HTTP Request/Response life-cycle.

Mind the gap.

● Gap #1: “Relocated” or missing resources

● Gap #2: Readability & Clutter

● Gap #3: Revealing sensitive information

● Gap #4: Formatting of useful information

● Gap #5: Validation of user input

● … (and actually many more)

“Without URL-rewriting, our life would be $#@!'ing hell.”

One big thing.

Gap #1: “Relocated” or missing resources

404: slide not found

robo.to

github.com

blippy.com

What does it mean?

Distraction from failure.

1. The content existed and now does not.

2. The content never existed, fool.

“Either the website sucks or you suck, and neither is going to make anyone happy.”

Translated.

2 ways to have a magical 404 experience ...

301 Moved Permanently
302 Moved Temporarily

Google says, “Redirect to the new URL for at least 180 days.”

Gap #2: URL-readability

http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846

wtf?

We are friends.

http://amazon.com/shop/kindle-touch

Tired of trash in your face?

http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846

There's plenty of space out in space!

http://amazon.com/shop/kindle-touch?tracker=AAasfds3r32ydkl6fd854kdjf84hfidbdgv64n0curnoxydkl6fd854kdjf84hfidbdgv64n0ge8nfbh...

Gap #3: Revealing sensitive information

Visit: http://microsoft.com/genuine/downloads/faq.aspx

You will be redirected to a page without the .aspx suffix

.xhtml  .do  .asp  .jsp  .php  .cgi  .jsf  /

A good magician never reveals the implementation.

Gap #4: Formatting of useful information

http://example.com/buy/1/shoes/store


Be cool.

http://example.com/store/shoes/1
http://example.com/store/shoes/1/buy

http://example.com/store?buy=true&category=shoes&item=1

Why are people afraid of buying used cars?

You never know what you are going to get.

Trust me? http://www.youtube.com/watch?v=oHg5SJYRHA0

Build trust by reducing clutter and using clean URLs

Before:

http://example.com/news.xhtml?p=my-new-post

After:

http://example.com/news/my-new-post/

Gap #5: Validation of user input

URLs are user-input and your website is vulnerable!

Aspect Security says:

Two of three recent security vulnerabilities in web-frameworks are URL-based. *

* https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf

Real Life...

http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp

http://llbean.com/kids

Vulnerable!

Cluttered!

wtf?

validate?

Mind the gap.

● Gap #1: “Relocated” resources (404)

● Gap #2: Readability & Clutter

● Gap #3: Revealing sensitive information

● Gap #4: Formatting of useful information

● Gap #5: Validation of user input

URL-rewriting

Basic things we can do with all types of URL-rewriting

● Redirection & Relocation

● Parameterization

● Simple URL validation

● Add/Remove Headers

/store/{category}/{item}
/store/$attack-%3/begin
Accept-Charset: UTF-8

URL-rewriting: Proxy based (Non-Java)

Inbound only.

URL-rewriting: Filter Based (Native Java)

blatant lie

“I have no personal investment in any of these tools.”

- Me

Cool things we can do with Filter-based Java URL-rewriting

● Transformation and Canonicalization

● Complex Validation

● Data Conversion

● Request interception

● And more...

example.com/project/FOO → example.com/project/foo

.when(Path.matches("/store/product/{pid}")
      .where("pid").bindsTo(El.property("productBean.product")
                              .convertedBy(ProductConverter.class)
                              .validatedBy(ProductValidator.class)))
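As an added example that is not code from the talk or from the Rewrite project: a plain javax.servlet Filter that does the basic things listed above (parameterization, simple validation, canonicalization with a 301, adding a header) for the /store/{category}/{item} pattern. The class name, the allowed-character rule and the header it sets are my own assumptions, not something the slides specify.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class StoreRewriteFilter implements Filter {
    // Parameterization and simple validation in one place: a segment may contain only
    // letters, digits and dashes, so raw or encoded junk such as "$attack-%3" is rejected
    // before any application code sees it (the rule is an assumption for this example).
    private static final Pattern STORE_PATH =
        Pattern.compile("^/store/([A-Za-z0-9-]{1,40})/([A-Za-z0-9-]{1,40})/?$");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path relative to the context root, still percent-encoded: validate before decoding.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (!path.startsWith("/store/")) {
            chain.doFilter(req, res);   // not a store URL: leave it alone
            return;
        }
        Matcher m = STORE_PATH.matcher(path);
        if (!m.matches()) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND); // invalid input: fail closed
            return;
        }
        // Canonicalization: /store/Shoes/1/ becomes /store/shoes/1 via one permanent redirect
        String canonical = "/store/" + m.group(1).toLowerCase() + "/" + m.group(2).toLowerCase();
        if (!path.equals(canonical)) {
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", request.getContextPath() + canonical);
            return;
        }
        // Add/Remove Headers: the header chosen here is my own defensive default
        response.setHeader("X-Content-Type-Options", "nosniff");
        // Parameterization: expose the validated {category} and {item} to the application
        request.setAttribute("category", m.group(1));
        request.setAttribute("item", m.group(2));
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Map the filter to /store/* in web.xml or with @WebFilter; a request for /store/$attack-%3/begin then gets a 404 without ever reaching a servlet.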

Some things you should NOT do, with Java URL-rewriting

If it needs to run when your app doesn't... you probably don't want to put it in your app.

Demos (It's *barcode time)

Access Control / Timer Demo ( http://access-rewrite.rhcloud.com/ )

● Problem #1: “Relocated” resources (404)

● Problem #2: Readability & Clutter

● Problem #3: Revealing sensitive information

● Problem #4: Formatting useful information

● Problem #5: Validation of user input

Rest Validation/Conversion Demo ( http://rest-rewrite.rhcloud.com )

● Problem #1: “Relocated” resources (404)

● Problem #2: Readability & Clutter

● Problem #3: Revealing sensitive information

● Problem #4: Formatting useful information

● Problem #5: Validation of user input

Composite Query Demo ( http://composite-rewrite.rhcloud.com )

● Problem #1: “Relocated” resources (404)

● Problem #2: Readability & Clutter

● Problem #3: Revealing sensitive information

● Problem #4: Formatting useful information

● Problem #5: Validation of user input

Bonus round!

But client-side web applications are the future, can't I just ignore the URL and use WebSockets?!

Client side browser applications

Server serves: http://twitter.com/#!/lincolnthree

Client requests:
#!/lincolnthree
#!/connect
#!/discover
#!/lincolnthree/status/180710662975143936
#!/li

How can we clean it up?

Server serves: http://example.com/

request / response:
example.com/login
example.com/signup
example.com/lincoln/myproject → response: ?

Handling bookmarks

Server serves:
example.com/
example.com/login
example.com/lincoln/myproject

On each request the client inspects the path: login, lincoln/..., profile

Where am I?

example.com/

example.com/lincoln

example.com/lincoln/myproject

example.com/lincoln/lincoln

How do you determine the Context Root?

example.com/ ?
example.com/lincoln ?
example.com/lincoln/lincoln ?

Resolve the Context Root

http://example.com/lincoln

request:  HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath
response: 200 OK - Set Header: ContextPath = /
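The HEAD probe above, answered on the server side as an added example (my own illustration, not the Rewrite project's implementation): a javax.servlet Filter that recognises the marker query string and replies with the deployment's context path in the ContextPath header. The class name and the exact-match rule for the query string are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ContextPathProbeFilter implements Filter {
    // Marker query string the browser application appends to whatever URL it was loaded at.
    private static final String PROBE = "org.ocpsoft.rewrite.history.ContextPath";
    // Response header that carries the answer.
    private static final String HEADER = "ContextPath";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isProbe(request)) {
            // Whatever path the browser asked about (/lincoln, /lincoln/lincoln, ...), the
            // answer is the deployment's own context path, never the client's input, so
            // nothing from the request URL is reflected into the response.
            response.setHeader(HEADER, contextPathOf(request));
            response.setContentLength(0);
            response.setStatus(HttpServletResponse.SC_OK);   // HEAD: headers only, no body
            return;
        }
        chain.doFilter(req, res);
    }

    // Only a HEAD request whose query string is exactly the marker counts as a probe;
    // anything else is an ordinary request and goes through the normal chain.
    static boolean isProbe(HttpServletRequest request) {
        return "HEAD".equals(request.getMethod()) && PROBE.equals(request.getQueryString());
    }

    // The servlet API reports a root deployment as "", which the client expects as "/".
    static String contextPathOf(HttpServletRequest request) {
        String ctx = request.getContextPath();
        return ctx.isEmpty() ? "/" : ctx;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Mapped to /*, the filter turns "HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath" into "200 OK" with "ContextPath: /" for a root deployment, and the browser application routes everything after that prefix itself.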

Demos

● Access control (Request Interception)

● REST (Validation and Conversion)

● Composite Query (Security and Usability)

● SocialPM Rich Client (Browser Applications)

Mind the gap.

● Gap #1: “Relocated” resources (404)

● Gap #2: Readability & Clutter

● Gap #3: Revealing sensitive information

● Gap #4: Formatting useful information

● Gap #5: Validation of URLs

● … (and actually many more)

“Without URL-rewriting, our life would be $#@!'ing hell.”

One big thing.

/questions

You have options, but if you liked what you saw...

● Try it now: ocpsoft.org/rewrite

● Get involved: github.com/ocpsoft/rewrite