Security and UsabilityURL-rewriting for the next-generation web user

Lincoln Baxter, IIISenior Software Engineer Red Hat, Inc.2012-03-27

Philly Java Users Group

Founderhttp://ocpsoft.org/ “Simpler is better.”

What is URL-rewriting?

Any manipulation of the HTTP Request/Response life-cycle.

Mind the gap.

● Gap #1: “Relocated” or missing resources

● Gap #2: Readability & Clutter

● Gap #3: Revealing sensitive information

● Gap #4: Formatting of useful information

● Gap #5: Validation of user input

● … (and actually many more)

“Without URL-rewriting, our life would be $#@!'ing hell.”

One big thing.

Gap #1: “Relocated” or missing resources

404slide not found

wtf?

http://ocpsoft.com/

http://ocpsoft.com/

http://ocpsoft.com/

http://ocpsoft.com/

http://ocpsoft.com/

http://ocpsoft.com/

robo.to

github.com

blippy.com

What does it mean?

Distraction from failure.

1. The content existed and now does not.

2. The content never existed, fool.

“Either the website sucks or you suck, and neither is going to make anyone happy.”

Translated.

2 ways to have a magical 404 experience ...

301 Moved Permanently 302 Moved Temporarily

Google says, “Redirect to the new URL for at least 180 days.”

Gap #2: URL-readability

http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846

wtf?

We are friends.

http://amazon.com/shop/kindle-touch

Tired of trash in your face?

http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-

column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846

There's plenty of space out in space!

http://amazon.com/shop/kindle-touch?tracker=AAasfds3r32ydkl6fd854kdjf84hfidbdgv64n0curnoxydkl6fd854kdjf84hfidb

dgv64n0ge8nfbh...

Gap #3: Revealing sensitive information

Visit: http://microsoft.com/genuine/downloads/faq.aspx

You will be redirected to a page without .aspx suffix

.xhtml.do.asp.jsp.php.cgi.jsf/

A good magician never reveals the implementation.

Gap #4: Formatting of useful information

http://example.com/buy/1/shoes/store

35

Be cool.

http://example.com/store/shoes/1http://example.com/store/shoes/1/buy

http://example.com/store?buy=true&category=shoes&item=1

Why are people afraid of buying used cars?

You never know what you are going to get.

Trust me?http://www.youtube.com/watch?v=oHg5SJYRHA0

Built trust by reducing clutter & using clean URLs

Before:

http://example.com/news.xhtml?p=my-new-post

After:

http://example.com/news/my-new-post/

Gap #5: Validation of user input

URLs are user-input and your website is vulnerable!

Aspect Security says:

Two of three recent security vulnerabilities in web-frameworks are URL-based. *

* https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf

http://ocpsoft.com/

http://ocpsoft.com/

Real Life...

http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp

http://llbean.com/kids

http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp

http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp

Vulnerable!

Cluttered!

wtf?

validate?

Mind the gap.

● Gap #1: “Relocated” resources (404)

● Gap #2: Readability & Clutter

● Gap #3: Revealing sensitive information

● Gap #4: Formatting of useful information

● Gap #5: Validation of user input

URL-rewriting

Basic things we can do with all types of URL-rewriting

● Redirection & Relocation

● Parameterization

● Simple URL validation

● Add/Remove Headers

/store/{category}/{item}/store/$attack-%3/beginAccept-Charset: UTF-8

URL-rewriting: Proxy based (Non-Java)

Inbound only.

URL-rewriting: Filter Based (Native Java)

blatant lie

“I have no personal investment in any of these tools.”

- Me

Cool things we can do with Filter-based Java URL-rewriting

● Transformation and Canonicalization

● Complex Validation

● Data Conversion

● Request interception

● And more...

example.com/project/FOO

example.com/project/foo.when(Path.matches("/store/product/{pid}").where("pid").bindsTo(El.property("productBean.product").convertedBy(ProductConverter.class).validatedBy(ProductValidator.class)))

Some things you should NOT do, with Java URL-rewriting

If it needs to run when your app doesn't... you probably don't want to put it in your app.

Demos(It's *barcode time)

Access Control / Timer Demo ( http://access-rewrite.rhcloud.com/ )

● Problem #1: “Relocated” resources (404)

● Problem #2: Readability & Clutter

● Problem #3: Revealing sensitive information

● Problem #4: Formatting useful information

● Problem #5: Validation of user input

Rest Validation/Conversion Demo ( http://rest-rewrite.rhcloud.com )

● Problem #1: “Relocated” resources (404)

● Problem #2: Readability & Clutter

● Problem #3: Revealing sensitive information

● Problem #4: Formatting useful information

● Problem #5: Validation of user input

Composite Query Demo ( http://composite-rewrite.rhcloud.com )

● Problem #1: “Relocated” resources (404)

● Problem #2: Readability & Clutter

● Problem #3: Revealing sensitive information

● Problem #4: Formatting useful information

● Problem #5: Validation of user input

Bonus round!

But client-side web applications are the future,can't I just ignore the URL and use WebSockets?!

Client side browser applications

serves

http://twitter.com/#!/lincolnthree

requests#!/lincolnthree

#!/connect

#!/discover

#!/lincolnthree/status/180710662975143936

#!/li

How can we clean it up?

http://example.com/

request

response

example.com/login

example.com/signup

example.com/lincoln/myprojectrequest

?response

Handling bookmarks

serves

example.com/

example.com/login

example.com/lincoln/myproject

requ

est

/inspects

loginlincoln/...profile

Where am I?

example.com/

example.com/lincoln

example.com/lincoln/myproject

example.com/lincoln/lincoln

How do you determine the Context Root?

example.com/ ?example.com/lincoln ?example.com/lincoln/lincoln ?

Resolve the Context Root

http://example.com/lincoln

request

response

HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath

request

200 OK - Set Header: ContextPath = /response

/+

Demos

● Access control (Request Interception)

● REST (Validation and Conversion)

● Composite Query (Security and Usability)

● SocialPM Rich Client (Browser Applications)

Mind the gap.

● Gap #1: “Relocated” resources (404)

● Gap #2: Readability & Clutter

● Gap #3: Revealing sensitive information

● Gap #4: Formatting useful information

● Gap #5: Validation of URLs

● … (and actually many more)

“Without URL-rewriting, our life would be $#@!'ing hell.”

One big thing.

/questions

@lincolnthree@lincolnthree

@lincolnthree

You have options, but if you liked what you saw...

● Try it now: ocpsoft.org/rewrite

● Get involved: github.com/ocpsoft/rewrite