Securing Ajax Applications
Christopher Wells

Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

Securing Ajax Applications
by Christopher Wells

Copyright © 2007 Christopher Wells. All rights reserved.
Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected].

Editor: Tatiana Apandi
Production Editor: Mary Brady
Production Services: Tolman Creek Design
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrators: Robert Romano and Jessamyn Read

Printing History:
July 2007: First Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Securing Ajax Applications, the image of a spotted hyena, and related trade dress are trademarks of O’Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

This book uses RepKover™, a durable and flexible lay-flat binding.

ISBN-10: 0-596-52931-7
ISBN-13: 978-0-596-52931-4
[M]

To Jennafer, my honey, and Maggie, my bit of honey: you two are what make life so sweet.

Table of Contents

Preface

1. The Evolving Web
   The Rise of the Web

2. Web Security
   Security Basics
   Risk Analysis
   Common Web Application Vulnerabilities

3. Securing Web Technologies
   How Web Sites Communicate
   Browser Security
   Browser Plug-ins, Extensions, and Add-ons

4. Protecting the Server
   Network Security
   Host Security
   Web Server Hardening
   Application Server Hardening

5. A Weak Foundation
   HTTP Vulnerabilities
   The Threats
   JSON
   XML
   RSS
   Atom
   REST

6. Securing Web Services
   Web Services Overview
   Security and Web Services
   Web Service Security

7. Building Secure APIs
   Building Your Own APIs
   Preconditions
   Postconditions
   Invariants
   Security Concerns
   RESTful Web Services

8. Mashups
   Web Applications and Open Internet APIs
   Wild Web 2.0
   Mashups and Security
   Open Versus Secure
   A Security Blanket
   Case Studies

Index

Preface

Deciding to add security to a web application is like deciding whether to wear clothes in the morning. Both decisions provide comfort and protection throughout the day, and in both cases the decisions are better made beforehand rather than later. Just look around and ask yourself, “How open do I really want to be with my neighbors?” Or, “How open do I really want them to be with me?” It’s all about sharing. With web sites sharing data via open APIs, web services, and other new technologies, we are experiencing the veritable Woodstock of the digital age. Free love now takes the form of free content and services. Make mashups, not web pages!

All right, so let’s get down to business. Believe it or not, there is security in openness. Look at the United States government, for example. The openness of the U.S. governmental system is what helps keep it secure. Maybe that can work for us, too! Repeat after me:

We, the programmers, in order to build a more perfect Web; to establish presence and ensure server stability; provide for the common Web; promote general security; for ourselves and our posterity; do ordain and establish this constitution…

Sadly, it is not quite that easy—or is it? Checks and balances make governments work. There are layers of cooperation and defense. Each layer provides defense in depth.

Web application security is a serious business. All web applications are or will be vulnerable to some form of attack. The thing to remember is that most people are good, and security is implemented to thwart those who are not. So, the chances of your application getting attacked are proportional to the number of bad apples out there.

Audience

This book is for programmers on the front lines looking for a solid resource to help them protect their applications from harm. It is also for the developer or architect interested in sharing or consuming content in a safe way.

Assumptions This Book Makes

This book assumes basic developers’ knowledge of the Internet and web applications. It also assumes a general awareness of security problems that can arise on the Internet. Knowledge of security methodologies and practices is helpful, but not required.

Contents of This Book

Chapter 1, The Evolving Web
   Recounts how we got to where we are today on the Web. The chapter explains how web technologies have evolved, and why we have such a tangled Web.

Chapter 2, Web Security
   Describes basic security terms, practices, and methodologies. It also lays out and identifies the major vulnerabilities on the Web today.

Chapter 3, Securing Web Technologies
   Describes all the different types of web communications. This chapter discusses basic security measures that minimize risk and examines the security of several Internet technologies.

Chapter 4, Protecting the Server
   Walks through setting up a secure web server. It offers practical advice to help protect a server from threats on the Internet.

Chapter 5, A Weak Foundation
   Explores the major protocols associated with web applications, where the seams are, what the possible attack vectors might be, and some recommended countermeasures to help make applications more secure.

Chapter 6, Securing Web Services
   Looks at how web services work, the moving parts, how web technologies such as Ajax can fit in, and what major areas require security attention.

Chapter 7, Building Secure APIs
   Examines web API design and construction and points out some security pitfalls along the way.

Chapter 8, Mashups
   Discusses the evolution of web APIs and how they work. This chapter also looks at some of the major security issues with mashups, such as lack of trust and authentication. It also tries to answer questions such as what is the worst that can happen, and how to balance openness and security.

Conventions Used in This Book

The following typographical conventions are used in this book:

Plain text
   Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).

Italic
   Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities.

Constant width
   Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands.

Constant width bold
   Shows commands or other text that should be typed literally by the user.

Constant width italic
   Shows text that should be replaced with user-supplied values.

This icon signifies a tip, suggestion, or general note.

This icon indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Securing Ajax Applications by Christopher Wells. Copyright 2007 Christopher Wells, 978-0-596-52931-4.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at [email protected].

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

http://www.oreilly.com/catalog/9780596529314

To comment or ask technical questions about this book, send email to:

[email protected]

For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our web site at:

http://www.oreilly.com

Safari® Enabled

When you see a Safari® Enabled icon on the cover of your favorite technology book, that means the book is available online through the O’Reilly Network Safari Bookshelf.

Safari offers a solution that’s better than e-Books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

Acknowledgments

I would like to extend my thanks to the great folks at O’Reilly for giving me the opportunity to write this book. I would especially like to thank my editor, Tatiana Apandi, for putting up with me, and all the technical reviewers who read my book and provided such instructive feedback. Thank you.

I would also like to thank Mick Bauer, whose book, Linux Server Security: Tools and Best Practices for Bastion Hosts (O’Reilly), has served as a great inspiration (if you run Linux, read it).