The Tangled Web: A Guide to Securing Modern Web Applications [1st edition] 1593273886, 9781593273880, 2111234567

"Thorough and comprehensive coverage from one of the foremost experts in browser security."—Tavis Ormandy, Goo


English Pages 320 [324] Year 2011



Table of contents:
Preface......Page 19
Acknowledgments......Page 21
Information Security in a Nutshell......Page 23
Flirting with Formal Solutions......Page 24
Enter Risk Management......Page 26
Enlightenment Through Taxonomy......Page 28
Toward Practical Approaches......Page 29
Tales of the Stone Age: 1945 to 1994......Page 30
The First Browser Wars: 1995 to 1999......Page 32
The Boring Period: 2000 to 2003......Page 33
Web 2.0 and the Second Browser Wars: 2004 and Beyond......Page 34
The User as a Security Flaw......Page 36
Nonconvergence of Visions......Page 37
Cross-Browser Interactions: Synergy in Failure......Page 38
The Breakdown of the Client-Server Divide......Page 39
Global browser market share, May 2011......Page 41
PART I: Anatomy of the Web......Page 43
2: It Starts with a URL......Page 45
Scheme Name......Page 46
Indicator of a Hierarchical URL......Page 47
Server Address......Page 48
Hierarchical File Path......Page 49
Fragment ID......Page 50
Putting It All Together Again......Page 51
Reserved Characters and Percent Encoding......Page 53
Handling of Non-US-ASCII Text......Page 54
Protocols Claimed by Third-Party Applications and Plug-ins......Page 58
Encapsulating Pseudo-Protocols......Page 59
Resolution of Relative URLs......Page 60
When Decoding Parameters Received Through URLs......Page 62
3: Hypertext Transfer Protocol......Page 63
Basic Syntax of HTTP Traffic......Page 64
The Consequences of Supporting HTTP/0.9......Page 66
Newline Handling Quirks......Page 67
Proxy Requests......Page 68
Resolution of Duplicate or Conflicting Headers......Page 69
Semicolon-Delimited Header Values......Page 70
Header Character Set and Encoding Schemes......Page 71
Referer Header Behavior......Page 73
POST......Page 74
TRACE......Page 75
200-299: Success......Page 76
400-499: Client-Side Error......Page 77
Keepalive Sessions......Page 78
Chunked Data Transfers......Page 79
Caching Behavior......Page 80
HTTP Cookie Semantics......Page 82
HTTP Authentication......Page 84
Protocol-Level Encryption and Client Certificates......Page 86
Error-Handling Rules......Page 87
When Constructing Other Types of User-Controlled Requests or Responses......Page 89
4: Hypertext Markup Language......Page 91
Basic Concepts Behind HTML Documents......Page 92
Document Parsing Modes......Page 93
The Battle over Semantics......Page 94
Understanding HTML Parser Behavior......Page 95
Interactions Between Multiple Tags......Page 96
Explicit and Implicit Conditionals......Page 97
Entity Encoding......Page 98
HTTP/HTML Integration Semantics......Page 100
Plain Links......Page 101
Forms and Form-Triggered Requests......Page 102
Type-Specific Content Inclusion......Page 104
A Note on Cross-Site Request Forgery......Page 106
When Converting HTML to Plaintext......Page 107
When Writing a Markup Filter for User Content......Page 108
5: Cascading Style Sheets......Page 109
Basic CSS Syntax......Page 110
@ Directives and XBL Bindings......Page 111
Parser Resynchronization Risks......Page 112
Character Encoding......Page 113
When Allowing User-Specified Class Values on HTML Markup......Page 115
6: Browser-Side Scripts......Page 117
Basic Characteristics of JavaScript......Page 118
Script Processing Model......Page 119
Execution Ordering Control......Page 122
Code and Object Inspection Capabilities......Page 123
Modifying the Runtime Environment......Page 124
JavaScript Object Notation and Other Data Serializations......Page 126
E4X and Other Syntax Extensions......Page 128
Standard Object Hierarchy......Page 129
The Document Object Model......Page 131
Access to Other Documents......Page 133
Script Character Encoding......Page 134
Code Inclusion Modes and Nesting Risks......Page 135
The Living Dead: Visual Basic......Page 136
When Interacting with Browser Objects on the Client Side......Page 137
If You Want to Allow User-Controlled Scripts on Your Page......Page 138
Plaintext Files......Page 139
Bitmap Images......Page 140
XML-Based Documents......Page 141
Generic XML View......Page 142
Scalable Vector Graphics......Page 143
XML User Interface Language......Page 144
RSS and Atom Feeds......Page 145
A Note on Nonrenderable File Types......Page 146
On All Non-HTML Document Types......Page 147
8: Content Rendering with Browser Plug-ins......Page 149
Invoking a Plug-in......Page 150
The Perils of Plug-in Content-Type Handling......Page 151
Document Rendering Helpers......Page 152
Plug-in-Based Application Frameworks......Page 153
Adobe Flash......Page 154
Sun Java......Page 156
XML Browser Applications (XBAP)......Page 157
ActiveX Controls......Page 158
Living with Other Plug-ins......Page 159
If You Want to Write a New Browser Plug-in or ActiveX Component......Page 160
PART II: Browser Security Features......Page 161
9: Content Isolation Logic......Page 163
Same-Origin Policy for the Document Object Model......Page 164
document.domain......Page 165
postMessage(...)......Page 166
Interactions with Browser Credentials......Page 167
Same-Origin Policy for XMLHttpRequest......Page 168
Same-Origin Policy for Web Storage......Page 170
Security Policy for Cookies......Page 171
Impact of Cookies on the Same-Origin Policy......Page 172
Problems with Domain Restrictions......Page 173
The Unusual Danger of “localhost”......Page 174
Plug-in Security Rules......Page 175
Adobe Flash......Page 176
Java......Page 179
IP Addresses......Page 180
Local Files......Page 181
Other Uses of Origins......Page 183
When Embedding Plug-in-Handled Active Content from Third Parties......Page 184
When Writing Browser Extensions......Page 185
10: Origin Inheritance......Page 187
Origin Inheritance for about:blank......Page 188
Inheritance for data: URLs......Page 189
Inheritance for javascript: and vbscript: URLs......Page 191
A Note on Restricted Pseudo-URLs......Page 192
Security Engineering Cheat Sheet......Page 194
11: Life Outside Same-Origin Rules......Page 195
Changing the Location of Existing Documents......Page 196
Unsolicited Framing......Page 200
Cross-Domain Content Inclusion......Page 203
A Note on Cross-Origin Subresources......Page 205
Privacy-Related Side Channels......Page 206
Other SOP Loopholes and Their Uses......Page 207
When Arranging Cross-Domain Communications in JavaScript......Page 208
12: Other Security Boundaries......Page 209
Navigation to Sensitive Schemes......Page 210
Access to Internal Networks......Page 211
Prohibited Ports......Page 212
Limitations on Third-Party Cookies......Page 214
When Using Third-Party Cookies for Gadgets or Sandboxed Content......Page 217
13: Content Recognition Mechanisms......Page 219
Document Type Detection Logic......Page 220
Malformed MIME Types......Page 221
Special Content-Type Values......Page 222
Unrecognized Content Type......Page 224
Defensive Uses of Content-Disposition......Page 225
Content Directives on Subresources......Page 226
Downloaded Files and Other Non-HTTP Content......Page 227
Character Set Handling......Page 228
Byte Order Marks......Page 230
Markup-Controlled Charset on Subresources......Page 231
Detection for Non-HTTP Files......Page 232
When Hosting User-Generated Files......Page 234
14: Dealing with Rogue Scripts......Page 235
Denial-of-Service Attacks......Page 236
Execution Time and Memory Use Restrictions......Page 237
Connection Limits......Page 238
Pop-Up Filtering......Page 239
Dialog Use Restrictions......Page 240
Window-Positioning and Appearance Problems......Page 241
Timing Attacks on User Interfaces......Page 244
When Building Security-Sensitive UIs......Page 246
15: Extrinsic Site Privileges......Page 247
Browser- and Plug-in-Managed Site Permissions......Page 248
Form-Based Password Managers......Page 249
Internet Explorer’s Zone Model......Page 251
Mark of the Web and Zone.Identifier......Page 253
When Writing Plug-ins or Extensions That Recognize Privileged Origins......Page 254
PART III: A Glimpse of Things to Come......Page 255
16: New and Upcoming Security Features......Page 257
Cross-Domain Requests......Page 258
XDomainRequest......Page 261
Other Uses of the Origin Header......Page 262
Security Model Restriction Frameworks......Page 263
Content Security Policy......Page 264
Sandboxed Frames......Page 267
Strict Transport Security......Page 270
Private Browsing Modes......Page 271
In-Browser HTML Sanitizers......Page 272
XSS Filtering......Page 273
Security Engineering Cheat Sheet......Page 275
17: Other Browser Mechanisms of Note......Page 277
URL- and Protocol-Level Proposals......Page 278
Content-Level Features......Page 280
I/O Interfaces......Page 281
18: Common Web Vulnerabilities......Page 283
Vulnerabilities Specific to Web Applications......Page 284
Problems to Keep in Mind in Web Application Design......Page 285
Common Problems Unique to Server-Side Code......Page 287
Epilogue......Page 289
Notes......Page 291
Index......Page 305
