Building Secure Web Mashups Outline I. Browser Security

Building Secure Web Mashups Outline I. Browser Security Overview II. Web Mashups

III. Browser Security Details IV. Mashup Frameworks: MashupOS, Subspace, SMash, Caja

V. Framework Evaluation and Comparison VI. Related Work 2 Browser Security Overview

Layers of Browser Code Default browser behavior Binary plug-ins for embedded content Extensions that modify browser behavior Scripts that make web pages active 4 Extensions vs. Scripts

Theoretical perspective: the only difference is that web page scripts disappear after you leave a page and extensions don't Firefox reality: Extensions are completely unrestricted Web page scripts are restricted unless digitally signed 5

Security in Web Browsers Browsers simultaneously handle documents and scripts from multiple sources Scripts may attempt to interact with: Other web pages The browser Files and processes on the user's computer Remote hosts 6

A Security Failure Example The user is viewing a page with a secret confirmation code, which can be traded in person for some good or service A web page in another window reads the code and sends it to a remote host, where it can be accessed by an unscrupulous third party 7

Real-World Defense Same-origin policy: active content from different trust domains shouldn't interact SOP mostly succeeds for pages that want complete isolation SOP has inconsistencies and gaps that make partial isolation difficult or impossible 8

Web Mashups Mashup Examples housingmaps.com Wii Finder Clockr popurls.com Yahoo vs. Google Google Gadgets

10 Web Mashup Definitions Mashup: A web application that performs browser-side integration of content or services from multiple sources Integrator: site that hosts the web application Provider: site the provides content to the mashup Component: a piece of active content from a

provider 11 Sorts of Mashups Directly interacting with a web service from inside a browser script (e.g., reading an RSS feed) Display control delegation (Google gadgets: Google as integrator) Display control delegation + two-way browserside communication (Google maps, Google

search: Google as provider) 12 Mashup Techniques Simulated mashup: server-side data collection Frames + proxy server Frames + fragment-identifier messaging Browser plug-ins for relaying information Dynamically generated script requests

13 Mashup Security Concern If you include a Google Search control on your page, you give Google the ability to: read arbitrary information send it to an arbitrary recipient execute arbitrary code

14 Browser Security Details Browser State: Documents DOM: mutable tree structure model Metadata: domain property cookie property referrer property

etc. 16 Browser State: Frames Can be nested with