Securing Ajax Applications

Christopher Wells

Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

Securing Ajax Applications
by Christopher Wells

Copyright © 2007 Christopher Wells. All rights reserved.
Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected].

Editor: Tatiana Apandi
Cover Designer: Karen Montgomery
Production Editor: Mary Brady
Interior Designer: David Futato
Production Services: Tolman Creek Design
Illustrators: Robert Romano and Jessamyn Read

Printing History:
July 2007: First Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Securing Ajax Applications, the image of a spotted hyena, and related trade dress are trademarks of O’Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

This book uses RepKover™, a durable and flexible lay-flat binding.

ISBN-10: 0-596-52931-7
ISBN-13: 978-0-596-52931-4

To Jennafer, my honey, and Maggie, my bit of honey: you two are what make life so sweet.

Table of Contents

Preface ... ix
1. The Evolving Web ... 1
   The Rise of the Web ... 2
2. Web Security ... 29
   Security Basics ... 29
   Risk Analysis ... 37
   Common Web Application Vulnerabilities ... 40
3. Securing Web Technologies ... 56
   How Web Sites Communicate ... 56
   Browser Security ... 61
   Browser Plug-ins, Extensions, and Add-ons ... 76
4. Protecting the Server ... 99
   Network Security ... 100
   Host Security ... 103
   Web Server Hardening ... 121
   Application Server Hardening ... 128
5. A Weak Foundation ... 130
   HTTP Vulnerabilities ... 131
   The Threats ... 136
   JSON ... 143
   XML ... 146
   RSS ... 148
   Atom ... 149
   REST ... 152
6. Securing Web Services ... 155
   Web Services Overview ... 156
   Security and Web Services ... 167
   Web Service Security ... 172
7. Building Secure APIs ... 174
   Building Your Own APIs ... 174
   Preconditions ... 179
   Postconditions ... 180
   Invariants ... 180
   Security Concerns ... 181
   RESTful Web Services ... 183
8. Mashups ... 190
   Web Applications and Open Internet APIs ... 191
   Wild Web 2.0 ... 192
   Mashups and Security ... 194
   Open Versus Secure ... 198
   A Security Blanket ... 199
   Case Studies ... 201
Index ... 213

Preface

Deciding to add security to a web application is like deciding whether to wear clothes in the morning. Both decisions provide comfort and protection throughout the day, and in both cases the decisions are better made beforehand rather than later. Just look around and ask yourself, “How open do I really want to be with my neighbors?” Or, “How open do I really want them to be with me?” It’s all about sharing.

With web sites sharing data via open APIs, web services, and other new technologies we are experiencing the veritable Woodstock of the digital age. Free love now takes the form of free content and services. Make mashups, not web pages!

All right, so let’s get down to business. Believe it, or not, there is security in openness. Look at the United States government, for example. The openness of the U.S. governmental system is what helps keep it secure. Maybe that can work for us, too!

Repeat after me: We, the programmers, in order to build a more perfect Web; to establish presence and ensure server stability; provide for the common Web; promote general security; for ourselves and our posterity; do ordain and establish this constitution…

Sadly, it is not quite that easy—or is it? Checks and balances make governments work. There are layers of cooperation and defense. Each layer provides defense in depth.

Web application security is a serious business. All web applications are or will be vulnerable to some form of attack. The thing to remember is that most people are good, and security is implemented to thwart those who are not. So, the chances of your application getting attacked are proportional to the number of bad apples out there.

Audience

This book is for programmers on the front lines looking for a solid resource to help them protect their applications from harm. It is also for the developer or architect interested in sharing or consuming content in a safe way.

Assumptions This Book Makes

This book assumes basic developers’ knowledge of the Internet and web applications. It also assumes a general awareness of security problems that can arise on the Internet. Knowledge of security methodologies and practices is helpful, but not required.

Contents of This Book

Chapter 1, The Evolving Web
   Recounts how we got to where we are today on the Web. The chapter explains how web technologies have evolved, and why we have such a tangled Web.

Chapter 2, Web Security
   Describes basic security terms, practices, and methodologies. It also lays out and identifies the major vulnerabilities on the Web today.

Chapter 3, Securing Web Technologies
   Describes all the different types of web communications. This chapter discusses basic security measures that minimize risk and examines the security of several Internet technologies.

Chapter 4, Protecting the Server
   Walks through setting up a secure web server. It offers practical advice to help protect a server from threats on the Internet.

Chapter 5, A Weak Foundation
   Explores the major protocols associated with web applications, where the seams are, what the possible attack vectors might be, and some recommended countermeasures to help make applications more secure.

Chapter 6, Securing Web Services
   Looks at how web services work, the moving parts, how web technologies such as Ajax can fit in, and what major areas require security attention.

Chapter 7, Building Secure APIs
   Examines web API design and construction and points out some security pitfalls along the way.

Chapter 8, Mashups
   Discusses the evolution of web APIs and how they work. This chapter also looks at some of the major security issues with mashups, such as lack of trust and authentication. It also tries to answer questions, such as what is the worst that can happen, and how to balance openness and security.

Conventions Used in This Book

The following typographical conventions are used in this book:

Plain text
   Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).

Italic
   Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities.

Constant width
   Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands.

Constant width bold
   Shows commands or other text that should be typed literally by the user.

Constant width italic
   Shows text that should be replaced with user-supplied values.

This icon signifies a tip, suggestion, or general note.

This icon indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Securing Ajax Applications by Christopher Wells. Copyright 2007 Christopher Wells, 978-0-596-52931-4.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at [email protected].

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

http://www.oreilly.com/catalog/9780596529314

To comment or ask technical questions about this book, send email to:

[email protected]

For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our web site at:

http://www.oreilly.com

Safari® Enabled

When you see a Safari® enabled icon on the cover of your favorite technology book, that means the book is available online through the O’Reilly Network Safari Bookshelf.

Safari offers a solution that’s better than e-Books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

Acknowledgments

I would like to extend my thanks to the great folks at O’Reilly for giving me the opportunity to write this book.
