2012 03 27_philly_jug_rewrite_static
Security and Usability: URL-rewriting for the next-generation web user
Lincoln Baxter, III, Senior Software Engineer, Red Hat, Inc., 2012-03-27
Philly Java Users Group
Founder of http://ocpsoft.org/ “Simpler is better.”
What is URL-rewriting?
Any manipulation of the HTTP Request/Response life-cycle.
Mind the gap.
● Gap #1: “Relocated” or missing resources
● Gap #2: Readability & Clutter
● Gap #3: Revealing sensitive information
● Gap #4: Formatting of useful information
● Gap #5: Validation of user input
● … (and actually many more)
Gap #1: “Relocated” or missing resources
404 slide not found
wtf?
robo.to
github.com
blippy.com
What does it mean?
Distraction from failure.
“Either the website sucks or you suck, and neither is going to make anyone happy.”
Translated.
2 ways to have a magical 404 experience ...
301 Moved Permanently
302 Moved Temporarily
Google says, “Redirect to the new URL for at least 180 days.”
Gap #2: URL-readability
http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846
wtf?
We are friends.
http://amazon.com/shop/kindle-touch
Tired of trash in your face?
http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846
There's plenty of space out in space!
http://amazon.com/shop/kindle-touch?tracker=AAasfds3r32ydkl6fd854kdjf84hfidbdgv64n0curnoxydkl6fd854kdjf84hfidbdgv64n0ge8nfbh...
Gap #3: Revealing sensitive information
Visit: http://microsoft.com/genuine/downloads/faq.aspx
You will be redirected to a page without .aspx suffix
Implementation-revealing suffixes: .xhtml .do .asp .jsp .php .cgi .jsf /
A good magician never reveals the implementation.
Be cool.
http://example.com/store/shoes/1
http://example.com/store/shoes/1/buy
http://example.com/store?buy=true&category=shoes&item=1
Why are people afraid of buying used cars?
You never know what you are going to get.
Trust me?
http://www.youtube.com/watch?v=oHg5SJYRHA0
Build trust by reducing clutter & using clean URLs
Before:
http://example.com/news.xhtml?p=my-new-post
After:
http://example.com/news/my-new-post/
Gap #5: Validation of user input
URLs are user-input and your website is vulnerable!
Aspect Security says:
Two of three recent security vulnerabilities in web-frameworks are URL-based. *
* https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
Real Life...
http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp
http://llbean.com/kids
Vulnerable!
Cluttered!
wtf?
validate?
Mind the gap.
● Gap #1: “Relocated” resources (404)
● Gap #2: Readability & Clutter
● Gap #3: Revealing sensitive information
● Gap #4: Formatting of useful information
● Gap #5: Validation of user input
URL-rewriting
Basic things we can do with all types of URL-rewriting
● Redirection & Relocation
● Parameterization
● Simple URL validation
● Add/Remove Headers
/store/{category}/{item}
/store/$attack-%3/begin
Accept-Charset: UTF-8
URL-rewriting: Proxy based (Non-Java)
Inbound only.
URL-rewriting: Filter Based (Native Java)
Cool things we can do with Filter-based Java URL-rewriting
● Transformation and Canonicalization
● Complex Validation
● Data Conversion
● Request interception
● And more...
example.com/project/FOO → example.com/project/foo
  .when(Path.matches("/store/product/{pid}")
      .where("pid").bindsTo(El.property("productBean.product")
          .convertedBy(ProductConverter.class)
          .validatedBy(ProductValidator.class)))
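As an added example that is not from the slides or the Rewrite project itself: a Rewrite configuration provider that ties the earlier points together for the /news URLs (Gap #1: 301 from the old address; Gap #2 and #3: clean URL in, hidden news.xhtml out; Gap #5: the slug is accepted only against an allow-list pattern). The class name, the paths and the slug pattern are assumptions; the DSL calls (ConfigurationBuilder.begin(), addRule(), Path.matches, RequestParameter.matches, Redirect.permanent, Join.path(...).to(...), where(...).matches(...)) follow the Rewrite 2.x servlet API as I know it, and exact method names differ between Rewrite versions.

```java
import javax.servlet.ServletContext;

import org.ocpsoft.rewrite.annotation.RewriteConfiguration;
import org.ocpsoft.rewrite.config.Configuration;
import org.ocpsoft.rewrite.config.ConfigurationBuilder;
import org.ocpsoft.rewrite.servlet.config.HttpConfigurationProvider;
import org.ocpsoft.rewrite.servlet.config.Path;
import org.ocpsoft.rewrite.servlet.config.Redirect;
import org.ocpsoft.rewrite.servlet.config.RequestParameter;
import org.ocpsoft.rewrite.servlet.config.rule.Join;

/**
 * Hypothetical Rewrite configuration for the /news example (assumed API, not
 * project code). The annotation lets Rewrite discover the provider at startup.
 */
@RewriteConfiguration
public class NewsUrlConfiguration extends HttpConfigurationProvider {

   /** Allow-list for the post slug: lowercase letters, digits and dashes, bounded length. */
   private static final String SLUG = "[a-z0-9-]{1,64}";

   @Override
   public Configuration getConfiguration(ServletContext context) {
      return ConfigurationBuilder.begin()

         // Gap #1 and #3: /news.xhtml?p=my-new-post is still bookmarked and indexed.
         // Answer it with a 301 to the clean form so clients and crawlers learn the
         // new location (Google: keep the redirect for at least 180 days).
         .addRule()
            .when(Path.matches("/news.xhtml").and(RequestParameter.matches("p", "{post}")))
            .perform(Redirect.permanent(context.getContextPath() + "/news/{post}/"))
            .where("post").matches(SLUG)

         // Gap #2 and #5: inbound /news/{post}/ is forwarded to the hidden resource,
         // and links the application renders to /news.xhtml are rewritten back to
         // the clean form on the way out. A value that does not match SLUG does not
         // match the rule at all, so it never reaches news.xhtml and falls through
         // to the container's normal 404 handling.
         .addRule(Join.path("/news/{post}/").to("/news.xhtml"))
            .where("post").matches(SLUG);
   }

   @Override
   public int priority() {
      return 10; // lower values run first; 10 leaves room for earlier rules
   }
}
```

Behind the Join, news.xhtml receives the slug as an ordinary request parameter (post=my-new-post), so the page code is unchanged; only the rewrite rule knows about the clean URL. The value of the allow-list is that validation happens once, before any application code runs, and a request that fails it is simply an unmatched URL rather than an input the page has to defend itself against.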
Some things you should NOT do, with Java URL-rewriting
If it needs to run when your app doesn't... you probably don't want to put it in your app.
Demos (It's barcode time)
Access Control / Timer Demo ( http://access-rewrite.rhcloud.com/ )
● Problem #1: “Relocated” resources (404)
● Problem #2: Readability & Clutter
● Problem #3: Revealing sensitive information
● Problem #4: Formatting useful information
● Problem #5: Validation of user input
Rest Validation/Conversion Demo ( http://rest-rewrite.rhcloud.com )
● Problem #1: “Relocated” resources (404)
● Problem #2: Readability & Clutter
● Problem #3: Revealing sensitive information
● Problem #4: Formatting useful information
● Problem #5: Validation of user input
Composite Query Demo ( http://composite-rewrite.rhcloud.com )
● Problem #1: “Relocated” resources (404)
● Problem #2: Readability & Clutter
● Problem #3: Revealing sensitive information
● Problem #4: Formatting useful information
● Problem #5: Validation of user input
Bonus round!
But client-side web applications are the future, can't I just ignore the URL and use WebSockets?!
Client-side browser applications
The server serves: http://twitter.com/#!/lincolnthree
The client requests: #!/lincolnthree, #!/connect, #!/discover, #!/lincolnthree/status/180710662975143936, #!/li
How can we clean it up?
http://example.com/ (request, response)
example.com/login
example.com/signup
example.com/lincoln/myproject (request, response?)
Handling bookmarks
The server serves: example.com/, example.com/login, example.com/lincoln/myproject
The client requests the page, then inspects the URL: login, lincoln/..., profile
Where am I?
example.com/
example.com/lincoln
example.com/lincoln/myproject
example.com/lincoln/lincoln
How do you determine the Context Root?
example.com/ ?
example.com/lincoln ?
example.com/lincoln/lincoln ?
Resolve the Context Root
http://example.com/lincoln
request:  HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath
response: 200 OK - Set Header: ContextPath = /
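As an added example of the server side of that exchange (my own code, not the Rewrite project's implementation): a servlet filter that answers the HEAD probe with the deployed context root and nothing else. The marker query parameter name is the one shown on the slide; the response header name "ContextPath", the class name and the "/*" mapping are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter answering the context-root probe from the slides.
 * Mapped to every path so the probe is answered whatever the application
 * happens to be deployed under.
 */
@WebFilter("/*")
public class ContextPathProbeFilter implements Filter {

   /** Marker query parameter the client sends on its HEAD probe (from the slides). */
   static final String PROBE_PARAM = "org.ocpsoft.rewrite.history.ContextPath";

   /** Response header carrying the answer; the slides only show "ContextPath", so the exact name is assumed. */
   static final String CONTEXT_PATH_HEADER = "ContextPath";

   @Override
   public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
         throws IOException, ServletException {
      HttpServletRequest request = (HttpServletRequest) req;
      HttpServletResponse response = (HttpServletResponse) resp;

      if (isProbe(request)) {
         // Reply with the deployed context root only. The probe must not fall
         // through to the application: HEAD /lincoln is a question about the
         // deployment layout, not a request for a "lincoln" resource.
         response.setStatus(HttpServletResponse.SC_OK);
         response.setHeader(CONTEXT_PATH_HEADER, contextPathValue(request.getContextPath()));
         response.setContentLength(0);
         return;
      }
      chain.doFilter(req, resp);
   }

   /** Only a HEAD request carrying the marker parameter counts as a probe; its value may be empty. */
   static boolean isProbe(HttpServletRequest request) {
      return "HEAD".equals(request.getMethod())
            && request.getParameter(PROBE_PARAM) != null;
   }

   /** The Servlet API reports the root context as ""; report it as "/" like the slide does. */
   static String contextPathValue(String contextPath) {
      return (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
   }

   @Override
   public void init(FilterConfig filterConfig) {
      // nothing to configure
   }

   @Override
   public void destroy() {
      // nothing to release
   }
}
```

The client side (not shown) walks the bookmarked path one segment at a time, sending HEAD /lincoln, then HEAD /lincoln/myproject, and takes the first answer carrying the header as the context root. Restricting the answer to HEAD requests with the marker keeps the probe from being confused with a normal GET, and the only thing disclosed is the context root, which the client application needs anyway to build its own links.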
Demos
● Access control (Request Interception)
● REST (Validation and Conversion)
● Composite Query (Security and Usability)
● SocialPM Rich Client (Browser Applications)
Mind the gap.
● Gap #1: “Relocated” resources (404)
● Gap #2: Readability & Clutter
● Gap #3: Revealing sensitive information
● Gap #4: Formatting useful information
● Gap #5: Validation of URLs
● … (and actually many more)
/questions
@lincolnthree
You have options, but if you liked what you saw...
● Try it now: ocpsoft.org/rewrite
● Get involved: github.com/ocpsoft/rewrite