Cross Site Integration: “mashups” and cross site scripting
Server Side
Server code fetches data or services from another site
Has little to do with this course
Can involve XML (web services) or SQL queries to remote servers
Data may include HTML
Data may include javascript
Man-in-the-middle attacks on the server-to-server fetch?
3rd Party
Do you trust them?
When they update, will it break you?
When they go broke, will it break you?
Do they send any javascript code, or URLs used in links?
javascript can do ANYTHING to you (it runs with your page’s origin)
URLs can send people to fake sites
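The two risks on the slide above, data that carries HTML or javascript and data that carries URLs, are the ones a relay has to neutralise before anything from the 3rd party reaches your page. The following is an added example, not code from the slides: `escapeHtml`, `safeHref` and `renderFeedItem` are hypothetical helpers and the feed is constructed here.

```javascript
// Added example, not from the slides: render a relayed third-party feed item
// without letting its HTML, its javascript, or its link URLs reach the page raw.
// escapeHtml, safeHref and renderFeedItem are hypothetical helpers; the feed is constructed.

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only absolute http(s) links survive. javascript:, data:, vbscript: and
// unparsable strings all collapse to a harmless "#".
function safeHref(raw) {
  let u;
  try { u = new URL(String(raw)); } catch (e) { return '#'; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
}

// One feed entry as an <li>; the title is text, the link is an attribute, both escaped.
function renderFeedItem(item) {
  const href = escapeHtml(safeHref(item.link));
  return '<li><a href="' + href + '">' + escapeHtml(item.title) + '</a></li>';
}

function renderFeed(items) {
  return '<ul>' + items.map(renderFeedItem).join('') + '</ul>';
}

// Constructed sample of what a server-side relay might hand back from a partner.
const sampleFeed = [
  { title: 'Plain headline', link: 'https://example.com/story/1' },
  { title: '<script>alert(document.cookie)</script>', link: 'javascript:alert(1)' },
  // Escaping cannot tell a phishing link from a real one; this renders as a normal link.
  { title: 'Log in to your "bank"', link: 'http://evil.example/login' },
];
```

Note the third item: output escaping stops the script and the `javascript:` link, but a well-formed `http://` link to a fake site still goes through untouched. That is the “URLs can send people to fake sites” point, and no amount of escaping answers it; only trusting (or not trusting) the partner does.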
AJAX
Name comes from “Asynchronous JavaScript and XML”: the transport is HTTP via XMLHttpRequest; the payload was originally XML, sometimes SOAP
data is often XML
Based upon the older hack of loading data into invisible frames
HTML pages read by javascript
Most often used through a framework that just lifts HTML fragments from the data
AJAX
Security limitations are similar to scripting frames from javascript
Same-origin policy! (scheme, host and port must match the page)
can’t read data from other origins
hence server-side data relays (your server fetches, your page reads from your origin)
Easy access to XML data sources
XML is powerful… (see Issues below)
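What “same-origin policy” and “server-side relay” mean in practice, as an added example that is not part of the slides: an origin is scheme + host + port, nothing else, and the relay simply moves the fetch to a path on your own origin. `sameOrigin`, `canReadResponse` and `relayUrl` are hypothetical helpers; the URLs are made up.

```javascript
// Added example, not from the slides: what the same-origin policy lets a page
// read from an XMLHttpRequest, and how a same-origin relay path gets around it.
// sameOrigin, canReadResponse and relayUrl are hypothetical; URLs are constructed.

// Origin = scheme + host + port. Path, query and fragment do not count,
// and a default port (443 for https) is the same as no port.
function originOf(url) {
  return new URL(url).origin;
}

// Relative data URLs are resolved against the page first, as the browser would.
function sameOrigin(pageUrl, dataUrl) {
  return originOf(pageUrl) === originOf(new URL(dataUrl, pageUrl).href);
}

// Classic AJAX rule of thumb: the browser will send the request anywhere,
// but the script may only read the response body if it is same-origin.
function canReadResponse(pageUrl, dataUrl) {
  return sameOrigin(pageUrl, dataUrl);
}

// The relay: instead of asking the browser to fetch the remote feed, ask your
// own server to fetch it at a same-origin path. The remote URL travels as one
// percent-encoded query parameter.
function relayUrl(pageUrl, remoteUrl) {
  const u = new URL('/relay', pageUrl);
  u.searchParams.set('src', remoteUrl);
  return u.href;
}
```

The relay buys you readable data; it also makes your server fetch whatever `src` says. A real relay must whitelist the partner hosts it is willing to fetch, otherwise it becomes an open proxy into your network.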
Examples?
Libraries are always used: jQuery, etc
Requires a server side program
Requires some XML data
this could be a minimal wrapper
http://www.w3schools.com/AJAX
http://www.ajaxdaddy.com
Issues
DO NOT OVER DO IT!
High server load / High bandwidth
slow XML over slow HTTP
Server relay needs bandwidth
Utilizing XML may be work
XML processing is cpu intensive
Javascript
Almost no security limitations once it runs in your page
eval() of code can be limited to making objects (data only, no arbitrary script)
JSON (JavaScript Object Notation)
easier, smaller, faster than XML
Code is more powerful / flexible
JSON
For speed and size most use JSON
code can be written into “JSON”: a javascript object literal can carry functions, strict JSON carries data only
most code libraries speak JSON (object literals) rather than XML
APIs not uniform!
Heavily depend on browser garbage collection - once a script is loaded you can’t unload it
Variable Method
var o = {json & could include code};
var x = "stringified code";
var loaded = 1;
loading function looks for loaded == 1
o: loop over the object & copy or exec each member
x: eval() runs the string
Wrapped
javascript code sent as string data
wrap in HTML (invisible frame or part of a visible frame)
wrap in AJAX
This delays running the SCRIPT so you can “securely” eval it or parse it
Library Style
Provides a set of functions to do what needs to be done
often handle loading of JSON (or AJAX)
Function parameters used for customization
CSS of the generated HTML
Examples
http://disqus.com
Online comments, no javascript API
CSS to format, just a SCRIPT file
http://www.google.com/ig/directory?synd=open
Google gadgets js scripts
Some have an API
API / Globals / Query
API - their javascript interface (trust?)
You call their functions with settings
Globals - you define objects with the settings before running their code
Query - you send settings in the query part of the request for the data
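The three customization styles as the host page would actually emit them, as an added example that is not from the slides. The Query style is the one where your own settings can turn into cross site scripting if a value breaks out of the `src` attribute, so it is shown both the naive way and the safe way. The gadget URL, the `GADGET_SETTINGS` global and the `Gadget.render()` call are hypothetical, not any real partner’s interface.

```javascript
// Added example, not from the slides: the API, Globals and Query customization
// styles as the host page would emit them, with the Query style shown both the
// naive way and the safe way. The gadget URL, the GADGET_SETTINGS global and the
// Gadget.render() call are hypothetical, not any real partner's interface.

const GADGET_BASE = 'https://gadgets.partner.example/widget.js'; // assumed

// Escape for HTML attribute values and text.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// JSON that is safe to place inside an inline <script>: "<" becomes \u003c so a
// value cannot end the script block early with "</script>". Still valid JSON.
function inlineJson(settings) {
  return JSON.stringify(settings).replace(/</g, '\\u003c');
}

// Query style, naive: settings glued into the URL, URL glued into HTML.
// A setting containing "> breaks out of the src attribute and injects a tag.
function queryEmbedNaive(settings) {
  const qs = Object.entries(settings).map(([k, v]) => k + '=' + v).join('&');
  return '<script src="' + GADGET_BASE + '?' + qs + '"></script>';
}

// Query style, safe: URLSearchParams percent-encodes each value, escapeAttr keeps
// the finished URL inside the attribute.
function queryEmbed(settings) {
  const u = new URL(GADGET_BASE);
  for (const [k, v] of Object.entries(settings)) u.searchParams.set(k, v);
  return '<script src="' + escapeAttr(u.href) + '"></script>';
}

// Globals style: the settings object must exist before the partner script runs,
// so it goes in an inline script placed ahead of the external one.
function globalsEmbed(settings) {
  return '<script>window.GADGET_SETTINGS = ' + inlineJson(settings) + ';</script>\n' +
         '<script src="' + escapeAttr(GADGET_BASE) + '"></script>';
}

// API style: load their script, then call their documented function with settings.
function apiEmbed(settings) {
  return '<script src="' + escapeAttr(GADGET_BASE) + '"></script>\n' +
         '<script>Gadget.render(' + inlineJson(settings) + ');</script>';
}
```

Whichever style you pick, the partner’s script still runs with your origin once it loads; encoding your settings correctly only keeps *you* from adding a second injection on top of that trust decision.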
Google Maps
1st to popularize rich javascript applications
Has a Javascript API - add your own points on the map
Was early to popularize “mashups” combining datasets with location data
http://code.google.com/apis/maps/documentation/javascript/
Plug-ins
Flash, Silverlight, A/V, ActiveX
Browser plug-ins have little security: native code running with the user’s privileges
Plug-ins may have javascript APIs
Plug-ins may have their OWN scripting (Flash uses ActionScript, an ECMAScript dialect)
Examples
Youtube embedded
Paste-in HTML code
Basically it’s a Flash plug-in embed
External video / audio content
Quicktime, <video>, etc
“super” cookies - use plug-in storage (e.g. Flash Local Shared Objects) to circumvent privacy settings and re-create cleared cookies