[Seaside] Advice on writing secure webapps from a scarred friend

Cees de Groot seaside@lists.squeakfoundation.org
31 Jul 2002 03:17:36 +0200


Tim Rowledge <tim@sumeru.stanford.edu> said:
>Ideas on preventing such problems welcomed. I imagine it must be
>possible to make a socket refuse to accept vast amounts of data, though
>how do you decide what is vast? What can be done to 'protect' session
>numbers?
>
a) comes down to a DoS attack. Forget about it for now :-).  b) is
something that struck me as well in Seaside. In my other software, I
always keep a Dictionary of 'external' to 'internal' keys. The 'internal'
keys would be '1', '2', '3', 'sendMail', 'doSomethingDangerous'; the
'external' keys are a UUID in binary form, followed by some 50-60 bits
of randomness, all presented in base31: EDEUOGKF62USOMKIRGBMFR9G7R8TCLT26G,
for example. The latter is what shows up in the webpage, and it is creeping
all over the place so you get nice, ugly, virtually unhackable code like:

<form action="<line noise>">
  <input name="<more line noise>">
</form>

et cetera. I call these external keys 'capabilities'; each one is only valid
within the current session (which itself is of course also a cryptographically
strong number) and gives the user a very limited capability (on a single
binding, in general). The neat thing is that security becomes easier: the user
is allowed to do whatever she possesses capabilities for, so no more checking
on whether user X has role R such that instance var I of class C may be
written: whatever is generated in the UI is allowed.

-- 
Cees de Groot               http://www.cdegroot.com     <cg@cdegroot.com>
GnuPG 1024D/E0989E8B 0016 F679 F38D 5946 4ECD  1986 F303 937F E098 9E8B
Cogito ergo evigilo
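The capability table described in the message above, worked through as an added example. This is not code from the post, from Seaside or from Cees de Groot's software, and it is in Python rather than Smalltalk. Assumptions not in the post: the external key is the 16 bytes of a random UUID plus 8 CSPRNG bytes (64 bits) encoded in unpadded base32 instead of the post's base31; the session id is a 32-byte random token; requests are routed as /<session id>/<action key>; `Server`, `Session`, `submit` and `demo` are names invented here.

```python
"""Session-scoped capability keys: external (random) -> internal ('sendMail', 'to')."""
import base64
import re
import secrets
import uuid
from typing import Callable, Dict, List, Optional, Tuple


def new_external_key() -> str:
    """UUID4 bytes plus 64 random bits, base32 without padding (39 characters).
    Assumption: base32 stands in for the post's base31."""
    raw = uuid.uuid4().bytes + secrets.token_bytes(8)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


class Session:
    """Holds the external -> internal key table for one user session."""

    def __init__(self) -> None:
        self.id = secrets.token_urlsafe(32)              # strong session number
        self._caps: Dict[str, Tuple[str, str]] = {}      # ext key -> (kind, internal)

    def grant(self, kind: str, internal: str) -> str:
        """Mint an external key that, in this session only, denotes `internal`."""
        key = new_external_key()
        self._caps[key] = (kind, internal)
        return key

    def resolve(self, kind: str, external: Optional[str]) -> Optional[str]:
        """Internal key for an external one; None if unknown or of the wrong kind."""
        entry = self._caps.get(external or "")
        if entry is None or entry[0] != kind:
            return None
        return entry[1]

    def render_form(self, action: str, fields: List[str]) -> str:
        """Emit a form whose action and input names are all 'line noise'."""
        lines = [f'<form action="/{self.id}/{self.grant("action", action)}">']
        for field in fields:
            field_key = self.grant("field", field)
            lines.append(f'  <input name="{field_key}">')
        lines.append("</form>")
        return "\n".join(lines)


class Server:
    def __init__(self, actions: Dict[str, Callable[..., object]]) -> None:
        self._actions = actions                          # internal key -> implementation
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> Session:
        session = Session()
        self._sessions[session.id] = session
        return session

    def handle(self, session_id: str, action_key: str, form: Dict[str, str]):
        """Dispatch a request. No role check: possessing the key is the permission."""
        session = self._sessions.get(session_id)
        if session is None:
            raise PermissionError("unknown session")
        action = session.resolve("action", action_key)
        if action is None:
            raise PermissionError("no capability for that action in this session")
        params: Dict[str, str] = {}
        for ext_name, value in form.items():
            internal = session.resolve("field", ext_name)
            if internal is None:
                raise PermissionError("unknown field capability")
            params[internal] = value
        return self._actions[action](**params)


FORM_ACTION = re.compile(r'<form action="/([^/"]+)/([^"]+)">')
INPUT_NAME = re.compile(r'<input name="([^"]+)">')


def submit(html: str, values: List[str]) -> Tuple[str, str, Dict[str, str]]:
    """What a browser would send back: session id, action key, field values."""
    sid, action_key = FORM_ACTION.search(html).groups()
    return sid, action_key, dict(zip(INPUT_NAME.findall(html), values))


def demo() -> Dict[str, object]:
    server = Server({"sendMail": lambda to: f"mail queued for {to}",
                     "doSomethingDangerous": lambda: "boom"})
    alice = server.new_session()
    page = alice.render_form("sendMail", ["to"])             # constructed page
    sid, key, form = submit(page, ["bob@example.org"])
    ok = server.handle(sid, key, form)
    # Mallory has her own session; a key lifted from Alice's page is worthless there.
    mallory = server.new_session()
    try:
        server.handle(mallory.id, key, form)
        replay = "allowed"
    except PermissionError as err:
        replay = str(err)
    # Guessing is hopeless: 192 random bits sit behind each 39-character key.
    try:
        server.handle(alice.id, new_external_key(), {})
        guess = "allowed"
    except PermissionError as err:
        guess = str(err)
    return {"page": page, "ok": ok, "replay": replay, "guess": guess}


if __name__ == "__main__":
    print(demo())
```

Two things the table buys you show up in `demo()`: Mallory's session never had 'doSomethingDangerous' rendered into it, so no key for it exists on her side, and the key she copies from Alice's page fails at the session lookup rather than at some role check. The price is that every generated key lives for the whole session, so the table grows with the UI and should be dropped with the session.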