How to secure your web service

Photo: Dublin Castle, by Karl Randay

If you're including third-party content in your web pages, you can't stop a determined attacker. Browsers weren't designed with that scenario in mind, so by default any HTML you place on your pages has access to your site and cookies. The usual workaround for this is to scrub the external HTML on the server side to remove any JavaScript before passing it to the client.

The good news is this works pretty well, with platforms like Facebook and Myspace relying on it heavily. The bad news is it's practically impossible to make it perfect; there are so many different ways of hiding scripts inside HTML. When I was implementing my own scrubber for Google Hot Keys, I relied on the Cross-site Scripting (XSS) Cheatsheet to find cunning examples to test it against. I was dismayed when I later realized that Facebook's scrubber was still vulnerable to some of these attacks.
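To make the scrubbing approach concrete, here is an added example of the kind of server-side scrubber the paragraph describes. It is not the Google Hot Keys scrubber or any code from the handbook; the tag and attribute allowlist, the accepted URL schemes, and the test inputs are all constructed for this illustration. The design point it demonstrates is the one that makes cheatsheet-style evasions fail: parse the HTML and rebuild it from an allowlist, rather than searching the raw text for "script". Entity-encoded scheme names and tab characters hidden inside `javascript:` are decoded and stripped before the scheme check, event-handler attributes are dropped because they are not on the allowlist, and `<script>` bodies and comments never reach the output.

```python
"""Allowlist-based HTML scrubber for untrusted third-party markup.

Added example: rebuilds the markup from a parse tree so that only known-safe
tags, attributes and URL schemes survive. Everything here (allowlists, scheme
set, sample inputs) is constructed for illustration, not taken from any
production scrubber.
"""
import re
import urllib.parse
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: anything not listed is removed from the output.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Tags whose text content is executable or styling, so the body is dropped too.
DROP_CONTENT_TAGS = {"script", "style"}

# Browsers ignore tabs, newlines and other control characters inside a URL
# scheme, so "java<TAB>script:" still runs. Remove them before checking.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_url(value):
    """Return the URL if its scheme is allowed (or relative), else None."""
    cleaned = _CONTROL_CHARS.sub("", value).strip()
    scheme = urllib.parse.urlsplit(cleaned).scheme.lower()
    if scheme == "" or scheme in SAFE_SCHEMES:
        return cleaned
    return None  # javascript:, data:, vbscript:, and anything unknown


class Scrubber(HTMLParser):
    """Re-emit only allowlisted markup; text is always re-escaped."""

    def __init__(self):
        # convert_charrefs decodes entities in text; attribute values are
        # always decoded by HTMLParser, which is what defeats &#x09; tricks.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skipping = None  # name of a DROP_CONTENT tag we are inside

    def _render(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick, onerror, style, ... by default
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue  # unsafe scheme: drop the attribute entirely
            parts.append(f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ">"

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: strip the tag, keep its text content
        self.out.append(self._render(tag, attrs))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            # Close anything left open inside it so the output nests properly.
            while True:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) never pass through

    handle_decl = handle_pi = handle_comment


def scrub(html):
    """Scrub untrusted HTML, closing any tags the input left open."""
    parser = Scrubber()
    parser.feed(html)
    parser.close()
    while parser.open_tags:
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs in the style of the XSS cheatsheet cases.
    for sample in ['<p onclick="alert(1)">hi</p>',
                   '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">',
                   '<script>alert(1)</script><b>bold</b>']:
        print(repr(sample), "->", repr(scrub(sample)))
```

The allowlist is deliberately small; a real deployment would extend it per tag, but the shape stays the same: every attribute is either explicitly permitted or gone, and URL-bearing attributes are checked only after the same decoding a browser would perform. Note that this scrubs markup only; it does nothing about CSS expressions or other vectors, which is part of why the text above says a perfect scrubber is so hard.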

Google itself has struggled with XSS issues, though they've been quick with fixes, so I was very pleased to see they've just published their internal security handbook. They've got the best explanation I've seen of all the rules like the same-origin policy that are designed to safeguard users from malicious scripts. There's also a great cookbook on how to build your own content scrubber. Even better, they lay out suggestions for how to truly secure the environment with future browser features.

This cheers me up a lot. I often feel like a Cassandra when I'm pointing out how insecure the status quo is, but it reminds me a lot of the early days of Windows when security was considered a low priority, and we're still watching the repercussions of that mistake. I don't want the public to lose trust in our services because of constant exploits once we start moving more valuable data into the reach of malicious third parties.

It looks like the evolutionary model that's served web standards so well before may come to the rescue with smart ideas like fine-grained script blocking in the browser and content security policies. Until then, learn Google's handbook by heart and keep a constant eye out for new exploits!
