Opa - Safe and Secure Web Development
(c) MLstate
7/27/2019
Code injection
XSS attacks
DB injection
Buffer overflows
CSRF
JavaScript at the console (the + operator turns into string concatenation as soon as one operand is a string, left to right):
> 9 + 5 + " customers"
"14 customers"
> "Customers: " + 9 + 5
"Customers: 95"
Two JavaScript dispatches that look equivalent: the if/else chain compares with ==, the switch matches its case labels with ===.

if (x == 0)
  retry();
else if (x == 1)
  success();
else
  error();

switch (x) {
  case 0:
    retry();
    break;
  case 1:
    success();
    break;
  default:
    error();
}

With x = "0" (the string, which is what a form field or query parameter delivers): the if/else chain calls retry(), the switch calls error().
The + operator on empty arrays and objects, typed as statements at the console:

[] + []   = ""   (empty string)
[] + {}   = "[object Object]"
{} + []   = 0    (the leading {} is parsed as an empty block, leaving +[])
{} + {}   = NaN  (likewise an empty block, then +{})
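The coercion pitfalls on the slides above, worked as an added example in JavaScript (this is not code from the Opa slides or from MLstate). It assumes the setting a web developer actually meets: a status value that arrives from a query string or form and is therefore always a string. Function names (classifyLoose, classifySwitch, classifyStrict, parseStatus) and the SAMPLES list are constructed for the example.

```javascript
// Added example (not from the Opa slides): the JavaScript pitfalls above, as a
// request handler would meet them. Values from a query string or form are
// always strings, and `==` (if/else) and `switch` (which compares with ===)
// disagree about them.

// The if/else chain from the slide: loose comparison.
function classifyLoose(x) {
  if (x == 0) return "retry";
  else if (x == 1) return "success";
  else return "error";
}

// The switch from the slide: case labels are matched with ===.
function classifySwitch(x) {
  switch (x) {
    case 0: return "retry";
    case 1: return "success";
    default: return "error";
  }
}

// Hardened: validate the untrusted string once, at the boundary, and work on a
// real integer afterwards. Rejects "", "00", "0x0", " 1", "1e0", arrays, null.
function parseStatus(raw) {
  if (typeof raw !== "string" || !/^(0|[1-9][0-9]*)$/.test(raw)) return null;
  return Number(raw);
}

function classifyStrict(raw) {
  const x = parseStatus(raw);
  if (x === 0) return "retry";
  if (x === 1) return "success";
  return "error";
}

// `+` becomes string concatenation as soon as one operand is a string, left to right.
function addThenLabel(a, b) { return a + b + " customers"; }   // 9, 5 -> "14 customers"
function labelThenAdd(a, b) { return "Customers: " + a + b; }  // 9, 5 -> "Customers: 95"

// The [] / {} results from the slide. `{} + []` and `{} + {}` give 0 and NaN only
// when typed as a statement at a console, where the leading {} is an empty block;
// as expressions all four are string concatenations.
function plusCoercions() {
  return [[] + [], [] + {}, ({}) + [], ({}) + {}];
}

// Constructed inputs a handler actually sees: strings, plus odd shapes clients send.
const SAMPLES = ["0", "1", "", "00", "0x0", [], null];

// Every sample on which the two dispatches of the slide take different branches.
function disagreements() {
  return SAMPLES.filter((v) => classifyLoose(v) !== classifySwitch(v));
}
```

Six of the seven samples make the two dispatches disagree; only null is treated the same way by both. The hardened version moves the decision to one place, a parse that either yields an integer or rejects the input, which is the discipline a typed language imposes for free.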
Open source core.
Built on standards.
One Opa program contains all four layers of a web application:
Client code
Server code
DB code
Configuration
Hello world in Opa (the XHTML markup is part of the language, not a string):

function action(_) {
  // client-side handler: replaces the content of the element with id "msg"
  #msg = <>Hello!</>;
}
function page() {
  <h1 id=#msg>Click the button:</h1>
  <a class="button" onclick={action}>Click!</a>
}
Server.start(Server.http,
  { ~page, title: "Hello, world" }
)
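In the program above, `<>Hello!</>` is a value of type xhtml, not a string, so untrusted text cannot be confused with markup. The following added example rebuilds that distinction in plain JavaScript to show what the type buys (this is not code from the Opa slides or from MLstate; the builder h(), render(), the MARKUP symbol and the hostile PAYLOAD are constructed for the example). A string pasted into markup is the XSS pattern from the threat list at the start of the deck; the builder makes that pattern a type error.

```javascript
// Added example (not from the Opa slides): the string-vs-markup distinction that
// Opa enforces with its xhtml type, rebuilt as a tiny builder in plain JavaScript.
// Untrusted text can enter the output only as escaped text; only values produced
// by h() are treated as markup and inserted verbatim.

const MARKUP = Symbol("markup");

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function isMarkup(v) {
  return v !== null && typeof v === "object" && v[MARKUP] === true;
}

// Tag and attribute names are restricted to a safe alphabet, event-handler
// attributes are refused, and attribute values are always quoted and escaped.
function h(tag, attrs, ...children) {
  if (!/^[a-z][a-z0-9]*$/.test(tag)) throw new TypeError("bad tag name: " + tag);
  let out = "<" + tag;
  for (const [k, v] of Object.entries(attrs || {})) {
    if (!/^[a-z][a-z0-9-]*$/.test(k) || k.startsWith("on")) throw new TypeError("bad attribute: " + k);
    out += " " + k + '="' + escapeHtml(v) + '"';
  }
  out += ">";
  for (const c of children) out += isMarkup(c) ? c.html : escapeHtml(c);
  return { [MARKUP]: true, html: out + "</" + tag + ">" };
}

// Only markup can be rendered; a bare string is a type error, as it is in Opa.
function render(node) {
  if (!isMarkup(node)) throw new TypeError("render() expects markup, not a string");
  return node.html;
}

// Vulnerable pattern: a string pasted into markup (what `el.innerHTML = "..." + name` does).
function greetVulnerable(name) {
  return '<h1 id="msg">Hello, ' + name + '!</h1>';
}

// Hardened: the name can only become text, whatever it contains.
function greetSafe(name) {
  return render(h("h1", { id: "msg" }, "Hello, ", name, "!"));
}

// Constructed hostile input.
const PAYLOAD = '<img src=x onerror="alert(1)">';
```

The builder covers text and attribute contexts only; URL-valued attributes (href, src) would additionally need a scheme check before the value is accepted, since escaping does not stop a `javascript:` URL.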
Types are inferred:

function foo(s) {
  String.length(s);
}
function bar(x, y) {
  foo(x) + y;
}

The same code with the inferred types written out (return type first, Opa style):

int function foo(string s) {
  String.length(s);
}
int function bar(string x, int y) {
  foo(x) + y;
}
foo = 1 + "bar";   // rejected at compile time: int and string do not mix
element =
{prompt({none})}
{expr}
{Calc.compute(expr)};
Open and close tag mismatch vs
case {some: 13}: #status = "Enter";
  callback(get());
case {some: 37}: #status = "Left";
  move({lef});
case {some: 38}: #status = "Up";
  move({up});
case {some: 39}: #status = "Right";
  move({right});

Compiler error on the typo {lef}:
First type: { lef }
Second type: { left } or { right } or { rightmost } or { up } or { down }
previous = Dom.get_content(#precaret);
#precaret = String.sub(0,
  String.lenght(previous) - 1, previous);
#postcaret += String.get(String.length(previous) - 1, previous);

Compiler error on the misspelt field:
No field lenght found.
Most probable field: length: string -> int
previous = Dom.get_content(#postcaret);
#postcaret = String.sub(1, String.length(previous) - 1, previous);
#precaret =+ String.get(previous);

Compiler error on the missing argument:
String.get is a string function(int, string) but application uses it as function(string)
Five problems of web development:
1. Code distribution
2. Data protection
3. Impedance mismatch
4. Blocking code
5. Protocol bugs and vulnerabilities
// Will be on server side (it writes a database path):
function db_update(value) {
  /mydb/counter <- value;
}
// The database read happens on the server, the DOM update on the client;
// the compiler splits the function between the two sides.
function init() {
  #counter = /mydb/counter
}
// The distribution keywords "server" and "client" force a function onto one side;
// here the hash is computed on the client, so the cleartext never leaves the browser.
client function hash(pw) {
  Sha512.hash(pw)
}

Distribution keywords: server, client.
Note: a client-side digest is what travels on the wire and becomes the effective credential, so it does not replace server-side password hashing with a salted, slow key-derivation function.
// "exposed" marks a server function the client may call; server functions
// are protected (not callable from the client) unless marked.
exposed function get() {
  /mydb/counter
}

Access keywords: protected (the default), exposed.
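What the protected/exposed distinction prevents, as an added example in plain JavaScript (this is not code from the Opa slides or from MLstate). It models the usual unsafe shape, a client that names the server function it wants, and the allowlist that "protected by default" amounts to. The db object, the server functions and the JSON message shape are constructed for the example.

```javascript
// Added example (not from the Opa slides): what "protected by default" buys at an
// RPC boundary, in plain JavaScript. A client sends a function name over the wire;
// only names explicitly registered as exposed may be dispatched.

const db = { counter: 0 };   // stands in for /mydb/counter (constructed)

const server = {
  get() { return db.counter; },                 // intended client entry point
  dbUpdate(value) { db.counter = value; },      // server-only
  resetEverything() { db.counter = 0; },        // server-only
};

// Vulnerable dispatcher: whatever name arrives selects the function, so the
// server-only ones are reachable, and so are inherited properties such as
// "constructor" (Object), which the typeof check happily accepts.
function dispatchUnchecked(name, args) {
  const fn = server[name];
  if (typeof fn !== "function") throw new Error("no such function: " + name);
  return fn.apply(server, args);
}

// Hardened: an explicit allowlist is the only way in. A Map has no prototype
// chain to walk, so "toString", "constructor" and "__proto__" are simply absent.
const exposed = new Map([
  ["get", server.get],
]);

function dispatch(name, args) {
  if (typeof name !== "string" || !exposed.has(name)) throw new Error("not exposed: " + name);
  if (!Array.isArray(args)) throw new Error("arguments must be an array");
  return exposed.get(name).apply(server, args);
}

// Decode one wire message (constructed JSON shape) and route it through the allowlist.
function handleMessage(json) {
  let msg;
  try { msg = JSON.parse(json); } catch (e) { return { ok: false, error: "bad json" }; }
  try { return { ok: true, result: dispatch(msg.name, msg.args) }; }
  catch (e) { return { ok: false, error: e.message }; }
}
```

The Opa compiler maintains the equivalent of the `exposed` map for you: a function is reachable from the client only if the source says so, which removes the whole class of "forgot to check the name" bugs this dispatcher illustrates.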
type user = {
  string mail, int age,
  list(string) comments
}
database dbname {
  user /user[{mail}]     // primary key
  int /user/age = 18     // default value
}
Query operators:
in [e1, e2]
or
and
not
skip
limit
order
opa
mongoDB shell
function fibonacci(n) {
  if (n == 0)
    0
  else if (n == 1)
    1
  else
    fibonacci(n-1) + fibonacci(n-2)
}
Figure: the Opa scheduler (CPS-based) multiplexing sockets between clients and the HTTP, SMTP and FTP servers.
A DSL for protocols

Grammar:
-define Get   (uri, v) = "GET " uri " HTTP/" v
-define Head  (uri, v) = "HEAD " uri " HTTP/" v
-define Post  (uri, v) = "POST " uri " HTTP/" v
-define Put   (uri, v) = "PUT " uri " HTTP/" v
-define Del   (uri, v) = "DELETE " uri " HTTP/" v
-define Trace (uri, v) = "TRACE " uri " HTTP/" v
-define Conn  (uri, v) = "CONNECT " uri " HTTP/" v
-define Opts  (uri, v) = "OPTIONS " uri " HTTP/" v

Automaton:
wait_for_request(hr, timeout):
  receive
  | Crlf -> ...
  | Head (uri, v) -> ...
  | Get (uri, v) -> ...
  | Post (uri, v) -> ...
  | Put (uri, v) -> ...
  | Del (uri, v) -> ...
  | Trace (uri, v) -> ...
  | Conn (uri, v) -> ...
  catch
  | exn -> ...
  after timeout -> ...
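The request-line grammar and the receive/after automaton above, written out as an added example in JavaScript (this is not code from the Opa slides or from MLstate, and it is not the code the DSL generates). It shows the two checks a generated handler gets that ad-hoc socket code tends to forget: a bound on how much input is buffered before a line terminator arrives, and the `after timeout` arm. MAX_LINE, the RequestReceiver class and the feed(chunk, now) interface with an injected clock are constructed for the example.

```javascript
// Added example (not from the Opa slides): the request-line grammar of the
// protocol DSL on the slide, written as an explicit automaton in JavaScript.
// The receiver reads input incrementally, accepts only the listed methods, and
// enforces a line-length bound and a deadline.

const METHODS = new Set(["GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT", "OPTIONS"]);
const MAX_LINE = 8192;   // assumed bound; the slide leaves the limit to the implementation

// "GET " uri " HTTP/" v, as in the -define rules; the version is digit "." digit.
const REQUEST_LINE = /^([A-Z]+) (\S+) HTTP\/(\d\.\d)$/;

function parseRequestLine(line) {
  const m = REQUEST_LINE.exec(line);
  if (!m || !METHODS.has(m[1])) return null;
  return { method: m[1], uri: m[2], version: m[3] };
}

// Incremental receiver: feed(chunk, now) returns one of
//   {state: "wait"}                 need more bytes
//   {state: "crlf"}                 empty line (the Crlf arm on the slide)
//   {state: "request", ...fields}   a complete, valid request line
//   {state: "error", reason}        malformed, too long, deadline passed, or closed
class RequestReceiver {
  constructor(deadline) { this.buf = ""; this.deadline = deadline; this.done = false; }

  feed(chunk, now) {
    if (this.done) return { state: "error", reason: "closed" };
    if (now > this.deadline) return this.fail("timeout");          // the `after timeout ->` arm
    this.buf += chunk;
    const end = this.buf.indexOf("\r\n");
    if (end === -1) {
      // No terminator yet: keep waiting, but never buffer without bound.
      return this.buf.length > MAX_LINE ? this.fail("line too long") : { state: "wait" };
    }
    const line = this.buf.slice(0, end);
    this.buf = this.buf.slice(end + 2);                              // leftover belongs to the headers
    if (line.length > MAX_LINE) return this.fail("line too long");
    if (line === "") return { state: "crlf" };
    const req = parseRequestLine(line);
    if (req === null) return this.fail("bad request line");        // the `catch | exn ->` arm
    return { state: "request", ...req };
  }

  fail(reason) { this.done = true; return { state: "error", reason }; }
}
```

Once a receiver has reported an error it refuses further input, which is the behaviour the generated automaton has: a malformed request line terminates the exchange rather than being skipped over.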
Five answers, one per problem:
1. Precise control on code distribution
2. Protected data by default
3. Transparent database mapping
4. Non-blocking
5. Safe protocols
user_update(x:mess) = (
line = {x.id}: {x.message}
do exec([#show +
make_broadcaster(id) = _ ->
  Network.broadcast({~id message=Page.get_value(#entry)}, room)
styled_page("Chat", //Display
connect()}/>
Send! )
OWASP Top 10 (2010):
A1 - Injection (http://www.owasp.org/index.php/Top_10_2010-A1)
A2 - Cross Site Scripting (XSS) (http://www.owasp.org/index.php/Top_10_2010-A2)
A3 - Broken Authentication and Session Management (http://www.owasp.org/index.php/Top_10_2010-A3)
A4 - Insecure Direct Object References (http://www.owasp.org/index.php/Top_10_2010-A4)
A5 - Cross Site Request Forgery (CSRF) (http://www.owasp.org/index.php/Top_10_2010-A5)
A6 - Security Misconfiguration (http://www.owasp.org/index.php/Top_10_2010-A6)
A7 - Insecure Cryptographic Storage (http://www.owasp.org/index.php/Top_10_2010-A7)
A8 - Failure to Restrict URL Access (http://www.owasp.org/index.php/Top_10_2010-A8)
A9 - Insufficient Transport Layer Protection (http://www.owasp.org/index.php/Top_10_2010-A9)
A10 - Unvalidated Redirects and Forwards (http://www.owasp.org/index.php/Top_10_2010-A10)
Opah (Moonfish)
Opa (Language)
opalang.org
@opalang