opa - safe and secure web development

7/27/2019 Opa - Safe and Secure Web Development

1/66

(c) MLstate

Opa - Safe and SecureWeb Develo ment


2/66

(c) MLstate


3/66

(c) MLstate


4/66

(c) MLstate

Code

injec

tion

XSSA

ttack

s

DB injection

Buffe

roverflowsCS

RF


5/66

(c) MLstate

Code

injec

tion

XSSA

ttack

s

DB injection

Buffe

roverflowsCS

RF


6/66

(c) MLstate

> 9 + 5 + customers

14 customers> Customers: + 9 + 5

Customers: 95


7/66

(c) MLstate

if (x == 0)

retry();

else if (x == 1)success();

else

error();

switch (x) {

case 0:

retry();

break;

case 1:success();

break;

default:

error();

}


8/66

(c) MLstate

if (x == 0)

retry();

else if (x == 1)success();

else

error();

switch (x) {

case 0:

retry();

break;

case 1:success();

break;

default:

error();

}

x = 0

retry error


9/66

(c) MLstate

[] + []

[] + {}{} + []

{} + {}


10/66

(c) MLstate

[] + []

[] + {}{} + []

{} + {}

=

= {}= 0

= NaN


11/66

(c) MLstate


12/66

(c) MLstate


13/66

(c) MLstate


14/66

(c) MLstate

Open source core.

Built on standards.


15/66

(c) MLstate

Client code Server code

DB code

Configuration


16/66

(c) MLstate

Client code Server code

DB code

Configuration


17/66

(c) MLstate


18/66

(c) MLstate


19/66

(c) MLstate


20/66

(c) MLstate


21/66

(c) MLstate


22/66

(c) MLstate

functionaction(_) {

#msg = Hello!;

}

functionpage() {

Click the button:

Click!

}

Server.start(Server.http,

{ ~page, title: "Hello, world" }

)


23/66

(c) MLstate

functionaction(_) {

#msg = Hello!;

}

functionpage() {

Click the button:

Click!

}



)


24/66

(c) MLstate

functionaction(_) {

#msg = Hello!;

}

functionpage() {

Click the button:

Click!

}



)


25/66

(c) MLstate

functionaction(_) {

#msg = Hello!;

}

functionpage() {

Click the button:

Click!

}



)


26/66

(c) MLstate

functionaction(_) {

#msg = Hello!;

}

functionpage() {

Click the button:

Click!

}



)


27/66

(c) MLstate

functionaction(_) {

#msg = Hello!;

}

functionpage() {

Click the button:

Click!

}



)


28/66

(c) MLstate

functionaction(_) {

#msg = Hello!;

}

functionpage() {

Click the button:

Click!

}



)


29/66

(c) MLstate

functionaction(_) {

#msg = Hello!;

}

functionpage() {

Click the button:

Click!

}



)


30/66

(c) MLstate

function foo(s) {

String.length(s);}

function bar(x, y) {

foo(x) + y;

}

intfunction foo(string s) {

String.length(s);}

intfunction bar(string x, int y) {

foo(x) + y;

}


31/66

(c) MLstate

foo = 1 + "bar";


32/66

(c) MLstate

element =

{prompt({none})}

{expr}

{Calc.compute(expr)};

Open and close tag mismatch vs


33/66

(c) MLstate

case {some: 13}: #status = "Enter";

callback(get());case {some: 37}: #status = "Left";

move({lef});

case {some: 38}: #status = "Up";

move({up});

case {some: 39}: #status = "Right";move({right});

First type: { lef }

Second type:

{ left } or { right } or{ rightmost } or

{ up } or { down }


34/66

(c) MLstate

previous = Dom.get_content(#precaret);

#precaret = String.sub(0,

String.lenght(previous) - 1, previous);

#postcaret +=

String.get(String.length(previous) - 1,

previous);

No field lenght found.

Most probable field:length: string -> int


35/66

(c) MLstate

previous = Dom.get_content(#postcaret);#postcaret = String.sub(1,

String.length(previous) - 1, previous);

#precaret =+ String.get(previous);

String.get is a string

function(int, string) but

application uses itas function(string)


36/66

(c) MLstate


37/66

(c) MLstate

Code distribution

Data protection

Impedance mismatch

Blocking code

Protocol bugs and vulnerabilities

1

2

3

4

5


38/66

(c) MLstate

// Will be on server side:

function db_update(value) {

/mydb/counter


39/66

(c) MLstate

function init() {

#counter = /mydb/counter

}


40/66

(c) MLstate

client function hash(pw) {

Sha512.hash(pw)

}

serverclient


41/66

(c) MLstate

exposed function get() {

/mydb/counter

}

protectedexposed


42/66

(c) MLstate

type user = {

string mail, int age,

list(string) comments}

database dbname {

user /user[{mail}] // primary key

int /user/age = 18 // default value}


43/66

(c) MLstate

in [e1, e2]

or

and

not

skip

limit

order


44/66

(c) MLstate

opa

mongoDB shell


45/66

(c) MLstate


46/66

(c) MLstate

functionfibonacci(n) {

if (n == 0)

0

else if (n == 1)

1

else

fibonacci(n-1) + fibonacci(n-2)}


47/66

(c) MLstate


48/66

(c) MLstate

Scheduler

Clients

SMTP ServerHTTP Server FTP Server

CPS

sockets

A DSL f t l


49/66

(c) MLstate

Automaton

Grammar

-define Get (uri, v) = "GET " uri " HTTP/" v

-define Head (uri, v) = "HEAD " uri " HTTP/" v-define Post (uri, v) = "POST " uri " HTTP/" v-define Put (uri, v) = "PUT " uri " HTTP/" v-define Del (uri, v) = "DELETE " uri " HTTP/" v-define Trace (uri, v) = "TRACE " uri " HTTP/" v-define Conn (uri, v) = "CONNECT " uri " HTTP/" v-define Opts (uri, v) = "OPTIONS " uri " HTTP/" v

wait_for_request(hr, timeout):receive| Crlf -> ...| Head (uri, v) -> ...| Get (uri, v) -> ...

| Post (uri, v) -> ...| Put (uri, v) -> ...| Del (uri, v) -> ...| Trace (uri, v) -> ...| Conn (uri, v) -> ...catch| exn -> ...after timeout -> ...

A DSL for protocols


50/66

(c) MLstate

Precise control on code distribution

Protected data by default

Transparent database mapping

Non-blocking

Safe protocols

1

2

3

4

5


51/66

(c) MLstate


52/66

(c) MLstate

user_update(x:mess) = (

line = {x.id}: {x.message}

do exec([#show +


53/66

(c) MLstate


54/66

(c) MLstate

make_broadcaster(id) = _ ->Network.broadcast({~id

message=Page.get_value(#entry)}, room)


55/66

(c) MLstate


56/66

(c) MLstate

styled_page("Chat", //Display

connect()}/>

Send! )


57/66

(c) MLstate


58/66

(c) MLstate


59/66

(c) MLstate

A1-Injection A6-Security Misconfiguration

A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage

A3-Broken Authentication and

Session Management

A8-Failure to Restrict URL Access

A4-Insecure Direct Object ReferencesA9-Insufficient Transport Layer

Protection

A5-Cross Site Request Forgery

(CSRF)

A10-Unvalidated Redirects and

Forwards
http://www.owasp.org/index.php/Top_10_2010-A10http://www.owasp.org/index.php/Top_10_2010-A10http://www.owasp.org/index.php/Top_10_2010-A10http://www.owasp.org/index.php/Top_10_2010-A10http://www.owasp.org/index.php/Top_10_2010-A5http://www.owasp.org/index.php/Top_10_2010-A5http://www.owasp.org/index.php/Top_10_2010-A5http://www.owasp.org/index.php/Top_10_2010-A5http://www.owasp.org/index.php/Top_10_2010-A9http://www.owasp.org/index.php/Top_10_2010-A9http://www.owasp.org/index.php/Top_10_2010-A9http://www.owasp.org/index.php/Top_10_2010-A9http://www.owasp.org/index.php/Top_10_2010-A4http://www.owasp.org/index.php/Top_10_2010-A4http://www.owasp.org/index.php/Top_10_2010-A8http://www.owasp.org/index.php/Top_10_2010-A8http://www.owasp.org/index.php/Top_10_2010-A3http://www.owasp.org/index.php/Top_10_2010-A3http://www.owasp.org/index.php/Top_10_2010-A3http://www.owasp.org/index.php/Top_10_2010-A3http://www.owasp.org/index.php/Top_10_2010-A7http://www.owasp.org/index.php/Top_10_2010-A7http://www.owasp.org/index.php/Top_10_2010-A2http://www.owasp.org/index.php/Top_10_2010-A2http://www.owasp.org/index.php/Top_10_2010-A6http://www.owasp.org/index.php/Top_10_2010-A6http://www.owasp.org/index.php/Top_10_2010-A1http://www.owasp.org/index.php/Top_10_2010-A1


60/66

(c) MLstate


61/66

(c) MLstate


62/66

(c) MLstate


63/66

(c) MLstate


64/66

(c) MLstate

Opah (Moonfish)


65/66

(c) MLstate

Opa (Language)


66/66

opalang.org@opalang

opa - safe and secure web development

Documents