So you've created a very elegant and easy to maintain Web Application, perhaps leveraging some MVC patterns.
Your Controllers may be mapped to URLs such as these:
- FavoritesController: list() and view(int id) methods:
- /favorites/list
- /favorites/view/1
- /favorites/view/2
- ...
- SomeOtherControllers following similar patterns
At this point you're pretty confident that a determined cracker will actually have to do some work to mess with your application to uncover any sensitive data it may have.
Then you get ready to Go Mobile. It only makes sense: you have a compelling application and you wish to offer your users a compelling extension of your application to their Mobile Universe, while creating additional revenue opportunities. Everybody wins.
As a design team starts putting together mock-ups of the handheld experience, which may take quite a few weeks, you realize that regardless of what they come-up with, the handheld application will almost certainly need to exchange data with the web-based application. So you figure you might as well start exposing web services to cater to various use-cases.
Your MVC stack looks neat, and now just plain screams for exposing a JSON interface to most of your Controllers. It only makes sense. Once you're done, you can send the API to the Objective-C/Java Developer who'll be building your mobile apps for Blackberries, iPhones and Droids.
So you rig your controllers to become "json-aware": instead of only being able to output HTML, you're now also able to send a JSON payload:
- FavoritesController: list() and view(int id) methods:
- /favorites/list/json
- /favorites/view/1/json
- /favorites/view/2/json
- ...
JSON is valid JavaScript. Valid JavaScript can be loaded in a good ol' HTML script element through any site on the Web directly from your site. Whatever your script returns, such as a list of an authenticated user's favorites, is more or less fully-accessible to any other script running on that foreign document.
Forget your Handheld/Mobile project for a second as this isn't the vector of the gaping vulnerability you've just created:
Consider http://evilsite/somebadwebpage.html with the following line of code: <script src="http://yoursite/favorites/list/json"></script>
If evilsite manages to lure some of your users, perhaps thru some crafty social-engineering sprinkled with bit.ly obfuscation, they're now in a position to capture a victim's favorites.
If you're going the JSON route, you might consider the following simple techniques:
- Require a completely separate authentication handshake for your JSON services, they should not function if a user happens to be "authenticated on the site" while browsing from their desktop.
- Wrap your JSON payload in a light XML enclosure: it'll be enough to make browsers barf on a JavaScript parse error should someone try to reference your JSON URI in their web document.
<data>{jsonpayload}</data>
Don't go loading a full XML/DOM parser, just substring/indexOf/lastIndexof your way to the JSON payload.
3 comments:
You have done a marvelous job! I am really inspired with your work.
Well done! My Arizona SEO team appreciates this so much. Keep sharing!
Hey, very nice site. I came across this on Google, and I am stoked that I did. I will definitely be coming back here more often. Wish I could add to the conversation and bring a bit more to the table, but am just taking in as much info as I can at the moment. Thanks for sharing.
Karma KM 2500 Wheelchair
Keep Posting:)
Post a Comment