Attacks
- Access to other data
- Writing to the file system
- Denial of service by being in an infinite loop
- See https://www.owasp.org/index.php/Category:Attack for a complete list
- Authentication
  - Identification: Is the host that is supplying the accessor code the host I think it is?
  - Integrity: Has the accessor code been modified?
  - Solution: Use a cryptographic checksum. Could iotAuth help here?
Tutorial Considerations
The browser tutorial allows the user to type in accessor code and then instantiate this accessor. This brings up security concerns.
Generally, we want to prevent:
- Attacks on the accessors repo server.
- Attackers turning the tutorial page into a data harvester (by redirecting users to the tutorial and implementing data-stealing code).
- Attackers using the tutorial page to create a virus (for example, a Denial of Service accessor).
Relevant concerns from https://www.owasp.org/index.php/Category:Attack
- Data structure attacks
  - Buffer overflow: Create an excessively long data structure.
- Malicious code
  - Data-sending Trojan horse: Read information from the user's machine and send it to the attacker.
- Injection
  - Code injection: Take advantage of allowed characters, data format, or data amount to run code on the system.
  - Comment injection: Comment out the whole page using <!--.
  - Cross-site scripting (XSS): Load malicious code from external resources.
  - Regular expression DoS: Create a very slowly evaluating regular expression.
  - Server-side includes injection: Take advantage of <!-- to inject commands.
- Path traversal attacks
  - Access unauthorized resources: Manipulate the path to access server data, e.g. by using ../ in the URL.
- Probabilistic techniques
  - Denial of service: Overwhelm a server with requests.
Countermeasures:
- Whitelist characters. (Code injection)
- Prohibit looping constructs such as for, forEach, and while. (Buffer overflow)
- Prohibit HTML-style comments. (Comment injection, Server-side includes injection)
- Restrict or prohibit the REST accessor. (XSS, DoS)
- Prohibit calls to the window or document object. (Data-sending Trojan horse)
- Prohibit regular expressions. (Regular expression DoS)
- Prohibit access to files outside of the accessor repo. (Unauthorized resources) This applies to all accessor pages.
See Also