
hackapps book hack proofing your web applications part 7 pptx




DOCUMENT INFORMATION

Basic information

Format
Pages: 63
Size: 607.8 KB

Contents

350 Chapter 8 • Securing XML

(end of Figure 8.5, continued from the previous page)

```xml
      <pd:ProductName>Product Name F</pd:ProductName>
      <pd:ProductPrice>25.00</pd:ProductPrice>
    </pd:Product>
</pd:Products>
```

Again, after the schema was defined, a Web developer could begin working on the XSL document to transform the XML document into HTML. The schema is a contract that everybody agrees upon for the structure of the data. The style sheet is only dependent upon the structure of the data; the data itself is inconsequential. The style sheet in Figure 8.6 creates a table based upon an XML document that adheres to the preceding schema. Notice that this style sheet doesn't create a complete HTML document but only some HTML. The reason for this is that the resulting output of the transformation is incorporated into an existing HTML document. Remember, the output of an XSL transformation can be anything, including another XML document of a different structure.

Figure 8.6 Products.xsl

```xml
<?xml version="1.0"?>
<!-- Written in the early "uri:xsl" dialect consumed by the Microsoft.XMLDOM
     object used in Figure 8.7, not in W3C XSLT 1.0 -->
<xsl:template xmlns:xsl="uri:xsl">
  <h3>Product Listing</h3><br/>
  <table cellspacing="0" cellpadding="10" border="1">
    <tr>
      <td><b>Product ID</b></td>
      <td><b>Product Name</b></td>
      <td><b>Price</b></td>
    </tr>
    <!-- one table row per product element in the source document -->
    <xsl:for-each select="pd:Products/pd:Product">
      <tr>
        <td><xsl:value-of select="pd:ProductID"/></td>
        <td><xsl:value-of select="pd:ProductName"/></td>
        <td>$<xsl:value-of select="pd:ProductPrice"/></td>
      </tr>
    </xsl:for-each>
  </table>
</xsl:template>
```

www.syngress.com
137_hackapps_08 6/19/01 3:40 PM Page 350

Last but not least, we have the code required to perform the XSL transformation. The code is contained within the window onload event of the following HTML document, as demonstrated in Figure 8.7. It will load both the preceding XML document and XSL style sheet and then transform the XML document using the XSL style sheet. The resulting transformation is displayed within the <div> tag.
Figure 8.7 Products.html

```html
<html>
  <head>
    <title>Product Listing</title>
    <!-- Internet Explorer specific: ActiveXObject and document.all do not
         exist in other browsers -->
    <script language="javascript" for="window" event="onload">
      var source = new ActiveXObject("Microsoft.XMLDOM");
      source.load("products-data.xml");
      var style = new ActiveXObject("Microsoft.XMLDOM");
      style.load("products.xsl");
      // the transformation result (HTML fragment) is injected into the div
      document.all.item("display").innerHTML =
          source.transformNode(style.documentElement);
    </script>
  </head>
  <body>
    <div id="display"></div>
  </body>
</html>
```

When all these files are located in the same directory and the HTML file is opened, you will see the output as shown in Figure 8.8.

[Figure 8.8 Resulting HTML: screenshot not reproduced in the text]

The Risks Associated with Using XML

XML and XSL are very powerful tools, and when wisely wielded can create Web applications that are easy to maintain because of the separation of data and presentation. With a little planning, you can reduce the amount of code necessary by compartmentalizing key aspects of functionality using XML and XSL and reusing them throughout the application. Along with changing the way your components will communicate within your application, XML will change the way entities communicate over the Internet.

XML and XSL are open standards. This is one of the reasons why these standards have become so popular. Many times, XML schemas are published by organizations to standardize industry- or business-related information. This is done in the hopes of further automating business processes, increasing collaboration, and easily integrating with new business partners over the Internet. As XML becomes more popular, you will begin seeing more information being exchanged between businesses and organizations.
As always, secure design and architecture are key to making sure that none of that information is compromised during the exchange. The next sections provide a basis for understanding and using the XML encryption and digital signature specifications.

Confidentiality Concerns

The best way to protect data is to not expose it, and let's face it—anything you send over the Internet is fair game. Although you may feel safer making a purchase over the Internet with a credit card than when your waiter picks up your credit card at the restaurant, a risk is still a risk. As always when dealing with the Internet, security is an issue, but remember that XML is about data, plain and simple, and XSL is about transforming XML—security needs to be carefully implemented in all Web applications, but it should be implemented in a layer autonomous to XML and XSL. If information is not meant to be seen, it is much safer to transform the XML document to exclude the sensitive information prior to delivering the document to the recipient, rather than encrypt the information within the document.

XSL is a great way to "censor" your XML documents prior to delivery. Because XSL can be used to transform XML into anything, including a new XML document, it will allow you to have very granular control over what data gets sent to whom when it is used in conjunction with authentication.

If you find yourself adding a username and password element to your XML, stop. If you are encrypting values prior to entering them into an XML document, stop. Tools already exist that you can use for authentication, authorization, and encryption. These concepts are integral to Web applications, but at a higher level in the overall architecture.

Say, for example, that you have an e-commerce Web site that takes orders over the Web and then sends that order to a fulfillment company via XML to be packed and shipped. Because the credit card needs to be debited at the time of shipping, you feel it necessary to send the credit card number to the fulfillment company in the XML document that contains the rest of the order information. Feeling uncomfortable in exposing that information in clear text, you decide to encrypt the credit card number within the XML document. Although your intentions are good, the decision has consequences. The XML document is no longer self-describing. It has also become proprietary because you need the encryption algorithm in order to extract the credit card number. This decision reintroduces some of the problems XML was meant to eliminate. In many of these cases, other solutions exist. One may be to not send the credit card information to the fulfillment company along with the rest of the order. When the order has been shipped, have the fulfillment company send a shipping notification to your application and have your application debit the credit card.

Note that not only is your data at risk, but also your code. XSL is a complete programming language, and at times may be more valuable than the information contained within the XML it transforms. When you perform client-side transformations, you expose your XSL in much the same way that HTML is exposed to the client. Granted, most of your programming logic will remain secure on the server, but XSL still composes a great deal of your application. Securing it is as important as securing your XML.

Securing XML

Just as with HTML documents, digital certificates are the best way in which to secure any document that has to traverse the Internet. Any time you need to perform a secure transaction over the Internet, a digital certificate should be involved, whether the destination is a browser or an application.
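The "censor before delivery" approach described above, as an added example that is not from the book: instead of encrypting the credit card number inside the order, the server projects the order onto a per-recipient allow-list of elements, so the fulfillment company never receives the card number at all and the transformation stays on the server. The element names, the two recipient views and the sample order are all constructed for this illustration; the chapter itself does this with XSL, while this version uses only Python's standard library.

```python
"""Server-side projection of an XML order onto a per-recipient allow-list.

Added example (not from the book). It illustrates the chapter's advice to
transform a document so that sensitive data is excluded before delivery,
rather than encrypting values inside the document. Element names,
recipient views and the sample order are constructed for the example.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed sample order; the CreditCardNumber element is the sensitive field.
ORDER_XML = """<?xml version="1.0"?>
<Order id="1001">
  <Customer>
    <Name>Sample Customer</Name>
    <Email>customer@example.com</Email>
  </Customer>
  <Payment>
    <CardHolder>Sample Customer</CardHolder>
    <CreditCardNumber>4111111111111111</CreditCardNumber>
    <Expiry>12/25</Expiry>
  </Payment>
  <ShipTo>
    <Street>1 Example Street</Street>
    <City>Springfield</City>
  </ShipTo>
  <Items>
    <Item sku="A100" qty="2"/>
    <Item sku="B200" qty="1"/>
  </Items>
</Order>
"""

# Hypothetical allow-lists, keyed by authenticated recipient. Paths are
# relative to the Order root; anything not listed is dropped, and an
# unknown recipient gets an empty document (deny by default).
RECIPIENT_VIEWS = {
    "fulfillment": {"Customer/Name", "ShipTo", "Items"},
    "billing": {"Customer", "Payment/CardHolder", "Payment/Expiry"},
}


def _project(node, allowed, prefix=""):
    """Copy `node`, keeping a child only if its path is allowed outright or
    is an ancestor of an allowed path (in which case we descend into it)."""
    out = ET.Element(node.tag, node.attrib)
    out.text = node.text
    for child in node:
        path = f"{prefix}{child.tag}"
        if path in allowed:
            out.append(copy.deepcopy(child))            # keep whole subtree
        elif any(a.startswith(path + "/") for a in allowed):
            out.append(_project(child, allowed, path + "/"))  # partial keep
        # otherwise the child is dropped and never serialised
    return out


def censor_order(xml_text, recipient):
    """Return the XML document that `recipient` is permitted to see."""
    allowed = RECIPIENT_VIEWS.get(recipient, set())
    root = ET.fromstring(xml_text)
    return ET.tostring(_project(root, allowed), encoding="unicode")


def element_paths(xml_text):
    """Set of element paths (relative to the root) present in a document;
    used to inspect what a censored view actually contains."""
    root = ET.fromstring(xml_text)
    paths = set()

    def walk(node, prefix):
        for child in node:
            p = f"{prefix}{child.tag}"
            paths.add(p)
            walk(child, p + "/")

    walk(root, "")
    return paths


if __name__ == "__main__":
    for who in ("fulfillment", "billing", "unknown"):
        print(f"--- document delivered to {who} ---")
        print(censor_order(ORDER_XML, who))
```

Because the projection is driven by the recipient's identity, the same mechanism gives the "granular control over what data gets sent to whom" the chapter describes once it sits behind authentication; the allow-list is the only place that decides what leaves the server.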
Certificates are used by a variety of public key security services and applications that provide authentication, data integrity, and secure communications across nonsecure networks such as the Internet.

From the developer's perspective, use of a certificate requires that it be installed on the Web server and that the HTTPS protocol be used instead of the typical HTTP. Access to XML and XSL documents on the server can be handled through file access restrictions just like any other file on the server. Unfortunately, if you are performing client-side XSL transformations, all the files required to perform the transformation must be exposed to the Internet for anyone to use. One way to eliminate this exposure is to perform server-side transformation. All XML and XSL documents can reside safely on the server where they are transformed, and only the resultant document is sent to the client.

Having stated our personal opinions on the flaws we see in encrypting XML documents, we must report that the W3C is currently working on a specification for the XML Encryption namespace. The specification is currently a working draft focused upon structuring encrypted XML but also upon structuring the information necessary for the encryption/decryption process. You can find the draft at http://lists.w3.org/Archives/Public/xml-encryption/2000Dec/att-0024/01-XMLEncryption_v01.html.

XML Encryption

The goal of the XML Encryption specification is to describe a digitally encrypted Web resource using XML. The Web resource can be anything from an HTML document to a GIF file, or even an XML document.
With respect to XML documents, the specification provides for the encryption of an element including the start and end tags, the content within an element between the start and end tags, or the entire XML document. The encrypted data is structured using the <EncryptedData> element, which contains information pertaining to encrypting and/or decrypting the information. This information includes the pertinent encryption algorithm, the key used for encryption, references to external data objects, and either the encrypted data or a reference to the encrypted data. The schema as defined so far is shown in Figure 8.9.

Figure 8.9 XML Encryption DTD

```xml
<!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSCHEMA 200010//EN"
    "http://www.w3.org/2000/10/XMLSchema.dtd" [
  <!ATTLIST schema xmlns:ds CDATA #FIXED "http://www.w3.org/2000/10/XMLSchema">
  <!-- the draft declares "enc" twice; an XML parser binds the first declaration -->
  <!ENTITY enc "http://www.w3.org/2000/11/temp-xmlenc">
  <!ENTITY enc 'http://www.w3.org/2000/11/xmlenc#'>
  <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
]>
<schema xmlns="http://www.w3.org/2000/10/XMLSchema"
        xmlns:ds="&dsig;"
        xmlns:xenc="&enc;"
        targetNamespace="&enc;"
        version="0.1"
        elementFormDefault="qualified">

  <!-- top-level container: zero or more wrapped keys, optional method and
       key information, and the ciphertext (inline or by reference) -->
  <element name="EncryptedData">
    <complexType>
      <sequence>
        <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
        <element ref="xenc:EncryptionMethod" minOccurs="0"/>
        <element ref="ds:KeyInfo" minOccurs="0"/>
        <element ref="xenc:CipherText"/>
      </sequence>
      <attribute name="Id" type="ID" use="optional"/>
      <attribute name="Type" type="string" use="optional"/>
    </complexType>
  </element>

  <element name="EncryptedKey">
    <complexType>
      <sequence>
        <element ref="xenc:EncryptionMethod" minOccurs="0"/>
        <element ref="xenc:ReferenceList" minOccurs="0"/>
        <element ref="ds:KeyInfo" minOccurs="0"/>
        <element ref="xenc:CipherText1"/>
      </sequence>
      <attribute name="Id" type="ID" use="optional"/>
      <attribute name="NameKey" type="string" use="optional"/>
    </complexType>
  </element>

  <element name="EncryptedKeyReference">
    <complexType>
      <sequence>
        <element ref="ds:Transforms" minOccurs="0"/>
      </sequence>
      <attribute name="URI" type="uriReference"/>
    </complexType>
  </element>

  <!-- the algorithm is identified by URI; the Algorithm attribute is required -->
  <element name="EncryptionMethod">
    <complexType>
      <sequence>
        <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
      </sequence>
      <attribute name="Algorithm" type="uriReference" use="required"/>
    </complexType>
  </element>

  <element name="ReferenceList">
    <complexType>
      <sequence>
        <element ref="xenc:DataReference" minOccurs="0" maxOccurs="unbounded"/>
        <element ref="xenc:KeyReference" minOccurs="0" maxOccurs="unbounded"/>
      </sequence>
    </complexType>
  </element>

  <element name="DataReference">
    <complexType>
      <sequence>
        <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
      </sequence>
      <attribute name="URI" type="uriReference" use="optional"/>
    </complexType>
  </element>

  <element name="KeyReference">
    <complexType>
      <sequence>
        <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
      </sequence>
      <attribute name="URI" type="uriReference" use="optional"/>
    </complexType>
  </element>

  <!-- ciphertext is either carried inline (CipherText1) or referenced (CipherText2) -->
  <element name="CipherText">
    <complexType>
      <choice>
        <element ref="xenc:CipherText1"/>
        <element ref="xenc:CipherText2"/>
      </choice>
    </complexType>
  </element>

  <element name="CipherText1" type="ds:CryptoBinary"/>

  <element name="CipherText2">
    <complexType>
      <sequence>
        <element ref="ds:Transforms" minOccurs="0"/>
      </sequence>
      <attribute name="URI" type="uriReference" use="required"/>
    </complexType>
  </element>
</schema>
```
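A structural check of an <EncryptedData> element against the rules the Figure 8.9 schema spells out, as an added example that is neither the book's code nor a W3C implementation: it parses a constructed sample, verifies the child sequence of EncryptedData and EncryptedKey, the required Algorithm attribute on EncryptionMethod, the CipherText1/CipherText2 choice and the required URI on CipherText2, and reports every violation it finds. The namespace URIs are the ones in the figure; the algorithm URIs, key name and ciphertext values are placeholders, and nothing is actually decrypted.

```python
"""Validate the structure of an <EncryptedData> element per Figure 8.9.

Added example (not from the book or the W3C). It checks only the element
and attribute rules of the draft schema; the algorithm URIs, key name and
ciphertext in the samples are placeholders constructed for the example.
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2000/11/xmlenc#"    # &enc; in Figure 8.9
DSIG = "http://www.w3.org/2000/09/xmldsig#"   # &dsig; in Figure 8.9


def q(ns, local):
    """Clark-notation tag name used by ElementTree."""
    return f"{{{ns}}}{local}"


# Constructed, conforming sample: one wrapped key, method, key info, inline ciphertext.
SAMPLE = f"""<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DSIG}"
    Id="enc1" Type="Element">
  <xenc:EncryptedKey Id="key1" NameKey="placeholder-key-name">
    <xenc:EncryptionMethod Algorithm="urn:example:placeholder-key-wrap"/>
    <xenc:CipherText1>UExBQ0VIT0xERVI=</xenc:CipherText1>
  </xenc:EncryptedKey>
  <xenc:EncryptionMethod Algorithm="urn:example:placeholder-cipher"/>
  <ds:KeyInfo><ds:KeyName>placeholder-key-name</ds:KeyName></ds:KeyInfo>
  <xenc:CipherText>
    <xenc:CipherText1>UExBQ0VIT0xERVIgQ0lQSEVSVEVYVA==</xenc:CipherText1>
  </xenc:CipherText>
</xenc:EncryptedData>
"""

# Constructed, non-conforming sample: no CipherText, children out of order,
# EncryptionMethod without its required Algorithm attribute.
BROKEN = f"""<xenc:EncryptedData xmlns:xenc="{XENC}">
  <xenc:EncryptionMethod/>
  <xenc:EncryptedKey><xenc:CipherText1>AA==</xenc:CipherText1></xenc:EncryptedKey>
</xenc:EncryptedData>
"""


def _check_sequence(parent, spec, name):
    """Verify the children of `parent` follow the ordered (tag, min, max) spec,
    the way an xsd:sequence would; max=None means unbounded."""
    problems = []
    children = [c.tag for c in parent]
    i = 0
    for tag, lo, hi in spec:
        n = 0
        while i < len(children) and children[i] == tag:
            n += 1
            i += 1
        if n < lo:
            problems.append(f"{name}: missing required {tag}")
        if hi is not None and n > hi:
            problems.append(f"{name}: too many {tag}")
    if i < len(children):
        problems.append(f"{name}: unexpected or out-of-order child {children[i]}")
    return problems


def check_encrypted_data(xml_text):
    """Return a list of violations of the Figure 8.9 rules; empty means conforming."""
    root = ET.fromstring(xml_text)
    if root.tag != q(XENC, "EncryptedData"):
        return [f"root is {root.tag}, expected xenc:EncryptedData"]
    problems = _check_sequence(root, [
        (q(XENC, "EncryptedKey"), 0, None),
        (q(XENC, "EncryptionMethod"), 0, 1),
        (q(DSIG, "KeyInfo"), 0, 1),
        (q(XENC, "CipherText"), 1, 1),
    ], "EncryptedData")
    for ek in root.findall(q(XENC, "EncryptedKey")):
        problems += _check_sequence(ek, [
            (q(XENC, "EncryptionMethod"), 0, 1),
            (q(XENC, "ReferenceList"), 0, 1),
            (q(DSIG, "KeyInfo"), 0, 1),
            (q(XENC, "CipherText1"), 1, 1),
        ], "EncryptedKey")
    # Algorithm is use="required" on every EncryptionMethod, nested ones included
    for em in root.iter(q(XENC, "EncryptionMethod")):
        if "Algorithm" not in em.attrib:
            problems.append("EncryptionMethod lacks required Algorithm attribute")
    ct = root.find(q(XENC, "CipherText"))
    if ct is not None:
        kids = [c.tag for c in ct]
        if kids not in ([q(XENC, "CipherText1")], [q(XENC, "CipherText2")]):
            problems.append("CipherText must hold exactly one of CipherText1 or CipherText2")
        ct2 = ct.find(q(XENC, "CipherText2"))
        if ct2 is not None and "URI" not in ct2.attrib:
            problems.append("CipherText2 lacks required URI attribute")
    return problems


if __name__ == "__main__":
    print("conforming sample:", check_encrypted_data(SAMPLE) or "ok")
    print("broken sample:", check_encrypted_data(BROKEN))
```

A check like this only tells you that a received document is shaped the way the draft expects before any key material is looked up; it says nothing about the strength of the algorithm behind the URI or about who holds the key, which is exactly the layer the chapter says belongs above XML.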
Further excerpts from this chapter and from Chapter 9, as indexed by the source (each fragment starts and ends where the source truncates it, marked "..."; page numbers are those printed in the book):

(pp. 366-367) ... trying to achieve before relying on security to protect yourself. There may be other ways to accomplish what you wish by simply changing your process. Program defensively and trust no one. With these precautions taken, your XML will be as secure as anything can be that is on or off the Internet.

Solutions Fast Track

Defining ...

(p. 367) ... Internet.

Creating Web Applications Using XML

XML and XSL should be used in conjunction with HTML when creating your Web applications. With these tools, your Web applications will be easier to maintain and can support a wider variety of browsers.

XML should not only be used in communicating with different entities over the Internet, but should be used as a means of communication within your application ...

(pp. 367-368) ... XSL is a complete programming language, and at times may be more valuable than the information contained within the XML it transforms. When you perform client-side transformations, you expose your XSL in much the same way that HTML is exposed to the client.

Securing XML

Use existing methods of security to protect your XML.

(pp. 368-369) ... XML documents.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter ...

(pp. 369-370) ... like a great idea, but it is a very expensive operation that can bog down a Web server. When shooting out XML to the Web, you typically don't need a schema, though it is a great way to document your XML.

Q: How can I use XSL to make my applications completely browser independent?

A: XSL is a tool you can use to ...

(pp. 370-372) ... cell phones.

Chapter 9: Building Safe ActiveX Internet Controls

Solutions in this chapter:
- The Dangers Associated with Using ActiveX
- Methodology for Writing Safe ActiveX Controls
- Securing ActiveX Controls
- Summary
- Solutions Fast Track
- Frequently Asked Questions

(pp. 373-374) ... Coordination Center (CERT/CC), this control is incorrectly marked as "safe for scripting" when it is shipped with Internet Explorer versions 4.0 and 5.0. As a result, a hacker could write malicious code to access and execute this control without you ever knowing that it has happened. Two well-known ...

(pp. 375-376) ... infamous Windows Exploder control. This was a neat little ActiveX control written by Fred McLain (www.halcyon.com/mclain/ActiveX) that demonstrates what he calls "dangerous" technology. All his control does is perform a clean shutdown and power-off of the affected Windows system. Now this ...

(pp. 376-377) ... unwanted characters on your screen, or it may kill your browser and in turn lock up your system. This problem has plagued the UNIX/Linux world for years, but recently has become more and more noticeable on the Windows platform. If you browse the top IT security topics at Microsoft TechNet (www.microsoft.com/technet/security/current.asp), ...

(pp. 377-378) ... the current version will be used, especially if it can be exploited in some way. Although you will get an error message when you use a control that has an expired signature, a lot of people will install it anyway just because it still has your name on it (see Figure 9.5). Unfortunately, ...

Posted: 14/08/2014, 04:21