INVERSION OF CONTROL
CONTEXT
In the old days APIs were strictly request-response, client-server protocols; today they are a glue layer. With mobile, HTML5 and other technologies we see many applications in which the server pushes data to the client, rather than the client always initiating the exchange.
Since most security protocols are built to trust servers and distrust clients, this turns the security model upside down as well: the client is now the party receiving unsolicited input and has to decide whether to trust it.
VULNERABILITIES
Clients lack the protection and isolation of a DMZ: a pushed message or redirect arrives directly at application code with no perimeter in front of it.
IDENTIFICATION & TRACKING
Build and maintain an explicit allowlist of permitted client redirect targets and of the server origins that are authorized to connect to, or push to, the client.
COUNTERMEASURE(S)
A full client-side DMZ is impractical. However, a client-side sandbox combined with server-side restrictions such as session management and control-flow enforcement is possible. Clients should accept pushes only from servers on an explicit allowlist of origins, over strongly authenticated and encrypted channels (at minimum TLS with proper server certificate validation), and should validate every pushed message and redirect target against that allowlist before acting on it.
ASSURANCE
Pentesting is generally a server-centric exercise, but mobile and other push-based applications require a synthetic test suite that exercises the application end to end, including a test server that sends unauthorized, malformed and spoofed-origin pushes, in order to identify client-side issues.
The Curious Case of Inversion of Control