CloudServices/Roadmaps/SimplePush-Server/SecCodeReview
Contents
- 1 Access Information
- 1.1 How is the application accessed?
- 1.2 Is the application internal or publicly available
- 1.3 If it is internal, what mechanism prevents non-members from accessing it?
- 1.4 Are there links to user-only resources displayed to non-users?
- 1.5 Are login pages secured with SSL over HTTPS?
- 1.6 If HTTPS is used, is Strict Transport Security set?
- 2 Infrastructure and Backends
- 3 Accounts and Passwords
- 4 Session Management
- 5 Third-Party Resources
- 6 Data Handling
- 6.1 What kind of data is transferred between the user and the application?
- 6.2 Is this data generated by the user or generated automatically?
- 6.3 Can the data be trusted?
- 6.4 How is the data sent to the application (i.e. JSON format, plain-text, GET/POST, etc.)?
- 6.5 How is the data handled by the server/application?
- 6.6 Can the data be manipulated in transit?
- 6.7 What happens if the data is altered?
- 6.8 What is done with the data once it is received (i.e. stored in a database, displayed to users)?
- 6.9 Is any data storage done via cookies? If so, what kind of data is stored via this method?
- 7 Uploaded Data
- 8 Data Sensitivity
- 9 Application Administration
- 10 Security Coding Flaws
- 10.1 Have all user inputs been sanitized?
- 10.2 Is a maximum size for data (input or uploads) defined?
- 10.3 Do all URL variables pass through sanitization?
- 10.4 Is data from databases escaped properly?
- 10.5 Are CSRF tokens used to prevent POSTs from outside websites?
- 10.6 If a database is used, are protections against SQL injection in place?
- 10.7 Is validation done on the server side (not just client-side)?
- 10.8 Is output encoded in addition to sanitization of input?
- 10.9 Does the user ever send data to the OS level?
- 10.10 Are x-frame options sent to “deny” or “sameorigin”?
- 10.11 Is debug mode disabled?
- 11 Security Review Documentation
Access Information
How is the application accessed?
Application is accessed in two ways. The client accesses via a WebSock connection. Third party servers access via a single REST PUT call.
Is the application internal or publicly available
This application is publicly available.
If it is internal, what mechanism prevents non-members from accessing it?
N/A
Are there links to user-only resources displayed to non-users?
No user information is displayed. In fact, very little information is actually stored or used in this application.
Are login pages secured with SSL over HTTPS?
There are no Login pages.
If HTTPS is used, is Strict Transport Security set?
Infrastructure and Backends
What languages do the applications use?
The application was written in Go.
What database language is used if applicable?
The application uses Memcache as a generic key/value data store.
Are the running versions up to date?
Currently running: go version devel +79a1fec35802 Fri May 24 12:37:42 2013 -0400 linux/amd64 memcached 1.4.13
What server is it running on?
Currently, the application is running on an AWS dev machine. ec2-54-244-98-201.us-west-2.compute.amazonaws.com (I can provide you general use ssh keys or you can provide a public key for OpsSec use.)
Accounts and Passwords
While there are technically "accounts" no password is maintained for these. UAIDs are generated by the client and used solely to identify itself to the server.
Update Information associated with a given client is stored as a pair of UUID4 values. A User Agent ID (UAID) and a ChannelID. There is an option for REST endpoint hashing which uses a simple,reversible AES hash to prevent third party sites from potentially gaining unwarranted information about the connecting clients.
Session Management
No Session cookies are used.
Third-Party Resources
Only third party resources are source libraries included in the binary application.
This code has been reviewed both by the golang community at large and by the local engineer.
Data Handling
What kind of data is transferred between the user and the application?
Client sends identifying UAID, and known channels (channels are ignored) Server returns list of channel updates for a given UAID (invalid channels are ignored by client) Third party server sends a PUT request to an Server generated endpoint triggering a channel update if valid, associated data for the PUT request is ignored.
Is this data generated by the user or generated automatically?
All data is programatically generated.
Can the data be trusted?
Generally, yes. Incoming data from the client is mostly ignored.
How is the data sent to the application (i.e. JSON format, plain-text, GET/POST, etc.)?
WebSocket uses JSON as the transport protocol.
How is the data handled by the server/application?
Server merely registers a self-expiring timestamp value in Memcache when a UAID.ChannelID pair is received.
Can the data be manipulated in transit?
Yes. Manipulation is irrelevant.
What happens if the data is altered?
Nothing. Client still receives the update.
What is done with the data once it is received (i.e. stored in a database, displayed to users)?
It is stored into Memcache, and then the client is notified if attached. If the client is not attached, an optional proprietary wake signal may be sent (out of band for this review) at which time the remote device may reconnect and accept the updates, sending an ACK message after receipt.
Is any data storage done via cookies? If so, what kind of data is stored via this method?
No.
Uploaded Data
There is no user meaningful data stored using this service.
Data Sensitivity
What kind of data is being stored and/or manipulated by the application?
A timestamp value is stored. This value is simply a placeholder as any data value could be used.
Does this data need to be encrypted in transit? In storage?
No.
What is the impact if this data is lost/stolen?
Someone just created a really annoying NNTP server.
Is secure/sensitive data sent over SSL?
No senstitive data is exchanged.
Application Administration
All real service management is performed locally by the client service. The server is gleefully ignorant of anything other than the user UAID.
Security Coding Flaws
Have all user inputs been sanitized?
Yes
Is a maximum size for data (input or uploads) defined?
No, data is discarded.
Do all URL variables pass through sanitization?
No, data is discarded.
Is data from databases escaped properly?
Yes
Are CSRF tokens used to prevent POSTs from outside websites?
POST values are not allowed.
If a database is used, are protections against SQL injection in place?
Database is not SQL based.
Is validation done on the server side (not just client-side)?
Data is discarded.
Is output encoded in addition to sanitization of input?
No.
Does the user ever send data to the OS level?
No.
Are x-frame options sent to “deny” or “sameorigin”?
No frames are used.
Is debug mode disabled?
Debugging merely increases logging output, and is controlled via server config options.
Additional Resources
Template for the above checks: https://docs.google.com/document/d/1SAzDuMwKUNN4_gdotqcv0oeZwLngjXjNYuZ2HZZaXp4/edit
Also, please view the WebAppSec Wiki: https://wiki.mozilla.org/WebAppSec
Security Review Documentation
Structure of a Security Review
This document covers five distinct activities and the documentation they produce when a security review is performed. Note that this guidance is prescriptive in that each component of a security review document should be produced, or a statement explaining why it wasn't should be included.
The goal of this document is to ensure that the Security Assurance team has a consistent format for the documentation we produce without enforcing a strict structure on how security review and testing is performed.
Architecture Diagram
External services, marked in yellow, communicate to the server which acts as a notification event proxy.
Detailed Application Diagram
The SimplePush server has been greatly simplified from the standard protocol in order to meet expected load issues. Where possible, stateful data has been eliminated or factored against (e.g. the normal protocol defines that the client return a list of known ChannelIDs for a given UAID that the server would filter incoming requests against. Since the client discards unknown ChannelIDs, the decision was made that those ChannelIDs would be passed to the client, and left to the client to discard.)
There is some consideration being made that the data *not* be written to memcache immediately, but only if the client fails to ACK the data as it's being sent (client is offline or fails to ACK data sent by the connected server thread).
Data-flow Enumeration
| ID | Origin | Destination | Description |
| 1 | Client | Server | Client connects via WebSocket protocol and sends a "hello" JSON packet containing the clients UAID. |
| 2 | Server | Client | Server responds with a "hello" JSON response. Server records that the UAID is now active and associates it to the listening websocket connection. |
| 3a | Server | Client | Server checks if there is outbound ChannelID updates for UAID and sends them as a "notification" packet" |
| 3b | Client | Server | Client "ack"s the Notification packet. Server deletes any "ack'd" notifications and re-flushes (see step 3a) until no more notifications are present. |
| 4 | Client | Server | Client registers a new ChannelID and receives a new "endpoint" URL |
| 4a | Client | App | (OUT OF BAND) The client relays the Endpoint to the app, which then communicates it back to 3rdPartyServer for later use. |
| 5 | 3rdPartyServer | Server | 3rdPartyServer PUTS to "endpoint". The specification requests that the server use "?v=..." however this version information is discarded by the Server. The server records the event to a record in memcache identified by UAID.ChannelID |
| 5a | Server | Client | IFF the client is actively connected, Server conducts a flush (See step 3*) |
| 5b | Server | Magic | IFF the client is not currently connected, an Proprietary Wake Up method may be employed. The client reconnects and starts at Step 1. |
Threat Analysis
A good deal of effort was put forth to reduce the amount of usable data and value of attack for this product.
The service is designed to allow remote sites to "wake" an app on a user's device. All actual function happens on the client. If an attacker manages to either identify or use the two UUID4 entries, the most they could do is repeatedly wake an application until the app decides to re-register another ChannelID. An attacker could use this to possibly reduce battery life or increase data costs for a user, but even then, there are much more effective means of doing this.
Security Testing
The security test plan is a brief explanation of security testing that should be performed, and should include an explanation of what tasks are to be performed, and the approximate amount of time spent performing those tasks.
