Friday, June 26, 2009

What kinds of exploits are there for the DOM model, and how can they be mitigated?

The Document Object Model is defined by the W3C as:

“The Document Object Model is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents. The document can be further processed and the results of that processing can be incorporated back into the presented page. This is an overview of DOM-related materials here at W3C and around the web.” (W3C) [i]


The DOM is an application programming interface (API) designed to give web developers access to the functions and objects within a page via JavaScript. This allows page and site elements to be created and updated flexibly, in a manner most programmers already understand. Although the DOM is normally driven by JavaScript executing within the client browser, it may also be driven by other languages, including but not limited to VBScript, C# and ASP.NET. (W3Schools) [ii] Since the DOM model is platform independent, it may be manipulated by any script.


Functionality vs. Security: the Balance

The functionality of any API is always inversely proportional to the security of that API. (Reguly) [iii] (Howard) [iv]


Exploits

The primary and most common type of DOM exploit is a form of XSS, or Cross Site Scripting. The one type specific to the DOM is the local (DOM-based) XSS attack as defined by Klein. (Klein) [v]

The second type of DOM exploit is the good old buffer overflow. (Wikipedia) [vi] Since all new browsers must be DOM compliant to function, the browser must allow the execution and use of DOM methods. This opens a potential attack vector for malicious code that, through a DOM call, overruns a given variable's memory buffer. Since the most common browser on the internet is Internet Explorer there have been many DOM-related buffer overflows, but I will provide one here. (Microsoft) [vii]

Every browser on every platform has had a buffer overflow at one time or another; they arise as a risk when the memory of a called object is not properly allocated or recovered during that object's instantiation. Since on most Microsoft platforms the browser runs under the local user's identity (which usually has administrative rights to the machine), a successful buffer overflow gives the author of the malicious code the ability to execute arbitrary code with administrative privileges. In hacking circles this is called “owning” the box. Once a box has been “owned” it may be used as a remote spam server, a zombie for DDoS or DoS attacks, for identity theft, or for whatever nefarious purpose the malicious code writer intended.

There is also “clickjacking”; however, it is a derivative of cross site scripting, primarily used to drain the advertising budgets of competitors in order to improve one's own ad rank within search-engine-powered keyword systems.


Mitigations

To achieve any security one must limit the type and function of object calls and implement systems with features such as automated memory management and verification. (Stallings) [viii] Another method used to mitigate buffer overflows is loading libraries in random order at operating system startup. (OpenBSD) [ix] The primary and best method to protect against XSS and buffer overflow attacks, however, is to disable scripting altogether, requiring the user to verify whether or not a site maintains valid code. (Maone) [x] The only alternative to this would be to implement dynamic online content validation as mentioned by Heflin et al., (Heflin et al.) [xi] where all content carries a third-party encrypted checksum with integrated public keys, thus leveraging the checksumming methods of cryptographic systems to certify content.
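The mitigations above act at the browser and content-distribution level. As an added example (not code from the original post or from Klein's paper), the following models the local, DOM-based XSS from the Exploits section in a hypothetical greeting page that reads a name from the URL fragment, and shows the application-side mitigation this post does not spell out: allowlist validation at the source plus HTML escaping before the sink. The page, the fragment format and the function names are all assumptions of this example.

```javascript
// Added example, not from the original post. It models the DOM-based ("local")
// XSS described in the Exploits section: a hypothetical greeting page reads a
// name from the URL fragment and writes it into the page. The unsafe builder
// returns the string such a page would assign to innerHTML (the sink); the safe
// builder validates the name at the source and escapes it before any sink.
// Everything below is self-contained and runs in Node without a browser.

// Source: pull "name" out of a fragment such as "#name=Alice&lang=en".
function parseNameFromFragment(fragment) {
  const match = /^#?name=([^&]*)/.exec(fragment);
  return match ? decodeURIComponent(match[1]) : "";
}

// Vulnerable path: untrusted fragment data flows straight into markup.
// In the real page this string would be assigned to element.innerHTML,
// so any tag in the fragment is parsed as HTML instead of shown as text.
function buildGreetingUnsafe(fragment) {
  return "Hello " + parseNameFromFragment(fragment);
}

// Mitigation 1: allowlist validation at the source. Only letters, combining
// marks, spaces and a few name punctuation characters, up to 64 characters.
function isPlainName(name) {
  return /^[\p{L}\p{M} .'-]{1,64}$/u.test(name);
}

// Mitigation 2: escape the five HTML metacharacters before an HTML sink.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened path: reject anything that is not a plain name, then escape what
// remains (defence in depth, in case the allowlist is later relaxed). Returns
// null when the fragment is rejected so the caller renders a fixed fallback
// rather than the untrusted value. Writing the result with element.textContent
// instead of innerHTML removes the HTML sink entirely.
function buildGreetingSafe(fragment) {
  const name = parseNameFromFragment(fragment);
  if (!isPlainName(name)) return null;
  return "Hello " + escapeHtml(name);
}

// Detection aid: does a string about to reach an HTML sink still hold raw markup?
function containsMarkup(text) {
  return /<[a-z!\/?]/i.test(text);
}

// Constructed sample fragment: a harmless <b> tag is enough to show whether
// markup taken from the URL would be interpreted ("%3C"/"%3E" are "<"/">").
const SAMPLE_FRAGMENT = "#name=%3Cb%3EAlice%3C/b%3E";

console.log(buildGreetingUnsafe(SAMPLE_FRAGMENT)); // markup reaches the sink
console.log(buildGreetingSafe(SAMPLE_FRAGMENT));   // null: rejected at the source
console.log(buildGreetingSafe("#name=Mary%20O'Neil"));
```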


References

[i] n.a. (W3C, January 19th 2005) Document Object Model [Online] World Wide Web, Available from: http://www.w3.org/DOM/ (Accessed on June 25th 2009)

[ii] n.a. (W3Schools, n.d.) JavaScript HTML DOM Objects [Online] World Wide Web, Available from: http://www.w3schools.com/js/js_obj_htmldom.asp (Accessed on June 25th 2009)

[iii] Reguly, Tyler (nCircle 360 Security, March 11th 2009) Functionality vs Security Who Wins? [Online] World Wide Web, Available from: http://blog.ncircle.com/blogs/vert/archives/2009/03/functionality_versus_security.html (Accessed on June 25th 2009)

[iv] Howard, Michael (Microsoft, March 2007) Security Development Lifecycle (SDL) Banned Function Calls [Online] World Wide Web, Available from: http://msdn.microsoft.com/en-us/library/bb288454.aspx (Accessed on June 25th 2009)

[v] Klein, Amit (Web Application Security Consortium, April 7th 2005) DOM Based Cross Site Scripting of the Third Kind [Online] World Wide Web, Available from: http://www.webappsec.org/projects/articles/071105.shtml (Accessed on June 25th 2009)

[vi] n.a. (Wikipedia, June 19th 2009) Buffer Overflow [Online] World Wide Web, Available from: http://en.wikipedia.org/wiki/Buffer_overflow (Accessed on June 25th 2009)

[vii] n.a. (Microsoft, December 13th 2005) Microsoft Security Bulletin MS05-054, KB 905915 [Online] World Wide Web, Available from: http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx (Accessed on June 25th 2009)

[viii] Stallings, William (Prentice Hall, 2008) Operating Systems, 6th ed., Section 7.5 Security Issues, p. 331 [Online] World Wide Web, Available from: http://books.google.ca/books?id=dBQFXs5NPEYC&pg=PA331&lpg=PA331&dq=Memory+Management+Security&source=bl&ots=CtpS0WeuF8&sig=ws4AjP5HPHEPQ9DHx1X2oxfkSZs&hl=en&ei=h3FFSuLGO4WEtwf-8OCVBg&sa=X&oi=book_result&ct=result&resnum=4 (Accessed on June 25th 2009)

[ix] n.a. (OpenBSD Foundation, October 3rd 2006) OpenBSD 3.4 Release Notes [Online] World Wide Web, Available from: http://www.openbsd.org/34.html (Accessed on June 25th 2009)

[x] Maone, Giorgio (NoScript, n.d.) NoScript Project Home Page [Online] World Wide Web, Available from: http://noscript.net/ (Accessed on June 25th 2009)

[xi] Heflin, J; Hendler, J (University of Maryland, IEEE, March 4th 2004) Intelligent Systems Volume 16 Issue 2, A Portrait of the Semantic Web in Action [Online] PDF Document, Available from: http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=920600 (Accessed on June 25th 2009)

Thursday, June 11, 2009

Have webforms changed the workflow paradigm?

The International Organization for Standardization (ISO) refers to a “business workflow” as “A sequence of Operations and or Work for an individual or group of persons either itself or as a process”. (ISO) [i] The origins of business workflows and workflow analysis are rooted in Operations Management. (Pilkington et al.) [ii]

Requirements Analysis and Engineering is a method used within software engineering to elicit, in a structured manner, the clients' conditions and needs for a proposed software solution to a business issue, so as to facilitate the primary stages of software design. (DoD) [iii] This method utilizes “Stakeholder Identification”, “Interviews”, “Requirements Lists”, “Measurable Goals” and various forms of “Prototyping”.

Since all web forms are implemented in software, they should meet software engineering standards and requirements gathering should be conducted beforehand; in reality this is not always the case. However, for the purposes of this argument we will assume that all web sites and forms are software and therefore should be developed according to existing models to reduce the risk of project failure and price overruns. (Jain) [iv]

There are many software development models and for the purposes of brevity we will not open a discussion of them here; we will simply state that these models exist and that each model has its own method for development and lifecycle control. This includes where data may be gathered and at which points within the workflow process data should be elicited from the client using the developed application. These models include the Waterfall (Boehm) [v], Agile (Cockburn) [vi], Extreme (Beck) [vii] and Iterative (Basili) [viii] models. Each of these models is affected by the Boehm spiral, where cost and complexity are proportional to the software version and its development history, e.g. the longer the development cycle and the older the software, the more it costs in both man-hours and monetary terms to maintain.

Just as there are software development models, the world of Business Analysis would not be complete without project and workflow management models and standards. These include the Project Management Institute's PMBOK (Jaeger) [ix], IBM's Rational Unified Process (Krebs) [x] and, to a certain degree, the Unified Modeling Language (UML) [xi]. The IEEE and ISO have derivatives of the previous processes, such as the ISO 9000 certification; however, these are accreditations for institutions regarding management and not the frameworks and models themselves.


Data Collection and Workflow Management

The methods used to identify how data is collected, stored, and used to generate business intelligence, income, sales leads and revenue have been impacted immensely by the advent of the information age. eCommerce and B2B systems have emerged as new markets for previously location-limited businesses in the worlds of retail sales, software development, business consultation, bookkeeping and accounting, as well as entertainment. Communications across all businesses have been forever changed to require a web site and e-mail based communications. The global software market alone is valued at $203.4 billion as of 2006 and is expected to grow to $271 billion by 2011 (Datamonitor) [xii]; this does not include other business sectors such as retail sales, mining and manufacturing, consumer electronics, et cetera, ad nauseam. Each of the market segments benefits in various ways from a web presence, and workflow integration with business intelligence has given rise to the “BI” sector within the ERP and CRM software markets.

How workflows relate to a given web form depends upon the core business of the web site's parent company; a car manufacturer may use the web form for marketing and price quotation, thus generating potential business and valuable marketing information regarding their products in real time. Whereas an online music store such as iTunes, Beatport or Napster utilizes web forms as a method to interface directly with their clients throughout the entire sales process. Some of the world's most valued companies exist exclusively online and function around a core web site; these include search engines such as Google, eCommerce sites such as eBay and payment processors such as PayPal. Although their per-capita margins are small, the volume of transfer for each of these sites is in the billions, and therefore even though they may only make a 1% margin on sales (Google sells AdWords, eBay charges $3.99 per auction, and PayPal has moderate service fees), due to the sheer volume of clients these businesses are worth billions individually; as we can see, Google alone is worth 135 billion dollars. (Google Finance) [xiii]

Therefore not only are web forms important to a business, but how they generate data, the methods used to manage and leverage that data and the very nature of the paradigm of a given workflow have been forever changed for most if not all industrial and non-industrial businesses. Previously you had to purchase advertising space in a given market from various publications; today you may simply set up a web site and send out advertising referring back to that site, or, if the site is a service, let word of mouth carry the burden of marketing.

Thus the paradigm has changed: the nature by which businesses function, how software as a platform functions, and the nature by which we collaborate and maintain our businesses and their respective communications have forever been changed by the web.

References



[i] N.a. (ISO 2006) Health informatics -- Digital imaging and communication in medicine (DICOM) including workflow and data management [Online] PDF Document, Available from: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43218 (Accessed on: June 11th 2009)

[ii] Pilkington, Alan; Meredith, Jack (University of London, Wake Forest University, November 2008) The evolution of the intellectual structure of operations management 1980–2006: A citation/co-citation analysis [Online] PDF Document, Available from: http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6VB7-4T84K5P-1&_user=10&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=dcda044cc1d0bcf78c8f9a38c50f1770 (Accessed on: June 11th 2009)

[iii] N.a. (Department of Defence, Systems Management College, January 2001) Systems Engineering Fundamentals [Online] PDF Document, available from: http://www.dau.mil/pubs/pdf/SEFGuide%2001-01.pdf (Accessed on June 11th 2009)

[iv] Jain, Deepak (Code Project, January 11th 2007) Importance of Processes and Standards in Software Development [Online] World Wide Web, Available from: http://www.codeproject.com/KB/work/Process.aspx (Accessed on June 11th 2009)

[v] Boehm, B; (ACM, 1986) A spiral model of software development and enhancement [Online] PDF Document, Available from: http://portal.acm.org/citation.cfm?id=12944.12948 (Accessed on June 11th 2009)

[vi] Cockburn, A (A Cockburn, 2001) Agile Development [Online] PDF Document, Available from: http://www.imamu.edu.sa/Scientific_selections/Documents/IT/AgileSwDevDraft3.pdf (Accessed on June 11th 2009)

[vii] Jeffries, R; (XP Programming.com, November 8th 2001) What is Extreme Programming? [Online] World Wide Web, Available from: http://www.xprogramming.com/xpmag/whatisxp.htm (Accessed on June 11th 2009)

[viii] Basili, V. R. (IEEE 1990) Viewing Maintenance as Reuse-Oriented Software Development [Online] PDF Document, Available from: http://www.cs.umd.edu/projects/SoftEng/ESEG/papers/82.37.pdf (Accessed on June 11th 2009)

[ix] De Jager, J-M; (12Manage, 2004) PMBOK information Page [Online] World Wide Web, Available from: http://www.12manage.com/methods_pmi_pmbok.html (Accessed on June 11th 2009)

[x] Krebs, Joe (IBM, January 15th 2007) The value of RUP Certification [Online] World Wide Web, Available from: http://www.ibm.com/developerworks/rational/library/jan07/krebs/index.html (Accessed on June 11th 2009)

[xi] N.a. (UML Organization, February 2009) UML Version 2.2 Formal Specification [Online] PDF Document, Available from: http://www.omg.org/spec/UML/2.2/ (Accessed on June 11th 2009)

[xii] N.a. (Datamonitor, 2006) The global software market report [Online] World Wide Web, Available from: http://74.125.95.132/search?q=cache:Yhs8myEjdJ8J:www.infoedge.com/product_type.asp%3Fproduct%3DDO-4959+global+market+value+software&cd=1&hl=en&ct=clnk&gl=ca&client=firefox-a (Accessed on June 11th 2006)

[xiii] N.a. (Nasdaq, June 11th 2009) Google Finance Quote for GOOG [Online] World Wide Web, Available from: http://www.google.ca/finance?client=ob&q=NASDAQ:GOOG (Accessed on June 11th 2009)

Tuesday, June 9, 2009

How will the growing web impact your future, and your children's future?

The web is growing at an exponential rate as a result of Moore's Law (Moore) [i], and this drives the “cost” of information down in inverse proportion: as processing power doubles, so too do storage, bandwidth and all other related technology. The result is a reduction in the cost of all technology; thus what once could host only 1000 web pages may now host 10,000, and so the ability to host increases exponentially every 18 months.

Information and knowledge want to be free as a result of their very nature, as stated by Stewart Brand. (Clarke) [ii] This results in the instantaneous availability of massive amounts of information, and is the reason we now refer to the present as the “Information Age”. (Ulmer) [iii]

We may easily fill volumes regarding what is now available and how this impacts everyday life; however, looking to the future, the prediction I foresee is the advent of wearable computing and communications, as seen with MIT Media Lab's SixthSense. (Maes) [iv]

Ready access to this information has brought about some other industries as a result; these include the online search engine, source verification engines, semi-automated human resource modules and fully automated text-based search functions for every industry from electrical engineering to auto manufacturing.

As the volume of information grows simply being able to navigate this volume effectively becomes a life skill. We will require intelligent systems that fully leverage mammalian models to ensure that we can understand the segments of information we choose to digest. (Rodriguez et al.)[v]

This volume of information and its access to communications has already changed the way we wage war (USAF) [vi], how we shop, how we research medicine and how we make life choices concerning everything from our education to daily consumption. Thus the volume of information enriches everyone's life by allowing each individual to delve into their respective interests and communicate instantaneously around the globe.

The impact this will have on my children's lives will be far greater than on mine; as a first-generation information-age person myself, I am duly biased. I have had access to the web for most of my adult life; I cannot imagine the impact this information will have on my children.

I plan on ensuring that they know how to use the web, and that they become selective consumers of “good” media. Ideally I'd like to teach my children how to avoid the various propaganda, pornography and other wasteful entertainment online; by arming them with the tools to recognize the good from the bad, I hope that the World Wide Web becomes an even more valuable resource for future generations than it is today.

Pandora's Box was never so big or so cluttered.


References



[i] Moore, Gordon (Intel, 1965) Moore’s Law [Online] World Wide Web, Available from: http://www.intel.com/technology/mooreslaw/ (Accessed on June 9th 2009)

[ii] Clarke, Roger (Xamax Consultancy, 2001) Information Wants to be Free [Online] World Wide Web, Available from: http://www.rogerclarke.com/II/IWtbF.html (Accessed on June 9th 2009)

[iii] Ulmer, Dave (Ulmer, December 23rd 2006) Beyond the Information Age [Online] World Wide Web, Available from: http://www.vias.org/beyinfoage/index.html (Accessed on June 9th 2009)

[iv] Maes, Pattie (MIT, TED, February 2009) A Sixth Sense Lecture [Online] World Wide Web, Available from: http://www.ted.com/talks/pattie_maes_demos_the_sixth_sense.html (Accessed on June 9th 2009)

[v] Rodriguez, Marko A. (Vrije Universiteit Brussel, Belgium, June 2006) The Hyper-Cortex of Human Collective-Intelligence Systems [Online] PDF Document, Available from: http://arxiv.org/ftp/cs/papers/0506/0506024.pdf (Accessed on June 9th 2009)

[vi] N.a. (USAF, April 18th 2008) AFCYBER works to define scope of new 450th Electronic Warfare Wing [Online] World Wide Web, Available from: http://thesop.org/index.php?article=10755 (Accessed on June 9th 2009)