Womcat Bookmarks Security Issues

Copyright (C) 2002 Philip Dorrell

Womcat Bookmarks has been implemented as a local web application. The three components are:

All of these components potentially need to be secured.

What is a Hostile URL?

If you run an application on a local web server that accesses otherwise protected data, a malicious user can drive that application indirectly: they place URLs for the local web application on web pages under their control, and your browser, which can reach the local server, follows them. (This is the pattern now called cross-site request forgery.)

For example, in Womcat Bookmarks, such a page might carry a URL that, when you follow it, inserts an offensive web site into your personal bookmarks list.

It is in the nature of web browsing that users do not, and sometimes cannot, verify URLs before clicking on links that activate them. So URLs that "do something" present a problem.

The solution I have used is for the local web application to generate a unique, unpredictable password every time it starts up. URLs that do anything other than read and display data require this password before they will execute. The application places the password as a hidden field in every form it generates, and nowhere else. Because a page served from another site cannot read the password, its presence authenticates a form submission as originating from a page the application itself produced. Requests that only read and display data remain linkable from anywhere, which is what keeps ordinary bookmark browsing working.

HTTP Referral Headers

It is not possible to use URL passwords to authenticate ordinary "<A HREF"-style links, for the following reason: browsers "leak" the URL of a page, including all of its query parameters, to any site linked from that page, via the "Referer" header. A password carried in a link's query string would therefore reach every third-party site linked from the resulting page (and would also land in browser history and server logs). To avoid this leakage, all authenticated requests should be made via forms using the POST method, as web browsers do not include POST body parameters in "Referer" headers.

Note that it cannot be helped that a user of the Womcat Bookmarks application will leak URLs for Womcat Bookmarks application pages to the web sites linked from those pages, unless the user has a web browser that allows total suppression of "Referer" headers, or uses a local web proxy to achieve the same effect. (Current browsers also honour a "Referrer-Policy: no-referrer" response header, or rel="noreferrer" on a link, which lets the application itself suppress the header.) For example, if you select a link while browsing the subject "Mathematics", the web master at the site hosting that link will receive a "Referer" header containing the URL "http://localhost:17290/womcat/object?class=Subject&i_subject=en%2FMathematics&action=show", and will know that the user accessing their page was referred to it by their Womcat Bookmarks application, and which subject they were browsing at the time.
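The following is an added example, not Womcat's own code, that puts together the two rules discussed above: a password generated once per startup that is only ever emitted inside POST forms and is required for every state-changing action, and suppression of the "Referer" header on the pages the application serves. The action names ("show", "list", "add", "delete"), the parameter name "password", the handler class and the helper functions are assumptions made for illustration; the port 17290 is taken from the example URL above.

```python
import hmac
import html
import secrets
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Hypothetical stand-in for the per-startup password described above:
# generated once per process, never written to disk, and only ever sent
# to the browser inside forms that this process itself rendered.
STARTUP_PASSWORD = secrets.token_urlsafe(32)

# Hypothetical action split. Read-only actions may be reached from any
# link; state-changing actions need POST plus the password.
READ_ACTIONS = {"show", "list"}
WRITE_ACTIONS = {"add", "delete"}


def authorize(method, params, expected=STARTUP_PASSWORD):
    """Decide whether a request may run. params is the dict returned by
    urllib.parse.parse_qs (values are lists). Returns (allowed, reason)."""
    action = params.get("action", [""])[0]
    if action in READ_ACTIONS:
        return True, "read-only action; no password needed"
    if action not in WRITE_ACTIONS:
        return False, "unknown action"
    if method != "POST":
        # A password in a GET URL would leak via Referer headers, browser
        # history and logs, so GET is never allowed to carry it.
        return False, "state-changing action must be a POST form submission"
    supplied = params.get("password", [""])[0]
    # Constant-time comparison; also False when lengths differ.
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or wrong password"
    return True, "authenticated form submission"


def render_add_form(expected=STARTUP_PASSWORD):
    """Form for a state-changing action: POST, with the password as a
    hidden field. This is the only place the password is ever emitted."""
    return (
        '<form method="POST" action="/womcat/object">'
        '<input type="hidden" name="action" value="add">'
        f'<input type="hidden" name="password" value="{html.escape(expected)}">'
        '<input type="text" name="url">'
        '<input type="submit" value="Add bookmark">'
        "</form>"
    )


def render_outbound_link(url):
    """Link to an external site. rel="noreferrer" asks current browsers not
    to send the local page URL as Referer (the page relied on browser or
    proxy settings for this; the attribute did not exist in 2002)."""
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="noreferrer">{safe}</a>'


class WomcatLikeHandler(BaseHTTPRequestHandler):
    """Toy request handler applying the two rules above."""

    def do_GET(self):
        params = parse_qs(urlparse(self.path).query)
        ok, reason = authorize("GET", params)
        body = reason
        if ok:
            body += render_add_form() + render_outbound_link("http://example.com/")
        self._reply(ok, body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        params = parse_qs(self.rfile.read(length).decode("utf-8"))
        ok, reason = authorize("POST", params)
        self._reply(ok, reason)

    def _reply(self, ok, body):
        self.send_response(HTTPStatus.OK if ok else HTTPStatus.FORBIDDEN)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # Ask current browsers never to send this page's URL as Referer.
        self.send_header("Referrer-Policy", "no-referrer")
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))


if __name__ == "__main__":
    # Loopback only: remote hosts cannot connect, but the user's own
    # browser can, which is exactly why the password check is still needed.
    HTTPServer(("127.0.0.1", 17290), WomcatLikeHandler).serve_forever()
```

Binding to 127.0.0.1 keeps other machines out, but does nothing against a hostile URL, since the request that follows it comes from the user's own browser on the same machine; that is the gap the per-startup password closes. A hostile page can still make the browser issue GET requests for read-only actions, so anything with side effects must be kept out of READ_ACTIONS.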

Conclusion

Running a local web application while connected to the Internet, one that can itself be linked to from the Internet (including via a URI protocol handler) and that links back out to potentially untrusted web sites, does require an awareness of security issues. However, the risks are similar to those of any other Internet application that processes data from untrusted sources.

The default configuration of the application should provide a satisfactory level of security. But, given that Womcat Bookmarks is free software licensed under the LGPL, remember that there is NO WARRANTY!