SlideShare ist ein Scribd-Unternehmen logo

02-browser-sec-model-sop.pptx

Als PPTX, PDF herunterladen
S
ssuserec53e73

security

Bildung
1 von 37
Basic Web Security Model: The Same-Origin Policy and Implications Tyler Moore Many slides from John Mitchell, Stanford Web Security Group and Vitaly Shmatikov, Cornell CS 4413/6013: Secure Electronic Commerce Spring 2019 1
Analogy Operating system • Primitives – System calls – Processes – Disk • Principals: Users – Discretionary access control • Vulnerabilities – Buffer overflow – Root exploit Web browser • Primitives – Document object model – Frames – Cookies / localStorage • Principals: “Origins” – Mandatory access control • Vulnerabilities – Cross-site scripting – Cross-site request forgery 2
ISOLATION 3
Content Comes from Many Sources u Scripts <script src=“//site.com/script.js”> </script> u Frames <iframe src=“//site.com/frame.html”> </iframe> u Stylesheets (CSS) <link rel=“stylesheet” type="text/css” href=“//site.com/theme.css" /> u Objects (Flash) - using swfobject.js script <script> var so = new SWFObject(‘//site.com/flash.swf', …); so.addParam(‘allowscriptaccess', ‘always'); so.write('flashdiv'); </script> slide 4 Allows Flash object to communicate with external scripts, navigate frames, open windows
Browser Sandbox u Goal: safely execute JavaScript code provided by a website • No direct file access, limited access to OS, network, browser data, content that came from other websites u Same origin policy • Can only access properties of documents and windows from the same domain, protocol, and port u User can grant privileges to signed scripts • UniversalBrowserRead/Write, UniversalFileRead, UniversalSendMail slide 5
Same Origin Policy (SOP) for DOM: Origin A can access origin B’s DOM if A and B have same (protocol, domain, port) Same Origin Policy (SOP) for cookies: Generally, based on ([protocol], domain, path) optional protocol://domain:port/path?params Same Origin Policy slide 6
Setting Cookies by Server slide 7 scope • Delete cookie by setting “expires” to date in past • Default scope is domain and path of setting URL Browser Server GET … HTTP Header: Set-cookie: NAME=VALUE; domain = (when to send); path = (when to send); secure = (only send over HTTPS); expires = (when expires); HttpOnly if expires=NULL: this session only
Viewing Cookies in Browser slide 8
Both cookies stored in browser’s cookie jar, both are in scope of login.site.com cookie 1 name = userid value = test domain = login.site.com path = / secure cookie 2 name = userid value = test123 domain = .site.com path = / secure distinct cookies Cookie Identification slide 9 Cookies are identified by (name, domain, path)
domain: any domain suffix of URL-hostname, except top-level domain (TLD) Which cookies can be set by login.site.com? login.site.com can set cookies for all of .site.com but not for another site or TLD Problematic for sites like .utulsa.edu path: anything allowed domains login.site.com .site.com disallowed domains user.site.com othersite.com .com SOP for Writing Cookies slide 10     
Browser sends all cookies in URL scope: • cookie-domain is domain-suffix of URL-domain • cookie-path is prefix of URL-path • protocol=HTTPS if cookie is “secure” Goal: server only sees cookies in its scope GET //URL-domain/URL-path Cookie: NAME = VALUE SOP for Sending Cookies Browser Server slide 11
Examples of Cookie SOP http://checkout.site.com/ http://login.site.com/ https://login.site.com/ cookie 1 name = userid value = u1 domain = login.site.com path = / secure cookie 2 name = userid value = u2 domain = .site.com path = / non-secure both set by login.site.com cookie: userid=u2 cookie: userid=u2 cookie: userid=u1; userid=u2 (arbitrary order; in FF3 most specific first) slide 12
Cookie Protocol Issues u What does the server know about the cookie sent to it by the browser? u Server only sees Cookie: Name=Value … does not see cookie attributes (e.g., “secure”) … does not see which domain set the cookie • RFC 2109 (cookie RFC) has an option for including domain, path in Cookie header, but not supported by browsers slide 13
u Alice logs in at login.site.com • login.site.com sets session-id cookie for .site.com u Alice visits evil.site.com • Overwrites .site.com session-id cookie with session-id of user “badguy” - not a violation of SOP! (why?) u Alice visits cs6013.site.com to submit homework • cs7403.site.com thinks it is talking to “badguy” u Problem: cs6013.site.com expects session-id from login.site.com, cannot tell that session-id cookie has been overwritten by a “sibling” domain Who Set The Cookie? slide 14
Overwriting “Secure” Cookies u Alice logs in at https://www.google.com https://www.google.com/accounts u Alice visits http://www.google.com • Automatically, due to the phishing filter u Network attacker can inject into response Set-Cookie: LSID=badguy; secure • Browser thinks this cookie came from http://google.com, allows it to overwrite secure cookie slide 15 LSID, GAUSR are “secure” cookies
Accessing Cookies via DOM u Same domain scoping rules as for sending cookies to the server u document.cookie returns a string with all cookies available for the document • Often used in JavaScript to customize page u Javascript can set and delete cookies via DOM – document.cookie = “name=value; expires=…; ” – document.cookie = “name=; expires= Thu, 01-Jan-70” slide 16
Path Separation Is Not Secure Cookie SOP: path separation when the browser visits x.com/A, it does not send the cookies of x.com/B This is done for efficiency, not security! DOM SOP: no path separation A script from x.com/A can read DOM of x.com/B <iframe src=“x.com/B"></iframe> alert(frames[0].document.cookie); slide 17
Caution: <script> tags exempt from Same-Origin Policy! u Same origin policy does not apply to directly included scripts (not enclosed in an iframe) • This script has privileges of A.com, not VeriSign – Can change other pages from A.com origin, load more scripts • Upshot: Never load an external script that you don’t completely trust with a <script> tag <script type="text/javascript" src=https://seal.verisign.com/getseal?host_name=A.com> </script> slide 18 VeriSign
NAVIGATION slide 19
Frames and iFrames u Window may contain frames from different sources • frame: rigid division as part of frameset • iframe: floating inline frame u Why use frames? • Delegate screen area to content from another source • Browser provides isolation based on frames • Parent may work even if frame is broken <IFRAME SRC="hello.html" WIDTH=450 HEIGHT=100> If you can see this, your browser doesn't understand IFRAME. </IFRAME> slide 20
u Each frame of a page has an origin • Origin = protocol://domain:port u Frame can access objects from its own origin • Network access, read/write DOM, cookies and localStorage u Frame cannot access objects associated with other origins A A B B A Browser Security Policy for Frames slide 21
Mashups slide 22
iGoogle (Now Defunct) slide 23
Cross-Frame Scripting u Frame A can execute a script that manipulates arbitrary DOM elements of Frame B only if Origin(A) = Origin(B) • Basic same origin policy, where origin is the protocol, domain, and port from which the frame was loaded u Some browsers used to allow any frame to navigate any other frame • Navigate = change where the content in the frame is loaded from • Navigation does not involve reading the frame’s old content u http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_win_frames slide 24
Suppose the following HTML is hosted at site.com u Disallowed access <iframe src="http://othersite.com"></iframe> alert( frames[0].contentDocument.body.innerHTML ) alert( frames[0].src ) u Allowed access <img src="http://othersite.com/logo.gif"> alert( images[0].height ) or frames[0].location.href = “http://mysite.com/” Frame SOP Examples Navigating child frame is allowed, but reading frame[0].src is not slide 25
Guninski Attack window.open("https://www.google.com/...") window.open("https://www.attacker.com/...", "awglogin") awglogin If bad frame can navigate sibling frames, attacker gets password! slide 26
Gadget Hijacking in Mashups top.frames[1].location = "http:/www.attacker.com/...“; top.frames[2].location = "http:/www.attacker.com/...“; ... slide 27
Gadget Hijacking slide 28 Modern browsers only allow a frame to navigate its “descendant” frames
Features Developed in Response to Guninski u Cross-origin network requests • Access-Control-Allow-Origin: <list of domains> – Typical usage: Access-Control-Allow-Origin: * - Allowing access to all other origins is not that insecure, since by default, browsers will not send cookies or other authentication info via cross-network requests u Cross-origin client-side communication • Client-side messaging via fragment navigation • postMessage (HTML5) Site B Site A Site A context Site B context slide 29
COMMUNICATION slide 30
postMessage u New API for inter-frame communication • postMessage(message,targetOrigin) – message: string or object sent to target frame – targetOrigin: URL of target frame being sent to u Supported in latest browsers slide 31
Example of postMessage Usage document.addEventListener("message", receiver); function receiver(e) { if (e.origin == “http://a.com") { … e.data … } } slide 32 Messages are sent to frames, not origins Method invoked on window receiving message See http://blog.teamtreehouse.com/cross-domain-messaging-with-postmessage Why is this needed? frames[0].postMessage(“Hello!”, “http://b.com”); b.com a.com c.com
Message Eavesdropping (1) frames[0].postMessage(“Hello!”) u With descendant frame navigation policy u Attacker replaces inner frame with his own, gets message slide 33
Message Eavesdropping (2) frames[0].postMessage(“Hello!”) u With any frame navigation policy, even child u Attacker replaces child frame with his own, gets message slide 34
But who sent the message? slide 35 • postMessage 2nd parameter specifies the target origin • This ensures the message is only sent to targets chosen by the sender • The sending origin is revealed to the recipient upon receiving the message, but must be checked
And If The Check Is Wrong? slide 36
The Postman Always Rings Twice A study of postMessage usage in top 10,000 sites u 2,245 (22%) have a postMessage receiver u 1,585 have a receiver without an origin check u 262 have an incorrect origin check u 84 have exploitable vulnerabilities • Received message is evaluated as a script, stored into localStorage, etc. https://www.cs.utexas.edu/~shmat/shmat_ndss13postm an.pdf slide 37 [Son and Shmatikov]

Empfohlen

Chapter 13 web security
Chapter 13 web securityChapter 13 web security
Chapter 13 web security
newbie2019
 
15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt
ssuserec53e73
 
526_topic08.ppt
526_topic08.ppt526_topic08.ppt
526_topic08.ppt
sajeedmalagi
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
 
Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
ssuserec53e73
 

Empfohlen

Chapter 13 web security
Chapter 13 web securityChapter 13 web security
Chapter 13 web security
newbie2019
 
15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt
ssuserec53e73
 
526_topic08.ppt
526_topic08.ppt526_topic08.ppt
526_topic08.ppt
sajeedmalagi
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
 
Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
ssuserec53e73
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
ssuserec53e73
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Divyanshu
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
shatrutrial44
 
Css
CssCss
Css
bismasheikh3
 
CSS.ppt
CSS.pptCSS.ppt
CSS.ppt
ssuserec53e73
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
Michael Freyberger
 
4.Xss
4.Xss4.Xss
4.Xss
phanleson
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdf
ssuser01066a
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
Sang Shin
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerations
Eoin Keary
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
Krishna T
 
Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
Andre N. Klingsheim
 
Rails Security
Rails SecurityRails Security
Rails Security
Jonathan Weiss
 
Attacking Web Proxies
Attacking Web ProxiesAttacking Web Proxies
Attacking Web Proxies
InMobi Technology
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
Threats in network that can be noted in security
Threats in network that can be noted in securityThreats in network that can be noted in security
Threats in network that can be noted in security
ssuserec53e73
 
Lsn21_NumPy in data science using python
Lsn21_NumPy in data science using pythonLsn21_NumPy in data science using python
Lsn21_NumPy in data science using python
ssuserec53e73
 

Weitere ähnliche Inhalte

Ähnlich wie 02-browser-sec-model-sop.pptx

Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
shatrutrial44
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 

Ähnlich wie 02-browser-sec-model-sop.pptx (20)

14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
 
Css
CssCss
Css
 
CSS.ppt
CSS.pptCSS.ppt
CSS.ppt
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
 
4.Xss
4.Xss4.Xss
4.Xss
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdf
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerations
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
 
Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Attacking Web Proxies
Attacking Web ProxiesAttacking Web Proxies
Attacking Web Proxies
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 

Mehr von ssuserec53e73

Threats in network that can be noted in security
Threats in network that can be noted in securityThreats in network that can be noted in security
Threats in network that can be noted in security
ssuserec53e73
 
Lsn21_NumPy in data science using python
Lsn21_NumPy in data science using pythonLsn21_NumPy in data science using python
Lsn21_NumPy in data science using python
ssuserec53e73
 
OpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityOpenSecure socket layerin cyber security
OpenSecure socket layerin cyber security
ssuserec53e73
 
Hash functions, digital signatures and hmac
Hash functions, digital signatures and hmacHash functions, digital signatures and hmac
Hash functions, digital signatures and hmac
ssuserec53e73
 
50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.ppt50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.ppt
ssuserec53e73
 

Mehr von ssuserec53e73 (20)

Threats in network that can be noted in security
Threats in network that can be noted in securityThreats in network that can be noted in security
Threats in network that can be noted in security
 
Lsn21_NumPy in data science using python
Lsn21_NumPy in data science using pythonLsn21_NumPy in data science using python
Lsn21_NumPy in data science using python
 
OpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityOpenSecure socket layerin cyber security
OpenSecure socket layerin cyber security
 
Hash functions, digital signatures and hmac
Hash functions, digital signatures and hmacHash functions, digital signatures and hmac
Hash functions, digital signatures and hmac
 
Asian Elephant Adaptations - Chelsea P..pptx
Asian Elephant Adaptations - Chelsea P..pptxAsian Elephant Adaptations - Chelsea P..pptx
Asian Elephant Adaptations - Chelsea P..pptx
 
Module 10-Introduction to OOP.pptx
Module 10-Introduction to OOP.pptxModule 10-Introduction to OOP.pptx
Module 10-Introduction to OOP.pptx
 
unit-1-l3.ppt
unit-1-l3.pptunit-1-l3.ppt
unit-1-l3.ppt
 
AI.ppt
AI.pptAI.ppt
AI.ppt
 
50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.ppt50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.ppt
 
Dr Jose Reena K.pdf
Dr Jose Reena K.pdfDr Jose Reena K.pdf
Dr Jose Reena K.pdf
 
Enumeration.pptx
Enumeration.pptxEnumeration.pptx
Enumeration.pptx
 
footscan.PPT
footscan.PPTfootscan.PPT
footscan.PPT
 
UNIT II.pptx
UNIT II.pptxUNIT II.pptx
UNIT II.pptx
 
Unit 1 iot.pptx
Unit 1 iot.pptxUnit 1 iot.pptx
Unit 1 iot.pptx
 
IoT Reference Architecture.pptx
IoT Reference Architecture.pptxIoT Reference Architecture.pptx
IoT Reference Architecture.pptx
 
patent ppt.pptx
patent ppt.pptxpatent ppt.pptx
patent ppt.pptx
 
Introduction to measurement.pptx
Introduction to measurement.pptxIntroduction to measurement.pptx
Introduction to measurement.pptx
 
ML-DecisionTrees.ppt
ML-DecisionTrees.pptML-DecisionTrees.ppt
ML-DecisionTrees.ppt
 
ML_Lecture_7.ppt
ML_Lecture_7.pptML_Lecture_7.ppt
ML_Lecture_7.ppt
 
070308-simmons.ppt
070308-simmons.ppt070308-simmons.ppt
070308-simmons.ppt
 

Kürzlich hochgeladen

Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Kürzlich hochgeladen (20)

Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 

02-browser-sec-model-sop.pptx

  • 1. Basic Web Security Model: The Same-Origin Policy and Implications Tyler Moore Many slides from John Mitchell, Stanford Web Security Group and Vitaly Shmatikov, Cornell CS 4413/6013: Secure Electronic Commerce Spring 2019 1
  • 2. Analogy Operating system • Primitives – System calls – Processes – Disk • Principals: Users – Discretionary access control • Vulnerabilities – Buffer overflow – Root exploit Web browser • Primitives – Document object model – Frames – Cookies / localStorage • Principals: “Origins” – Mandatory access control • Vulnerabilities – Cross-site scripting – Cross-site request forgery 2
  • 4. Content Comes from Many Sources u Scripts <script src=“//site.com/script.js”> </script> u Frames <iframe src=“//site.com/frame.html”> </iframe> u Stylesheets (CSS) <link rel=“stylesheet” type="text/css” href=“//site.com/theme.css" /> u Objects (Flash) - using swfobject.js script <script> var so = new SWFObject(‘//site.com/flash.swf', …); so.addParam(‘allowscriptaccess', ‘always'); so.write('flashdiv'); </script> slide 4 Allows Flash object to communicate with external scripts, navigate frames, open windows
  • 5. Browser Sandbox u Goal: safely execute JavaScript code provided by a website • No direct file access, limited access to OS, network, browser data, content that came from other websites u Same origin policy • Can only access properties of documents and windows from the same domain, protocol, and port u User can grant privileges to signed scripts • UniversalBrowserRead/Write, UniversalFileRead, UniversalSendMail slide 5
  • 6. Same Origin Policy (SOP) for DOM: Origin A can access origin B’s DOM if A and B have same (protocol, domain, port) Same Origin Policy (SOP) for cookies: Generally, based on ([protocol], domain, path) optional protocol://domain:port/path?params Same Origin Policy slide 6
  • 7. Setting Cookies by Server slide 7 scope • Delete cookie by setting “expires” to date in past • Default scope is domain and path of setting URL Browser Server GET … HTTP Header: Set-cookie: NAME=VALUE; domain = (when to send); path = (when to send); secure = (only send over HTTPS); expires = (when expires); HttpOnly if expires=NULL: this session only
  • 8. Viewing Cookies in Browser slide 8
  • 9. Both cookies stored in browser’s cookie jar, both are in scope of login.site.com cookie 1 name = userid value = test domain = login.site.com path = / secure cookie 2 name = userid value = test123 domain = .site.com path = / secure distinct cookies Cookie Identification slide 9 Cookies are identified by (name, domain, path)
  • 10. domain: any domain suffix of URL-hostname, except top-level domain (TLD) Which cookies can be set by login.site.com? login.site.com can set cookies for all of .site.com but not for another site or TLD Problematic for sites like .utulsa.edu path: anything allowed domains login.site.com .site.com disallowed domains user.site.com othersite.com .com SOP for Writing Cookies slide 10     
  • 11. Browser sends all cookies in URL scope: • cookie-domain is domain-suffix of URL-domain • cookie-path is prefix of URL-path • protocol=HTTPS if cookie is “secure” Goal: server only sees cookies in its scope GET //URL-domain/URL-path Cookie: NAME = VALUE SOP for Sending Cookies Browser Server slide 11
  • 12. Examples of Cookie SOP http://checkout.site.com/ http://login.site.com/ https://login.site.com/ cookie 1 name = userid value = u1 domain = login.site.com path = / secure cookie 2 name = userid value = u2 domain = .site.com path = / non-secure both set by login.site.com cookie: userid=u2 cookie: userid=u2 cookie: userid=u1; userid=u2 (arbitrary order; in FF3 most specific first) slide 12
  • 13. Cookie Protocol Issues u What does the server know about the cookie sent to it by the browser? u Server only sees Cookie: Name=Value … does not see cookie attributes (e.g., “secure”) … does not see which domain set the cookie • RFC 2109 (cookie RFC) has an option for including domain, path in Cookie header, but not supported by browsers slide 13
  • 14. u Alice logs in at login.site.com • login.site.com sets session-id cookie for .site.com u Alice visits evil.site.com • Overwrites .site.com session-id cookie with session-id of user “badguy” - not a violation of SOP! (why?) u Alice visits cs6013.site.com to submit homework • cs7403.site.com thinks it is talking to “badguy” u Problem: cs6013.site.com expects session-id from login.site.com, cannot tell that session-id cookie has been overwritten by a “sibling” domain Who Set The Cookie? slide 14
  • 15. Overwriting “Secure” Cookies u Alice logs in at https://www.google.com https://www.google.com/accounts u Alice visits http://www.google.com • Automatically, due to the phishing filter u Network attacker can inject into response Set-Cookie: LSID=badguy; secure • Browser thinks this cookie came from http://google.com, allows it to overwrite secure cookie slide 15 LSID, GAUSR are “secure” cookies
  • 16. Accessing Cookies via DOM u Same domain scoping rules as for sending cookies to the server u document.cookie returns a string with all cookies available for the document • Often used in JavaScript to customize page u Javascript can set and delete cookies via DOM – document.cookie = “name=value; expires=…; ” – document.cookie = “name=; expires= Thu, 01-Jan-70” slide 16
  • 17. Path Separation Is Not Secure Cookie SOP: path separation when the browser visits x.com/A, it does not send the cookies of x.com/B This is done for efficiency, not security! DOM SOP: no path separation A script from x.com/A can read DOM of x.com/B <iframe src=“x.com/B"></iframe> alert(frames[0].document.cookie); slide 17
  • 18. Caution: <script> tags exempt from Same-Origin Policy! u Same origin policy does not apply to directly included scripts (not enclosed in an iframe) • This script has privileges of A.com, not VeriSign – Can change other pages from A.com origin, load more scripts • Upshot: Never load an external script that you don’t completely trust with a <script> tag <script type="text/javascript" src=https://seal.verisign.com/getseal?host_name=A.com> </script> slide 18 VeriSign
  • 20. Frames and iFrames u Window may contain frames from different sources • frame: rigid division as part of frameset • iframe: floating inline frame u Why use frames? • Delegate screen area to content from another source • Browser provides isolation based on frames • Parent may work even if frame is broken <IFRAME SRC="hello.html" WIDTH=450 HEIGHT=100> If you can see this, your browser doesn't understand IFRAME. </IFRAME> slide 20
  • 21. u Each frame of a page has an origin • Origin = protocol://domain:port u Frame can access objects from its own origin • Network access, read/write DOM, cookies and localStorage u Frame cannot access objects associated with other origins A A B B A Browser Security Policy for Frames slide 21
  • 24. Cross-Frame Scripting u Frame A can execute a script that manipulates arbitrary DOM elements of Frame B only if Origin(A) = Origin(B) • Basic same origin policy, where origin is the protocol, domain, and port from which the frame was loaded u Some browsers used to allow any frame to navigate any other frame • Navigate = change where the content in the frame is loaded from • Navigation does not involve reading the frame’s old content u http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_win_frames slide 24
  • 25. Suppose the following HTML is hosted at site.com u Disallowed access <iframe src="http://othersite.com"></iframe> alert( frames[0].contentDocument.body.innerHTML ) alert( frames[0].src ) u Allowed access <img src="http://othersite.com/logo.gif"> alert( images[0].height ) or frames[0].location.href = “http://mysite.com/” Frame SOP Examples Navigating child frame is allowed, but reading frame[0].src is not slide 25
  • 27. Gadget Hijacking in Mashups top.frames[1].location = "http:/www.attacker.com/...“; top.frames[2].location = "http:/www.attacker.com/...“; ... slide 27
  • 28. Gadget Hijacking slide 28 Modern browsers only allow a frame to navigate its “descendant” frames
  • 29. Features Developed in Response to Guninski u Cross-origin network requests • Access-Control-Allow-Origin: <list of domains> – Typical usage: Access-Control-Allow-Origin: * - Allowing access to all other origins is not that insecure, since by default, browsers will not send cookies or other authentication info via cross-network requests u Cross-origin client-side communication • Client-side messaging via fragment navigation • postMessage (HTML5) Site B Site A Site A context Site B context slide 29
  • 31. postMessage u New API for inter-frame communication • postMessage(message,targetOrigin) – message: string or object sent to target frame – targetOrigin: URL of target frame being sent to u Supported in latest browsers slide 31
  • 32. Example of postMessage Usage document.addEventListener("message", receiver); function receiver(e) { if (e.origin == “http://a.com") { … e.data … } } slide 32 Messages are sent to frames, not origins Method invoked on window receiving message See http://blog.teamtreehouse.com/cross-domain-messaging-with-postmessage Why is this needed? frames[0].postMessage(“Hello!”, “http://b.com”); b.com a.com c.com
  • 33. Message Eavesdropping (1) frames[0].postMessage(“Hello!”) u With descendant frame navigation policy u Attacker replaces inner frame with his own, gets message slide 33
  • 34. Message Eavesdropping (2) frames[0].postMessage(“Hello!”) u With any frame navigation policy, even child u Attacker replaces child frame with his own, gets message slide 34
  • 35. But who sent the message? slide 35 • postMessage 2nd parameter specifies the target origin • This ensures the message is only sent to targets chosen by the sender • The sending origin is revealed to the recipient upon receiving the message, but must be checked
  • 36. And If The Check Is Wrong? slide 36
  • 37. The Postman Always Rings Twice A study of postMessage usage in top 10,000 sites u 2,245 (22%) have a postMessage receiver u 1,585 have a receiver without an origin check u 262 have an incorrect origin check u 84 have exploitable vulnerabilities • Received message is evaluated as a script, stored into localStorage, etc. https://www.cs.utexas.edu/~shmat/shmat_ndss13postm an.pdf slide 37 [Son and Shmatikov]