Origin Policy Enforcement in Modern Browsers

Similar documents
Browser code isolation

Match the attack to its description:

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

RKN 2015 Application Layer Short Summary

October 08: Introduction to Web Security

CSC 482/582: Computer Security. Cross-Site Security

WEB SECURITY: XSS & CSRF

Modern client-side defenses. Deian Stefan

W3Conf, November 15 & 16, Brad Scott

Content Security Policy

Secure Frame Communication in Browsers Review

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Defense-in-depth techniques. for modern web applications

Content Security Policy

HTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys

Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December

Robust Defenses for Cross-Site Request Forgery

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

So we broke all CSPs. You won't guess what happened next!

Acknowledgments... xix

WHY CSRF WORKS. Implicit authentication by Web browsers

Web basics: HTTP cookies

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Common Websites Security Issues. Ziv Perry

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Know Your Own Risks: Content Security Policy Report Aggregation and Analysis

Web Security: Vulnerabilities & Attacks

Web basics: HTTP cookies

last time: command injection

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Writing Secure Chrome Apps and Extensions

Protec'ng Java EE Web Apps with Secure HTTP Headers

More attacks on clients: Click-jacking/UI redressing, CSRF

BOOSTING THE SECURITY

Extending the browser to secure applications

CS 161 Computer Security

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

iframe programming with jquery jquery Summit 2011

The Multi-Principal OS Construction of the Gazelle Web Browser. Helen J. Wang, Chris Grier, Alex Moshchuk, Sam King, Piali Choudhury, Herman Venter

Northeastern University Systems Security Lab

Abusing JSONP with. Michele - CVE , CVE Pwnie Awards 2014 Nominated

Founded the web application security lab

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Web Browser Security. CSC 482/582: Computer Security Slide #1

Web Security. Aggelos Kiayias Justin Neumann

The Evolution of Chrome Security Architecture. Huan Ren Director, Qihoo 360 Technology Ltd

Security. CSC309 TA: Sukwon Oh

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

Using HTTPS - HSTS, TLS, HPKP, CSP and friends

HTTP Security Headers Explained

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Web Security: XSS; Sessions


BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

Moving your website to HTTPS - HSTS, TLS, HPKP, CSP and friends

Requirements from the Application Software Extended Package for Web Browsers

JOE WIPING OUT CSRF

WAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Django-CSP Documentation

The security of Mozilla Firefox s Extensions. Kristjan Krips

7.2.4 on Media content; on XSS) sws2 1

JOE WIPING OUT CSRF

EasyCrypt passes an independent security audit

Web Security. advanced topics on SOP. Yan Huang. Credits: slides adapted from Stanford and Cornell Tech

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

User Interaction: jquery

Unusual Web Bugs. A Web App Hacker s Bag O Tricks. Alex kuza55 K.

Cross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft

Some Facts Web 2.0/Ajax Security

CS 161 Computer Security

Jinx Malware 2.0 We know it s big, we measured it! Itzik Kotler Yoni Rom

Client 2. Authentication 5

CIT 480: Securing Computer Systems

Neat tricks to bypass CSRF-protection. Mikhail

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

CS 161 Computer Security

Client-side Debugging. Gary Bettencourt

Computer Security CS 426 Lecture 41

Finding Vulnerabilities in Web Applications

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns

Cookie Security. Myths and Misconceptions. David Johansson OWASP London 30 Nov. 2017

Sandboxing JavaScript. Lieven Desmet iminds-distrinet, KU Leuven OWASP BeNeLux Days 2012 (29/11/2012, Leuven) DistriNet

s642 web security computer security adam everspaugh

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

Protecting Users by Confining JavaScript with COWL

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst

HTML5 a clear & present danger

Attacks on Clients: JavaScript & XSS

Information Security CS 526 Topic 11

Abusing JSONP with Rosetta Flash

Eradicating DNS Rebinding with the Extended Same-Origin Policy

CS 5450 HTTP. Vitaly Shmatikov

Transcription:

Origin Policy Enforcement in Modern Browsers A Case Study in Same Origin Implementations Frederik Braun Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 1 / 32

Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is the Same Origin Policy? What is an Origin? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Other/Better Security Policies CSP iframe Sandbox 6 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 2 / 32

Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is the Same Origin Policy? What is an Origin? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Other/Better Security Policies CSP iframe Sandbox 6 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 3 / 32

Frederik Braun Dipl. Ing. in IT-Security at Ruhr-Uni Bochum (2012) this research! https://frederik-braun.com/thesis Security Engineer at Mozilla in Berlin likes to play CTFs (hi FluxFingers!) willing to answer questions :) Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 4 / 32

Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is the Same Origin Policy? What is an Origin? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Other/Better Security Policies CSP iframe Sandbox 6 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 5 / 32

Ambient Authentication Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 6 / 32

The Severity of a Same Origin Policy Bypass Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 7 / 32

Our Scope My Thesis - This Talk The Same Origin Policy Formal Definition Actual Implementation Exceptions & Loopholes Other Policies Analysis of Previous Bugs Classification Bug Hunting Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 8 / 32

Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is the Same Origin Policy? What is an Origin? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Other/Better Security Policies CSP iframe Sandbox 6 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 9 / 32

The Same Origin Policy (SOP) An origin (...) is often used as the scope of authority or privilege by user agents. Barth The same-origin policy is the most important mechanism we have to keep hostile web applications at bay, but it s also an imperfect one. Zalewski Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 10 / 32

What is an Origin? http://www.example.com:8080/ scheme hostname port origin Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 11 / 32

Examples Compare for http://www.example.com/ URL http://www.example.com/help same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

Examples Compare for http://www.example.com/ URL http://www.example.com/help same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

Examples Compare for http://www.example.com/ URL http://www.example.com/help https://www.example.com/ same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

Examples Compare for http://www.example.com/ URL http://www.example.com/help https://www.example.com/ same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

Examples Compare for http://www.example.com/ URL http://www.example.com/help https://www.example.com/ about:blank same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

Examples Compare for http://www.example.com/ URL http://www.example.com/help https://www.example.com/ about:blank same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

Examples Compare for http://www.example.com/ URL http://www.example.com/help https://www.example.com/ about:blank http://www.example.com:8000/phpmyadmin same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

Examples Compare for http://www.example.com/ URL http://www.example.com/help https://www.example.com/ about:blank http://www.example.com:8000/phpmyadmin same-origin? / a a Internet Explorer doesn t care about ports. Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

JavaScript Object Hierarchy window history document location frames frame (ebay) frame (amazon) Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 13 / 32

No Way Out? - Exceptions Cookies window.location setter window.name persists document.domain Internet Explorer Zones CORS JSONP... Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 14 / 32

SOP Wrap-Up Summary read access vendor specific JavaScript Engine (Object Capability) vs. DOM (Access Control) the SOP is highly inhomogenous no consistent reference implementation Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 15 / 32

Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is the Same Origin Policy? What is an Origin? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Other/Better Security Policies CSP iframe Sandbox 6 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 16 / 32

All SOP Flaws are alike (CVE-2007-0981) Browser harmless.com\x00.attacker.com Server B harmless.com JavaScript, UTF-16 Server A DNS, ASCIIZ attacker.com Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 17 / 32

All SOP Flaws are alike (CVE-2010-2179) Browser http://attacker.com@harmless.com Server B harmless.com Flash Plugin Server A HTTP API attacker.com Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 18 / 32

All SOP Flaws are alike (CVE TBA) Browser jar:http://harmless.com/foo.odt Server B harmless.com Java URL Handler Server A HTTP API attacker.com Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 19 / 32

Demo Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 20 / 32

Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is the Same Origin Policy? What is an Origin? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Other/Better Security Policies CSP iframe Sandbox 6 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 21 / 32

Content Security Policy (CSP) Content Security Policy Security Header Whitelist approach for resource inclusion XSS Mitigation The cool kids do it Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 22 / 32

Example: A quite strict policy Content-Security-Policy: default-src: self ; img-src: https://static.example.org; script-src: https://static.example.org google-analytics.com Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 23 / 32

CSP Adoption Inline JavaScript On more than 96% of the web No easy way to safely allow inline JavaScript with CSP 1.0 Disadvantages with CSP 1.1 proposals for inline JS Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 24 / 32

Safe Content Inclusion <iframe sandbox> Displaying content. That s it. can be reduced with allow- values in the attribute Browser adoption is a problem Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 25 / 32

Partial Sandbox Bypass in Mozilla Firefox with allow-scripts set if (top!= window) { top.location = window.location; } non-unique origin. popups, forms, plugins allowed. Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 26 / 32

Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is the Same Origin Policy? What is an Origin? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Other/Better Security Policies CSP iframe Sandbox 6 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 27 / 32

Conclusion: Same Origin Policy an inconsistent policy vendor specific theoretically, it s a black list plugins late 2012: Java in nearly 70% of all browsers but only 0.2% of websites 2013: exploits, Click-To-Play,.. But: There are safe & well designed security models on the horizon Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 28 / 32

Future Work: Automation? Picture by Jason Huggins on flickr Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 29 / 32

This same origin policy is the dumbest thing ever.... All this protection serves to do is aggravate legitimate developers trying to get JavaScript to do the simplest of tasks. Somebody on stackoverflow.com Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 30 / 32

Thanks

References Barth, Adam. The web origin concept. http://tools.ietf.org/html/rfc6454, December 2011. Q-Success. Usage of client-side programming languages for websites. http://w3techs.com/technologies/overview/client side language/all. Last visited 2012-10-17. Michal Zalewski. The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, November 2011. For all references please see full thesis on https://frederik-braun.com/thesis Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 32 / 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback