Secure Frame Communication in Browsers Review

Similar documents
Robust Defenses for Cross-Site Request Forgery Review

A Security Evaluation of DNSSEC with NSEC Review

Robust Defenses for Cross-Site Request Forgery

Robust Defenses for Cross-Site Request Forgery

A Look Back at Security Problems in the TCP/IP Protocol Suite Review

A Survey of BGP Security Review

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

The security of Mozilla Firefox s Extensions. Kristjan Krips

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions

Copyright

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

P2_L12 Web Security Page 1

CS 161 Computer Security

Security Course. WebGoat Lab sessions

COMP9321 Web Application Engineering

Evaluating the Security Risks of Static vs. Dynamic Websites

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

Running Remote Code is Risky. Why Study Browser Security. Browser Sandbox. Threat Models. Security User Interface.

COMP9321 Web Application Engineering

Finding Vulnerabilities in Web Applications

Network Security - ISA 656 Web Security

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

COMP9321 Web Application Engineering

DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Web Security II. Slides from M. Hicks, University of Maryland

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Bank Infrastructure - Video - 1

Portal Recipient Guide. The Signature Approval Process

ISO/IEC Common Criteria. Threat Categories

Web basics: HTTP cookies

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Match the attack to its description:

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Web Security. advanced topics on SOP. Yan Huang. Credits: slides adapted from Stanford and Cornell Tech

Security and Privacy

Acronis Data Cloud Version 7.8

WEB SECURITY: XSS & CSRF

Password Managers: Attacks and Defenses

Browser code isolation

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

EasyCrypt passes an independent security audit

Introduction. Logging in. WebMail User Guide

Web Application Security. Philippe Bogaerts

Web basics: HTTP cookies

Information Security CS 526 Topic 11

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Origin Policy Enforcement in Modern Browsers

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

RKN 2015 Application Layer Short Summary

Phishing in the Age of SaaS

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Introduction. Logging in. WebQuarantine User Guide

C1: Define Security Requirements

Vidder PrecisionAccess

Chrome Extension Security Architecture

Security Philosophy. Humans have difficulty understanding risk

s642 web security computer security adam everspaugh

CS 142 Winter Session Management. Dan Boneh

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

CSCE 813 Internet Security Case Study II: XSS

Combating Common Web App Authentication Threats

User Guide. esign Emcee is a trademark of esign Emcee. All other trademarks are the property of their respective owners.

Tabular Presentation of the Application Software Extended Package for Web Browsers

Vulnerabilities in online banking applications

Information Security CS 526 Topic 8

Web Security: Vulnerabilities & Attacks

CIS 4360 Secure Computer Systems XSS

Content Security Policy

OAuth securing the insecure

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

Progress Exchange June, Phoenix, AZ, USA 1

How to perform the DDoS Testing of Web Applications

Browser Support Internet Explorer

CS 161 Computer Security

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems


YU Kaltura Media Package User's Guide For version 1.1.x. Written by Media and Information Technology Center, Yamaguchi University.

ICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

SMash: Secure Cross-Domain Mashups on Unmodified Browsers. Frederik De Keukelaere, Sumeer Bhola, Michael Steiner, Suresh Chari, Sachiko Yoshihama

Solutions Business Manager Web Application Security Assessment

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

CSCE 120: Learning To Code

Cryptographic Protocols 1

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

OpenAjax Hub 1.1 & SMash (Secure Mashups)

CSE484 Final Study Guide

LET S TALK MONEY. Fahad Pervaiz. Sam Castle, Galen Weld, Franziska Roesner, Richard Anderson

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

Information Security CS 526

Transcription:

Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being interesting It is common to find content from various sources embedded within a given website. Such a website is called a mashup. The software which performs this binding is called the integrator and the data which is embedded is called the gadget. There are two types of mashups which are mentioned below: 1. In this the integrator does not communicate with the mashup. 2. In this the integrator communicates with the mashup. In this paper the authors try to explore the problem of separating trusted and untrusted web applications but simultaneously trying to establish secure communication between them. Though browsers same origin policy does not allow the data in one frame to modify data in another frame. Yet the same policy cannot be used for one frame trying to navigate another frame, as navigation is essential to support communication between frames.the attacker takes advantage of such a policy of browsers to attack this communication,such an attack has been demonstrated in the paper against Google AdSense login page and igoogle gadget aggregator. The paper explores ways to make the browser s frame navigation rules stringent and simultaneously accommodating present websites. The topic is interesting as there is an increasing need to protect user privacy while the users browser content from sites containing third party content. 2 Questions that the paper asks and how are those questions interesting The paper explores ways to make the browser s frame navigation policy stringent and simultaneously accommodating present websites. The question is interesting as there is an increasing need to protect user privacy while the users browser content from sites containing third party content. 3 How does it answer the questions The paper answers the questions by first describing the Threat model employed. The Threat Model is given below: 1. Web Attacker: A user uses the web browser to view content from trusted websites. An attacker breaches the users privacy by changing the state of the web browser to disrupt the users session. The threat model defines the web attacker as the one who has some computers and a server under his control. The following are the capabilities of the web attacker: 1

(a) The web attacker may play the role of an client or server. The authors assume attacker.com to be the web attackers server. The attacker can operate over HTTPS as it has obtained the digital certificate from a certification authority. Man in the middle attack is ruled out from this attack model. (b) The web attacker is confined to the browsers policy and does not do anything to bypass this policy. 2. Gadget Attacker: The gadget attacker has the capability to force the integrator to embed a gadget of its choice. The following threats are not included in the threat model: 1. Phishing: The attacker in this threat model does not try to get users information by masquerading as a trustworthy website. Hence this threat model rules out phishing. 2. XSS or Cross Site Scripting Attacks: The attacker in this threat model does not try to inject malicious scripts into web pages viewed by other users. Hence this threat model rules out Cross Site Scripting Attacks. Web applications can embed frames from third party content. The frame whose URL is displayed in the browser is known as a top-level frame. Whereas the location of subframes is not shown in the browser. The lock icon is displayed in the browser only in the case when all the frames are using HTTPS protocol. Most the browsers adopt the same origin policy, whereby the web pages belonging to the same website are permitted to access each others functions and properties. For performing navigation between frames the author states that the browsers prior to 1999 adopted a permissive policy, which states that a frame can navigate any other frame. Due to the permissive policy of the web browsers which gives any frame the capability to navigate any other frame, an attacker can navigate an honest log-in frame, replacing the login frame with the attacker s login frame, which is alike to the actual log-in frame. Thus the attacker is able to get the users account information. In order to circumvent the loopholes in the permissive policy of the web browsers, Mozilla implemented a stringent policy known as Window Policy. According to the Window Policy a frame has the capability to navigate only the frames in its own window. This policy was adopted to prevent an attacker from navigating frames belonging to an honest website. The loophole in the Window Policy is that it assumes that an honest principle will embed only honest frames. But practically this does not happen, as shown in the scenarios below: 1. Aggregators: igoogle, My Yahoo, etc embed third party content. Such sites are called mashup. These mashup depend on the browsers policy to protect them from malicious third parties. 2. Advertisements: Sites embed third party advertisements into their top frame. Hence such sites are also mashups. Such sites also depend on the browsers policy to protect them from an attacker, who controls the advertisement frame. Since the mashups do embed content from malicious third parties, hence this gives the attacker the ability to perform a gadget hijacking attack. The below mentioned are the ways in which an attacker may exploit the mashups vulnerabilities: 1. Exploiting Loopholes in an Aggregator: Consider the case when igoogle embeds the login form of a bank. In order to carry out the attack, an attacker may replace the bank s frame with his gadget, and thus steal the users credentials such as passwords. 2. Expoiting Loopholes in web pages containing advertisements: Any attacker s advertisement frame can potentially navigate the other advertisement frames to his frame, thus taking away the other advertisers impressions. Some of the policies adopted by browser vendors are mentioned below: 2

1. Descendant Policy:In this policy, a frame is capable to navigating only its descendants. In this policy the child frame is prohibited from navigating its parent frame, but the vice versa is possible. However, the loophole in this policy is that a frame can navigate its siblings by writing malicious code into its parent. 2. Child Policy: In this policy, a frame is capable of navigating only its children. In this policy the parent frame may navigate only its child frame but the vice versa is not possible. The loophole in this policy is frame can still draw over its grandchild frame. Also this policy is not compatible with many sites, thus reducing its applicability. In order to overcome the loopholes present in the above two policies the author suggests that the browser should accept a frame s navigation request only if current frame s origin is the same as that of the requesting frames origin. In order to verify this policy of origin propagation the authors implemented this policy in Safari, Firefox, Flash and Opera. Yelp is a website which embeds Google Maps to show the location of business centers. Google Maps can be embedded into Yelp s top frame in two ways: Frame or Script. In order to display locations interactively Yelp needs to perform a high percentage of inter-frame communication with Google Maps. There are many websites like Yelp which need to perform inter-frame communication. Thus in order to perform inter-frame communication, two methods are employed which are mentioned below: 1. Frame Identifier Channel: An example of how messages can be communicated between frames is (Reference: Secure Frame Communication in Browsers by Adam Barth et.al.): Suppose the current value of frames[0].location is: frames[0].location= http://example.com/doc Now a message can be passed to this frame by adding the message after the # sign: frames[0].location= http://example.com/doc#message ; The above way of passing messages between frames is known as inter-frame communication through a Frame Identifier Channel. The frame identifier channel does provide confidentiality but not authentication. The author explains the channel by drawing an analogy with a public key channel. This analogy is described below: Microsoft uses Frame Identifier Channel for inter-frame communication in Windows.Live.Channels API. Microsoft employs the following protocol which is analogous to the Needham-Schroeder protocol (Reference: Secure Frame Communication in Browsers by Adam Barth et.al.): A ->B: N A, URI A B ->B: N A, N A A ->B: N B, Message 1 Here A and B are frames, N A and N B are random numbers and URI A is the uniform resource identifier of A. Frame Identifier Channel also suffers from Lowe anomaly, which was also present in Needham- Schroeder protocol. This anomaly is given below (Reference: Secure Frame Communication in Browsers by Adam Barth et.al.): Integrator ->Attacker: N I, URI I Attacker ->Gadget: N I, URI I Gadget ->Integrator: N G, Message I In this the attacker in the guise of the gadget takes N I from the integrator. The attacker then gives this value of N I to the Gadget and passes the value received to the integrator, the integrator in turn gives the gadget the value of N G and Message 1.Lowe s improvement of Needham-Schroeder protocol can be applied in order to circumvent this attack. Lowe s improvement states that each agent should include its identity while passing messages in the protocol. This improvement is mentioned below (Reference: Secure Frame Communication in Browsers by Adam Barth et.al.): A ->B: N A, URI A B ->A: N A,N B, URI A A ->B: N B... 3

A ->B: N A,N B, Message i B ->A: N A,N B, Message j 2. postmessage Channel: HTML5 introduced the postmessage method. postmessage method is used to pass messages between frames. For example, in order to pass message, the sender calls the postmessage method as given below (Reference: Secure Frame Communication in Browsers by Adam Barth et.al.): frames[0].postmessage( Hello ); An event is then generated in the recipient frame to indicate that a message has arrived for the recipient frame. Apart from the message this event contains information about the sender and a pointer to sender. The postmessage channel does provide authentication as the sender can be accurately determined by verifying the cryptographic signature, but the channel does not provide confidentiality, the attacker can thus exploit this weakness of the channel. Some of the attacks are mentioned below: (a) Recursive Mashup Attack: An integrator passes a message to an embedded gadget. An attacker can intercept this message by first loading the integrator inside a frame and then navigating the gadget to attacker.com, which then intercepts the message. This attack can be prevented by first checking if top!=self. If this condition is true then the browser should not render the frame, as the true condition indicates that the integrator is within a frame, and hence prone to attack. (b) Reply Attack: In this attack the Gadget sends a message to the integrator, an attacker can intercept the integrators reply by first framing the gadget and then navigating the gadget to attacker.com, which then intercepts the message. In order to secure the postmessage method the authors propose an API called CommRequest. CommRequest aids to provide confidentiality to postmessage, as CommRequest gives the message only to the intended recipient. 4 Methodology used to investigate the paper The methodology used to investigate the paper is a case study based approach. 5 What I learned from the paper I learned some of the modification which can be made to the frame navigation policy in order to make it secure. 6 How the paper relates to previous work The paper relates to the following previous work: 1. SMash (Reference: Subspace: Secure cross-domain communication for web mashups by Collin Jackson et.al.) is a technique which makes navigation decisions based on frame hierarchy and events. But this method is vulnerable to denial of service attack. Also it takes SMash 20 seconds to generate a response, which an attacker can take advantage of to launch a attack. In contrast to this the modifications proposed in this paper don t suffer from these disadvantages. 2. Another method to prevent an attacker from attacking mashups is to avoid using frames and to put the gadgets and integrators in a single web page by writing code for them safe subsets of HTML and JavaScript. However writing code for such pages becomes difficult as now the developer has to avoid all the pitfalls. The authors feel that frame based web pages will continue to be used because of the safer implementation of postmessage. 4

7 Strengths of the paper I like the analogy of public-key channel which the author gives for the frame identifier channel. The authors give the analogy of Lowe s anomaly in Needham-Schroeder protocol to describe the loopholes in frame identifier channel. I like this approach of the author as by understanding the anomaly I am able to understand the flaws in frame identifier channel and also the need to make it secure. 8 Weaknesses of the paper In the paper the authors state that browsers should adopt origin propagation. Then they the state that Additional navigations do not sacrifice security because an attacker can perform navigations indirectly (Reference: Secure Frame Communication in Browsers by Adam Barth et.al.). I find this statement contradictory as if the attackers can perform navigations then the application surely has vulnerabilities, which makes it insecure. 9 Results The authors propose improvements inter-frame communication methods namely, frame-identifier messaging and postmessage methods in order to make inter-frame communication secure. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback