The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites Paper by Sooel Son and Vitaly Shmatikov, The University of Texas.

Slides:



Advertisements
Similar presentations
Operating System Security
Advertisements

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
EECS 354 Network Security Cross Site Scripting (XSS)
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.
Attacking Session Management Juliette Lessing
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security of Mobile Applications Vitaly Shmatikov CS 6431.
Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2
HTML5 Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
SCRIPT LESS ATTACKS STEALING THE PIE WITHOUT TOUCHING THE SILL.
Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.
I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan §, Yinzhi Cao †,
A Crawler-based Study of Spyware on the Web Authors: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, and Henry M. Levy University of Washington 13.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen UC Davis.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen (UC Davis) ACM Conference on Computer and Communications.
18-jan-962. ETH-W4 (ra)1 security on the Web l security l authentication l privacy.
Robust Defenses for Cross-Site Request Forgery
2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.
SMash : Secure Component Model for Cross- Domain Mashups on Unmodified Browsers WWW 2008 Frederik De Keukelaere et al. Presenter : SJ Park.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.
THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
Vaibhav Rastogi and Yi Yang.  SOP is outdated  Netscape introduced this policy when most content on the Internet was static  Differences amongst different.
Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.
Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Web Server.
 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.
No Escape From Reality: Security and Privacy of Augmented Reality Browsers WWW '15.
1 Utkarsha MishraCOMPSCI 725 David Silver, Suman Jana, Eric Chen, Collin Jackson, and Dan Boneh. “Password Managers: Attacks and Defenses.” In Proceedings.
Cloud Environment Spring  Microsoft Research Browser (2009)  Multi-Principal Environment with Browser OS  Next Step Towards Secure Browser 
Security API discussion Group Name: SEC Source: Shingo Fujimoto, FUJITSU Meeting Date: Agenda Item: Security API.
The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5Websites Sooel Son and Vitaly Shmatikov The University of Texas at Austin 20.
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure Paper By : V.T.Lam, S.Antonatos, P.Akritidis, K.G.Anagnostakis Conference : ACM.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
Browser code isolation John Mitchell CS 155 Spring 2016.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.
Database and Cloud Security
An Introduction to Web Application Security
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Analyzing WebView Vulnerabilities in Android Applications
The New Virtual Organization Membership Service (VOMS)
Browser code isolation
Riding Someone Else’s Wave with CSRF
Exploring DOM-Based Cross Site Attacks
Cross-Site Scripting Attack (XSS)
Cross Site Request Forgery (CSRF)
Presentation transcript:

The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites Paper by Sooel Son and Vitaly Shmatikov, The University of Texas at Austin, NDSS 2013.

Outlin Introduction Security risk of postMessage Consequences of postMessage abuse Analysis Defense Conclusion

Same Origin Policy Web security is based on the same origin policy (SOP). SOP of browsers disallows scripts loaded from one origin to access another origin. Two sites do not belong to same origin if they differ in at least one of the three- protocol, domain name or port number.

postMessage When a webpage integrates content from multiple origins, it is often convenient or even necessary for frames from different origins to communicate with each other. HTML5, includes the postMessage facility relaxes the same origin policy by providing a structured mechanism for cross-origin communication. It enables a script to send a message to a window regardless of their respective origins.

Using postMessage A frame at embeds an inner frame from a different origin,

Security Risks of postMessage Careless use of postMessage is fraught with danger. Cross-document messaging is considered the top HTML5 security threat Threat Model Light Heavy

Light threat model siteA adds third-party content from siteB and siteC by including scripts from these sites. These scripts run in siteA’s origin and create inner frames whose origins are siteB and siteC, respectively.

Light threat model This setup opens a hole in the same origin policy.

Light threat model The postMessage mechanism does not guarantee that messages sent to siteB actually come from siteA. If a malicious page includes siteA as a (possibly invisible) frame, it can send messages to both siteA and its descendant third-party frames.

Heavy threat model Third-party content may use the data from received messages in executable scripts or write it into local storage. This may give the attacker a way to inject malicious code into the content provider’s origin.

Consequences of postMessage abuse This shows an exploit against the front page of people.com. The front page of people.com was altered with the NDSS 2013 Call for Papers and the photos of the authors of this paper.

Consequences of postMessage abuse Incorrect check The check accepts messages from any origin ending in “jumptime.com”, e.g., eviljumptime.com resulting in injection of arbitrary scripts into any page that includes the jumptime.com script. This page includes a third-party script from jumptime.com

Analysis They analyzed the front pages of the Alexa top 10,000 websites and found 2,245 distinct hosts using postMessage.

Analysis The total number of hosts that include postMessage receivers with an incorrect or missing origin check is 1,712(some hosts include multiple receivers). A receiver with a missing or incorrect origin check has an exploitable vulnerability if it allows the attacker to (1) inject a script, or (2) read or write local storage. 13 distinct receivers with exploitable vulnerabilities were found. These receivers compromise the security of 84 different hosts.

DEFENSES

Origin-based defense for third-party content This defense protects against the “light” threat model Only the origin that loaded a third-party frame can send messages to this frame Establishing a shared secret token between the frame belonging to the site owner (siteOwner) and the inner frame belonging to the third-party content provider (provider). Scripts from any origin other than siteOwner or provider are prevented from reading the token by the same origin policy.

Origin-based defense for third-party content Authenticating messages to third-party frames: – The outer script generates a 64-bit pseudo-random htoken. – When the outer script attach the shared secret token to the message data while sending a message to the inner frame via postMessage. – The postMessage request must also restrict the origin of the recipient to the provider’s origin. – The inner frame checks whether their data contains the same token as the src attribute of the frame.

123

Origin-based defense for third-party content Authenticating messages from third-party frames: – To enable the hosting page to receive messages from the provider’s frame, the outer script may attach a message receiver to this page. – Authentication is much simpler in this receiver because the correct origin of the messages is always the provider.

Frame-based defense for third-party content Only the immediate parent of the third-party frame can send messages to this frame The property guaranteed by this defense does not allow the third-party content to receive messages from sibling frames that belong to the same origin

Defenses for the “heavy” threat model Third-party content providers must carefully examine what their receivers do in response to received messages. If the receiver performs potentially dangerous operations such as eval on the data from received messages, it must consider the possibility that the message may be malicious. Messages sent to other frames should not contain sensitive information and their recipient origin should be restricted.

Defense for site owners This is based on a simple extension of Content Security Policy (CSP). It instructs Web browsers how to confine the origins of Web resources. For example, the following CSP tells the browser to fetch or execute scripts only from or the site itself.

Conclusion The postMessage mechanism relaxes the same origin policy but leads more causion for security. They proposed a simple defense that allows third- party content to authenticate the source of messages received via postMessage. Another complementary defense, based on a Content Security Policy extension, for pages that include third-party content is also described.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.