The Emperor's New APIs: On the (In)Secure Usage of New Client-side Primitives. Devdatta Akhawe, Steve Hanna, Eui Chul Richard Shin, Dawn Song, Arman Boehm, Prateek Saxena.
1 The Emperor's New APIs: On the (In)Secure Usage of New Client-side Primitives
Devdatta Akhawe, Steve Hanna, Eui Chul Richard Shin, Dawn Song, Arman Boehm, Prateek Saxena
University of California, Berkeley

2 New Web Primitives
New HTML5 primitives enhance the user experience
Facebook Connect, Google Friend Connect
–Identity provider, rich user experience

3 Changing Web Landscape
Web applications are changing to meet consumer needs
Application logic is shifting to the client side
Users' expectations are changing
–Demand greater functionality
–Platform flexibility

4 Goals
Two representative examples
–postMessage: a secure channel for cross-origin communication
–localStorage: a client-side database primitive
Are these new primitives used securely in practice?

5 Contributions
A study of new client-side primitive use in practice
–We examine two representative client-side primitives
–Provide evidence of the pervasiveness of attacks
Principles from lessons learned
–Discussed vulnerabilities with vendors
–We propose Economy of Liabilities as a guiding principle
Suggested enhancements
–postMessage and client-side storage enhancements

6 Outline
postMessage Case Study
localStorage Case Study
Discussion with Vendors
Suggested Enhancements
Conclusion

7 postMessage Overview
postMessage is used for cross-origin communication
–Avoids the limitations of AJAX (same-origin only) and of routing everything through server-to-server communication
Usage: targetWindow.postMessage(msg, targetOrigin)
Example exchange between MyWeatherApp.com (sender) and Weather.com (receiver):
–MyWeatherApp.com → Weather.com: To: Weather.com, Origin: MyWeatherApp.com, Data: "get_weather(94710)"
–Weather.com → MyWeatherApp.com: To: MyWeatherApp.com, Origin: Weather.com, Data: "Sunny,75"

8 Secure Channel Abstraction
otherWindow.postMessage(msg, targetOrigin)
postMessage guarantees confidentiality and authenticity
–Confidentiality: the sender specifies the recipient's origin (targetOrigin); the browser delivers only if the target window currently has that origin
»targetOrigin can be '*', which is a broadcast: delivered whatever origin the window holds
–Authenticity: the browser attributes the message with the sender's origin (event.origin); the sender cannot forge it
Key point: these guarantees only help if the application checks targetOrigin and event.origin. If the checks are omitted, the security of postMessage is not assured.

9 Default Fail-Open Design
Sample postMessage usage from the Mozilla Dev Center (the origin strings did not survive in this transcript and are shown as placeholders):

Running on the sender's origin:
    var popup = window.open(/* popup details */);
    popup.postMessage("hi!", "<receiver origin>");   // targetOrigin

Running on the receiver's origin:
    window.addEventListener("message", getMessage, false);
    function getMessage(event) {
      if (event.origin !== "<sender origin>") return;   // origin check
      alert(event.data);
    }

What happens if the origin check is removed?

10 Default Fail-Open Design
Sample postMessage usage from the Mozilla Dev Center, with the origin check removed:

Running on the sender's origin:
    var popup = window.open(/* popup details */);
    popup.postMessage("hi!", "<receiver origin>");   // targetOrigin

Running on the receiver's origin:
    window.addEventListener("message", getMessage, false);
    function getMessage(event) {
      /* origin check snipped */
      alert(event.data);
    }

The application functionality remains the same! The honest sender's messages are still delivered, so nothing in normal testing reveals that any window holding a reference to the receiver can now inject data: the primitive fails open.
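The channel of slides 7 to 10, as an added example that is not code from the paper or the slides: an offline model of the browser's postMessage delivery rules (targetOrigin filtering on the sender side, browser-attributed event.origin on the receiver side), used to show that a receiver without the origin check behaves identically for the honest sender and accepts input from an attacker window, and that a targetOrigin of '*' leaks to a frame that has been navigated to another origin. The window origins, message contents and helper names are assumptions for illustration.

```javascript
// Added example, not code from the paper or the slides: an offline model of the
// browser's postMessage channel, so that the fail-open behaviour of a receiver
// without an origin check can be demonstrated end to end. Window origins and
// message contents are assumptions for illustration.

class Win {
  constructor(origin) {
    this.origin = origin;   // origin the browser currently attributes to this window
    this.listeners = [];
    this.received = [];     // data the handler in this window accepted
  }
  addEventListener(type, fn) {
    if (type === 'message') this.listeners.push(fn);
  }
  // Model of `targetWindow.postMessage(data, targetOrigin)` called from `sender`.
  // Confidentiality: the browser delivers only if targetOrigin is '*' or equals
  // the receiver's *current* origin. Authenticity: the browser, not the sender,
  // fills in event.origin, so it cannot be forged.
  postMessageFrom(sender, data, targetOrigin) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    const event = { data, origin: sender.origin, source: sender };
    for (const fn of this.listeners) fn(event);
    return true;
  }
}

// Receiver with the origin check from the MDC sample (fail-closed).
function checkedHandler(win, expectedOrigin) {
  return function getMessage(event) {
    if (event.origin !== expectedOrigin) return;   // origin check
    win.received.push(event.data);
  };
}

// Receiver with the check removed (slide 10): identical for the honest sender,
// but now any window that holds a reference to the receiver can feed it data.
function uncheckedHandler(win) {
  return function getMessage(event) {
    win.received.push(event.data);
  };
}

// Returns the data the Weather.com window accepted, with or without the check.
function receiverScenario(withCheck) {
  const weather = new Win('https://weather.example');       // assumed origins
  const app = new Win('https://myweatherapp.example');
  const attacker = new Win('https://attacker.example');
  weather.addEventListener('message',
    withCheck ? checkedHandler(weather, app.origin) : uncheckedHandler(weather));
  weather.postMessageFrom(app, 'get_weather(94710)', weather.origin);   // honest
  weather.postMessageFrom(attacker, 'get_weather(00000)', '*');         // injected
  return weather.received;
}

// Sender side: what a precise targetOrigin buys. The app holds a reference to a
// frame that has since been navigated to an attacker origin; '*' still delivers.
function senderScenario() {
  const app = new Win('https://myweatherapp.example');
  const frame = new Win('https://weather.example');
  frame.origin = 'https://attacker.example';   // frame navigated; reference kept
  const attackerSaw = [];
  frame.addEventListener('message', (e) => attackerSaw.push(e.data));
  const viaWildcard = frame.postMessageFrom(app, 'session=abc123', '*');
  const viaExact = frame.postMessageFrom(app, 'session=abc123', 'https://weather.example');
  return { viaWildcard, viaExact, attackerSaw };
}

console.log(receiverScenario(true), receiverScenario(false), senderScenario());
```

With the check, only the honest message is accepted; without it, the attacker's message is accepted too, and the honest flow is unchanged in both cases, which is why the omission goes unnoticed. On the sender side, the exact targetOrigin causes the browser to drop the message once the frame no longer has that origin, whereas '*' hands the session value to whatever now occupies the frame.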

11 Mozilla Dev Center Warning
[Screenshot of the warning from the MDC postMessage page]

12 Facebook Connect
FBC enables users to use third-party sites with their FB identity
We reverse engineered the FBC protocol (full details in the paper)
FB Connect protocol, as reconstructed from the slide's diagram (Implementor is the third-party site; loginFrame and proxyFrame are frames loaded from Facebook.com; a subscript K means the message is protected with the key K):
1. Implementor → Facebook.com: make login frame (API key, origin)
2. Facebook.com → loginFrame: (S, K, origin)
3. loginFrame → Implementor: msg (S, K)
4. Implementor makes the proxy frame; proxyFrame → Facebook.com: get proxy code; Facebook.com → proxyFrame: code for proxy
5. Implementor → proxyFrame: msg (query, S)_K
6. proxyFrame → Facebook.com: (query, S)_K; Facebook.com → proxyFrame: (user data)
7. proxyFrame → Implementor: msg (user data)

13 Facebook Connect Attack: Integrity
Attack on integrity
–Only half of the messages had their origin verified
–The missing origin checks let an attacker inject arbitrary data into the communication between the implementor and the proxyFrame
–The attacker can replace the proxyFrame with a frame of their own
–This lets the attacker fully XSS the implementor
Facebook Connect frame hierarchy with the proxyFrame replaced by an attacker-controlled proxyFrame:
–Implementor → attacker's proxyFrame: msg (query, S)_K
–Attacker's proxyFrame → Implementor: msg (XSS payload in place of user data), sent with targetOrigin: *

14 FBC Severity: Integrity
Allows XSS at the benign implementor's origin
–Only the query is verified, not the response

15 Facebook Connect Attack: Confidentiality
Attack on confidentiality
–Messages to the proxyFrame have their targetOrigin parameter set to broadcast ('*')
–Leaks confidential information, such as profile and identity
–Because the sender of the query is not verified, this allows a man-in-the-middle attack
Facebook Connect frame hierarchy with the attacker relaying between the implementor and Facebook:
–Implementor → Attacker: (query, S)_K
–Attacker → proxyFrame → Facebook: (query, S)_K
–Facebook → proxyFrame → Attacker: (user data)
–Attacker → Implementor: (user data)

16 FBC Severity: Confidentiality
Leaks confidential user information
–Friends, contact information, political associations, etc.

17 Google Friend Connect
Google Friend Connect allows a Google user to share multiple online identities with third-party sites
We reverse engineered the GFC protocol (full details in the paper)
Google Friend Connect protocol, as reconstructed from the slide's diagram (N is a nonce):
1. Implementor → Google.com: make gadget frame (ID, N, session, origin)
2. Google.com → gadget frame: (code for gadget)
3. Implementor → gadget frame: msg (Q, N)
4. gadget frame → Google.com: (query); Google.com → gadget frame: (user info)
5. gadget frame → Implementor: msg (P, N)

18 Google Friend Connect Attack
targetOrigin is set correctly, but analysis of the code revealed the absence of sender-authenticity (origin) checks
The protocol instead checks for the correct nonce
Predicting the nonce lets an attacker spoof the messages exchanged by the gadget and the implementor
[Screenshot: Google Friend Connect gadget]

19 Google Friend Connect Attack Severity
GFC session integrity compromised
–Parameters changed by spoofing messages
–Example compromised gadget [screenshot]

20 Outline
postMessage Case Study
localStorage Case Study
Suggested Enhancements
Discussion with Vendors
Conclusion

21 Client-side Storage Overview
localStorage and Web SQL Database are used for creating persistent, client-side databases
–localStorage: simple name/value pairs
–Web SQL Database: SQL-capable database interface
The browser guarantees isolation based on origin
Example use of localStorage (an unset key reads back as undefined, so the test must cover both the missing and the empty case):
    function get_name() {
      if (!localStorage.name) return prompt_name();   // nothing stored yet
      else return localStorage.name;
    }

22 Client-side Storage Potential Threat
Web apps store data on the client side to enable a rich web experience
Database output must be verified and sanitized before it is used
–If not, this can lead to a server-oblivious, persistent client-side XSS attack: the payload lives in the victim's browser, fires on every page load, and is never seen by the server

23 Client-side Threat Model
We consider two potential threat models
–Primary XSS attack vector: a one-time XSS is used to write malicious code into the client-side database
–Network attacker
Example scenario (from the slide's figure): malicious code is written into the client-side database on the victim's computer; every subsequent page load reads it back and executes it (XSS)

24 Client-side Storage Evaluation
Evaluated applications that utilize client-side storage
Found 7/11 apps vulnerable to persistent, client-side XSS attacks
Persistent, client-side XSS
–Google Gmail, Buzz, Documents, Maps
Transient client-side XSS
–Google Reader, Zoho Documents
Invulnerable
–Google Calendar, Translate

25 Vendor Discussion
Google
–The primary XSS is the main concern
–Views this as a limitation of client-side databases
Facebook
–50% of users' browsers support postMessage
–Otherwise fragment identifiers and Flash are used
–Facebook's response: disabled postMessage

26 Lessons Learned
Developers within the same organization used the primitive incorrectly
Custom sanity checks and verification
–Easy to make mistakes or omit checks
–Not scalable
Designs are driven by browser compatibility

27 Economy of Liabilities
To ensure application security, a primitive must minimize the liability that a developer undertakes.
–Minimize the onus on the developer
–Default fail-closed design

28 Suggested Enhancements: postMessage
Origin whitelist
–Extend Content Security Policy (CSP)
»The site declaratively specifies the origins allowed to postMessage to it and the origins it may postMessage to
–Ensures confidentiality/authenticity by having the browser restrict targetOrigin/Origin
Proposed header, as written on the slide:
    X-Content-Security-Policy: post-msg-senders *.example.com *.facebook.com
                               post-msg-recip *.example.com *.facebook.com
Origin comparison primitive
–Reduces developer burden
    function compare_origins(msg_origin, [array of acceptable origins]);
–Input: message origin (event.origin) and an array of acceptable origins (e.g. [example.com])
–Output: 0 if the origin is invalid, otherwise an integer index into the array
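One way to implement the origin comparison primitive sketched on this slide, as an added example that is not the paper's proposal or any browser's API: it parses event.origin strictly (scheme, host, port) rather than testing substrings, and returns the 1-based index of the matching pattern or 0. The pattern syntax ('https://*.example.com' matching any subdomain but not the apex) and the function names are assumptions; the substring check shown alongside is the kind of ad hoc test the slide's primitive is meant to replace.

```javascript
// Added example, not the paper's proposed primitive or any browser API: a strict
// origin comparison routine of the kind slide 28 argues browsers should provide,
// beside the substring check it is meant to replace. The pattern syntax
// ('https://*.example.com' matches any subdomain, not the apex) is an assumption.

const DEFAULT_PORTS = { http: '80', https: '443' };

// Parse an event.origin value into its parts, or return null if it is not a
// tuple origin (opaque 'null' origins, wildcards, paths, userinfo all rejected).
function parseOrigin(s) {
  let u;
  try { u = new URL(s); } catch { return null; }
  if (u.origin === 'null') return null;
  if (u.username || u.password || u.search || u.hash) return null;
  if (u.pathname !== '/' && u.pathname !== '') return null;
  // WHATWG parsing already lower-cases the host and drops a default port.
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port };
}

const PATTERN = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/i;

// compare_origins(msg_origin, allowed): 0 if no pattern matches, otherwise the
// 1-based index of the first matching pattern (the slide's "0 if invalid").
function compareOrigins(msgOrigin, allowed) {
  const o = parseOrigin(msgOrigin);
  if (o === null) return 0;
  for (let i = 0; i < allowed.length; i++) {
    const m = PATTERN.exec(allowed[i]);
    if (!m) continue;                                  // malformed pattern never matches
    const scheme = m[1].toLowerCase();
    const wildcard = m[2] !== undefined;
    const host = m[3].toLowerCase();
    let port = m[4] || '';
    if (port === DEFAULT_PORTS[scheme]) port = '';     // 'https://a.example:443' == 'https://a.example'
    if (scheme !== o.scheme || port !== o.port) continue;
    const hostOk = wildcard ? o.host.endsWith('.' + host) : o.host === host;
    if (hostOk) return i + 1;
  }
  return 0;
}

// The ad hoc check this replaces: a substring test, which accepts
// 'https://example.com.attacker.example' and 'https://notexample.com'.
function substringCheck(msgOrigin) {
  return msgOrigin.indexOf('example.com') !== -1;
}

const ALLOWED = ['https://example.com', 'https://*.example.com'];
for (const origin of ['https://example.com', 'https://app.example.com',
                      'https://example.com.attacker.example', 'http://example.com', 'null']) {
  console.log(origin, 'strict:', compareOrigins(origin, ALLOWED), 'substring:', substringCheck(origin));
}
```

Scheme and port are part of the origin, so 'http://example.com' and 'https://example.com:8443' are rejected even though the host matches; the opaque origin 'null' (sandboxed frames, file: pages) never matches anything.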

29 Suggested Enhancements: Client-side Storage
Client-side storage
–Database output sanitization: toStaticHTML-like functionality
Figure on the slide: a stored value localStorage.name = "Joe" followed by injected markup that calls evil_code() goes in; after the sanitizer, only "Joe" comes out. Caption: "Enable sanitization?"
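The persistent client-side XSS of slides 22 to 24 and the output sanitization of this slide, as one added example that is not code from the paper or from any of the applications it studied: a planted value in localStorage is rendered as markup (vulnerable), encoded as text (safe), and validated on read so that the planted value does not survive to the next page load. `storageStub` is a constructed stand-in for window.localStorage with the same getItem/setItem/removeItem shape so the example runs outside a browser; the payload, the greeting and the allowed name format are constructed for the example.

```javascript
// Added example, not code from the paper or from any of the applications it
// studied: a persistent client-side XSS through localStorage, modelled offline.
// `storageStub` is a constructed stand-in for window.localStorage with the same
// getItem/setItem/removeItem shape; the payload and name format are constructed.

const backing = new Map();
const storageStub = {
  getItem: (k) => (backing.has(k) ? backing.get(k) : null),
  setItem: (k, v) => { backing.set(k, String(v)); },
  removeItem: (k) => { backing.delete(k); },
};

// The "primary" XSS writes once; the payload then fires on every later page
// load without the server ever seeing it (server-oblivious, persistent).
function plantPayload() {
  storageStub.setItem('name', 'Joe<img src=x onerror="evil_code()">');
}

// Vulnerable render: database output treated as markup (what slide 24 found).
function renderGreetingUnsafe() {
  const name = storageStub.getItem('name') || '';
  return '<p>Welcome back, ' + name + '</p>';   // destined for element.innerHTML
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened render: the stored value is text, so it is encoded before it can be
// interpreted as markup (equivalent to using textContent instead of innerHTML).
function renderGreetingSafe() {
  const name = storageStub.getItem('name') || '';
  return '<p>Welcome back, ' + escapeHtml(name) + '</p>';
}

// Defence in depth: validate on read against what a name may contain, and
// discard anything else so a planted value does not persist to the next load.
const NAME_OK = /^[\p{L}\p{M}' .-]{1,64}$/u;
function readName() {
  const v = storageStub.getItem('name');
  if (v !== null && NAME_OK.test(v)) return v;
  storageStub.removeItem('name');
  return null;   // caller falls back to prompt_name()
}

plantPayload();
console.log(renderGreetingUnsafe());
console.log(renderGreetingSafe());
console.log(readName(), storageStub.getItem('name'));
```

Encoding on output is the robust fix because it makes no assumption about what the database holds; the read-time validator is the toStaticHTML-style measure the slide proposes, applied to a field whose legitimate values are narrow enough to describe with an allowlist.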

30 Conclusion
Evaluated the security of new primitives in practice
–postMessage
»Reverse engineered Facebook Connect and Google Friend Connect
»Often used securely, but developers in the same organization make mistakes
–localStorage
»Examined high-profile applications (Gmail, Buzz, Docs, etc.)
»Widely used without sanitization
Discussed vendor reasoning and responses
Enhancements using Economy of Liabilities as the guiding principle
–Increase ease of use
–Reduce developer burden
–Increase overall security

31 Contact
Contact: Steve Hanna
Please visit our project web site
THANKS FOR LISTENING