Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009. Outline Background Setting SOP.
Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009

Outline Background Setting SOP

Background Document Object Model (DOM) Cookie XMLHttpRequest HTML LiveHTTPHeaders extension for Firefox

DOM The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. – from Wikipedia

Cookie Cookies are placeholders for server-provided data in the web browser, typically used to track sessions. Each cookie is a key-value pair such as "color=green" and may have some optional attributes. Web applications can create a cookie in the web browser using the Set-Cookie header in the HTTP response.

Cookie (cont.) After cookies are created, web browsers attach the cookies to all subsequent requests to the web application. In a JavaScript program, all the cookies of the web application can be referenced through the document.cookie object. In cookie-based session-management schemes, web applications store the session identifier in a cookie in the web browser.
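The two cookie slides above describe the round trip: a Set-Cookie response header creates a cookie, and the browser attaches matching cookies to later requests. The following is an added example (not from the original lab slides) that models that behaviour with a minimal cookie jar; the cookie names, values and hosts are constructed, and the Domain/Path/Secure matching is simplified relative to the full cookie specification.

```javascript
// Added example: parse a Set-Cookie header into a cookie record, then decide
// which stored cookies a browser would attach to a later request.
function parseSetCookie(header, settingUrl) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: new URL(settingUrl).hostname, // default scope: the host that set it
    path: "/",
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "domain") cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = v.trim() || "/";
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

// A cookie with Domain=example.com is sent to example.com and its subdomains.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Builds the Cookie request header the browser would send to requestUrl.
function cookieHeaderFor(jar, requestUrl) {
  const u = new URL(requestUrl);
  return jar
    .filter(
      (c) =>
        domainMatches(u.hostname, c.domain) &&
        u.pathname.startsWith(c.path) &&
        (!c.secure || u.protocol === "https:") // Secure cookies only over HTTPS
    )
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample: two Set-Cookie headers received from a site.
const SAMPLE_JAR = [
  parseSetCookie("color=green; Path=/", "http://www.example.com/index.php"),
  parseSetCookie("SESSIONID=abc123; Domain=example.com; Path=/app; Secure",
                 "http://www.example.com/app/login.php"),
];
```

Compare the header built for an http:// request with the one built for an https:// request to the same path: the Secure session cookie only appears in the latter.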

Use Live HTTP Header (tools)

XMLHttpRequest XMLHttpRequest has an important role in the AJAX web development technique. – from Wikipedia
xhr = new XMLHttpRequest();
xhr.open("POST", " m/posting.php", true); // host part of the URL is cut off on the original slide
xhr.send(null);

HTML tags: p, frame, iframe, img, a

LiveHTTPHeaders Observe the post request Observe the response Observe the cookie

Setting about:config in address bar of Firefox

SOP Origin: –Protocol: file://, ftp://, etc. –Domain: microsoft.com, google.com, etc. –Port: 80, 8080, 21, 3128, etc. The SOP identifies each web site by its origin. For each origin, the web browser creates a context and stores the resources of the web application from that origin in the context. JavaScript programs from one origin are not allowed to access resources from another origin.

Examples: same-origin checks against a reference URL – from Wikipedia

Resources for SOP Cookie History URL Contents Etc.

URL When I enter a cross-domain web page in the URL bar, can you use "forward" and "backward"? Is the URL shown?

Tags do not honor SOP Find out by yourself!

Reference: XMLHttpRequest (Wikipedia)