Subspace: Secure Cross-Domain Communication for Web Mashups. In Proceedings of the 16th International World Wide Web Conference (WWW), 2007. Collin Jackson (Stanford University) and Helen J. Wang (Microsoft Research).
1 Subspace: Secure Cross-Domain Communication for Web Mashups. In Proceedings of the 16th International World Wide Web Conference (WWW), 2007. Collin Jackson, Stanford University; Helen J. Wang, Microsoft Research.

2 Outline
– Introduction
– Current Practice
– Single Web Service
– Multiple Web Services
– Evaluation
– Conclusion and Comments
(Slide footer date: 2009/3/24)

3 Introduction
Mashup: a website or web application that seamlessly combines content from more than one source into an integrated experience.
Gadget aggregators aggregate third-party JavaScript code (the gadgets) into one page to provide a desirable, single-stop information presentation to their users.
– Examples: Google Personalized Homepage, Microsoft Windows Live.

4 Introduction
Browsers are poorly designed to pass data between domains, often forcing web developers to abandon security in the name of functionality.
Subspace:
– A cross-domain communication mechanism that allows efficient communication across domains without sacrificing security.
– A small JavaScript library that works across all major browsers.

5 Introduction
How to obtain third-party data:
– <script> tags: one site gets complete control, which allows observing or hijacking the user's session.
– Browser plugins: inconvenient.
Gadget aggregators typically are presented with two security choices:
– Inline gadgets: allow the gadget full access to the surrounding page.
– Sandboxed cross-domain frames: cannot engage in client-side communication with the parent frame.

6 Current Practice
How mashups currently communicate across domains:
– Same-origin policies
– Proxies
– Cross-domain <script> tags
– Browser plugins
– Fragment identifier messaging

7 JavaScript Same-origin policy
Inline frames (IFRAMEs):
– Can be used to download rich HTML documents from outside sources.
– If the content comes from a different domain, the browser will not allow the JavaScript in the containing page to read or manipulate the document inside the frame, and vice versa.

8 JavaScript Same-origin policy
XMLHttpRequest:
– Can be used to download arbitrary XML documents without reloading the page.
– Cannot be used to download files that are not from the same domain as the page making the request.
The same-origin policy protects the secrecy of HTML documents that the user has access to, and protects the integrity of a page against unauthorized modification by other pages.

9 Proxies
The website hosting the mashup can host a URL which relays data between the client and the source of the data. This makes the data appear to the client to be “same-origin” data, so the browser allows the data to be read back.
Disadvantages:
– Adds latency.
– Increases bandwidth costs.
– Provides another layer for attackers to hide behind when mounting DoS attacks or exploiting input validation vulnerabilities on the server hosting the data source.

10 (Diagram following the Proxies slide; labels: ServerofOriginSite.com, Client / Browser, Loaded from ServerofOriginSite.com, MashupSite.com, HTTP GET / HTTP POST, XMLHttpRequest.)

11 Cross-domain <script> tags
Scripts can be loaded from other domains and executed with the privileges of the page that includes them.
Disadvantages:
– A script can only be accessed by executing it. The page including the script has no way of performing input validation to ensure that the script being retrieved is not misusing its access to the parent page.
– The site hosting the script could change the content of the script at any time, and could even serve different content to different users.


13 Browser plugins
Can provide many of the cross-domain network communication capabilities that are needed by mashups.
– Example: Macromedia's Flash browser plugin.
Disadvantages:
– Some users choose not to install them for security, privacy, or compatibility reasons.

14 Fragment identifier messaging
Fragment identifiers:
– The hash part of a URL; for example, a URI ending in #section_2 points to the anchor named section_2.
The containing page can set (but not read) the URL fragment identifier of an embedded IFRAME, and the IFRAME must poll to detect changes in the value of its location.hash property.
Disadvantages:
– Requires careful synchronization between the communicating pages.
– Can be easily disrupted if the user presses the browser's back button.
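The polling scheme on this slide, as an added offline model (not code from the Subspace paper or these slides). The FakeFrame class and the helper names are this example's own; the child URL is constructed. It shows the two weaknesses the slide lists: a message written between two polls is silently overwritten, and a back-button navigation that restores an old fragment makes an already-delivered message look new.

```javascript
'use strict';

// Stand-in for an IFRAME's window.location: only the hash matters here.
class FakeFrame {
  constructor(url) {
    this.location = { href: url, hash: '' };
    this.lastSeenHash = ''; // what the child's poller has already consumed
  }
}

// Parent side: encode a message into the child's fragment. Only the fragment
// changes, so the frame is not reloaded; the message must be URL-safe.
function sendViaFragment(frame, message) {
  frame.location.hash = '#' + encodeURIComponent(message);
}

// Child side: one polling step. Returns the decoded message if the fragment
// changed since the last poll, otherwise null. Anything written between two
// polls is lost, which is why the slide calls for careful synchronisation.
function pollFragment(frame) {
  const current = frame.location.hash;
  if (current === frame.lastSeenHash) return null;
  frame.lastSeenHash = current;
  return decodeURIComponent(current.slice(1));
}

// Back button: the browser restores the previous fragment, so the child's
// poller sees a stale message again (or a pending one disappears).
function pressBack(frame, previousHash) {
  frame.location.hash = previousHash;
}

// Walk through one exchange; results are returned so they can be checked.
function demo() {
  const child = new FakeFrame('https://webservice.example/gadget.html'); // constructed URL
  sendViaFragment(child, 'color=red');
  const first = pollFragment(child);     // 'color=red'
  sendViaFragment(child, 'color=green');
  sendViaFragment(child, 'color=blue');  // overwrites 'color=green' before the child polls
  const second = pollFragment(child);    // 'color=blue'; 'color=green' was never seen
  const idle = pollFragment(child);      // null: nothing new
  pressBack(child, '#color%3Dred');      // history navigation restores the old fragment
  const replayed = pollFragment(child);  // 'color=red' is delivered a second time
  return { first, second, idle, replayed };
}
```

A real implementation needs a sequence number in each message and an acknowledgement channel in the other direction; the model above deliberately leaves both out to make the lost and replayed messages visible.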

15 Single Web Service
Introduce a “throwaway” subdomain (e.g. webservice.mashup.com) that is used only to retrieve information from that web service.
– webservice.mashup.com is used only by IFRAMEs. These frames are structured such that data can be safely downloaded from the web service using a <script> tag.
– None of the browser state associated with the top frame's domain, top.mashup.com (e.g. the user's authentication cookie, or the contents of the page), is ever accessible to webservice.mashup.com.
(Diagram: the mashup site at top.mashup.com; the throwaway subdomain webservice.mashup.com; the untrusted web service.)

16 Cross-subdomain Communication
If two domains that want to communicate share a common suffix, they can use the JavaScript document.domain property to give each other full access to one another.
– document.domain defaults to the host name of the server that the document was retrieved from.
– It can be truncated to a suffix (and only a suffix) of this name, and the truncation must occur on dot-aligned boundaries.
– Pages on a.example.com and b.example.com can change the value of document.domain to example.com, allowing them to pass JavaScript data and code between each other at runtime.
– Once a page has shortened its domain using this mechanism, it is no longer permitted to access other frames that do not match its new domain.
– It cannot set document.domain back to its original value.

17 Single Web Service – Setup Phase
Perform a setup protocol that gives pages in both domains access to the same Subspace JavaScript object.
1. Create mediator frame: the top frame (top.mashup.com) and the mediator frame (a hidden IFRAME pointing to a tiny page on the mashup site) set their document.domain variable to the same value, so the mediator can obtain the Subspace object.
2. Create untrusted frame.
3. Pass JavaScript communication object: the mediator frame and the untrusted frame change their document.domain to mashup.com. They can now use the same Subspace object to pass arbitrary JavaScript data.

18 The setup is performed only once and does not need to be restarted when further data requests are required.
– The top frame and the mediator frame cannot directly communicate, because their domains no longer match: the top frame is protected.
– The mediator frame cannot issue XMLHttpRequests to top.mashup.com.
– The cookie belonging to top.mashup.com is not accessible to the code hosted on webservice.mashup.com.

19 Multiple Web Services
If the mashup wants to interact with more than one web service or gadget, it not only needs to protect the security of its own domain; it also needs to keep these web services from compromising each other.
The untrusted frame for every web service lives in the mashup.com domain.
– An attacker's untrusted frame might be able to interfere with the untrusted frame of another web service.
– Whether or not this issue is a problem depends on the frame restrictions imposed by the browser.

20 Frame Hierarchy (diagram)
– upperFrame is top.frames[0]
– navigateFrame is top.frames[1]
– listFrame is upperFrame.frames[0], i.e. top.frames[0].frames[0]
– contentFrame is upperFrame.frames[1], i.e. top.frames[0].frames[1]

21 Multiple Web Services – Restrictive frame access
The browser restricts access to cross-domain frames when navigating the frame hierarchy.
– Opera and some configurations of IE6.
Approach: create a new nested frame structure for each web service or gadget that needs to be included.

22 Multiple Web Services – Permissive frame access
Any frame anywhere on the page can be reached by any other frame, and if those frames are in the same domain, they can each access each other and intercept each other's communications.
– Firefox, Safari, IE7, and some configurations of IE6.
Approach: use a new throwaway domain for each web service that the mashup needs to interact with, to keep these frames from interfering with each other.
(Diagram: the mashup site at top.mashup.com; webservice1.mashup.com and webservice2.mashup.com, each fronting an untrusted web service.)

23 Setup with permissive frame access
1. Create mediator frame: the browser is at top.mashup.com. Create an IFRAME pointing to a page on the mashup site; retrieve the JavaScript object and change domain.
2. Create untrusted frame.
3. Create access frame: obtain a “container” JavaScript object from the untrusted frame and then change domain to mashup.com.
4. Pass JavaScript communication object: the access frame can obtain the Subspace object from the mediator frame (due to the permissive frame access policy and the shared domain). Put the object into the container it shares with the untrusted frame.
5. Cleanup: the untrusted frame disposes of the access frame. It now has the Subspace object to communicate with the top frame.
6. Repeat for every gadget; then the mediator frame can be disposed.
7. Load untrusted content: all the gadgets have a Subspace communication channel to the top frame, but none of them have access to each other.
(Diagram: the mashup site at top.mashup.com; mediator frame at mashup.com; untrusted web services behind webservice1.mashup.com and webservice2.mashup.com.)
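The document.domain rules from slide 16 and the setup sequence on this slide, as one added offline model (not code from the Subspace paper or these slides). Host names follow the slides (top.mashup.com, webservice1.mashup.com, webservice2.mashup.com); the Frame class, shortenDomain, canAccess, pass, subspaceSetup and reachableAfterShortening are this example's own names. Two assumptions are made: the mediator page is served from the top frame's own host so it can read the Subspace object before changing domain, and two frames can script each other only when their effective domains match and either both or neither has assigned document.domain (the rule in the current HTML specification). Under those assumptions the model shows why a gadget that shortens its own domain after setup reaches neither the top frame nor the other gadget.

```javascript
'use strict';

// One browser frame: the host it was loaded from and its effective domain.
class Frame {
  constructor(name, host) {
    this.name = name;
    this.host = host;           // host the document was retrieved from
    this.domain = host;         // document.domain defaults to the host name
    this.domainWasSet = false;  // true once the page has assigned document.domain
    this.shared = {};           // JavaScript objects this frame holds references to
    this.disposed = false;
  }
}

// document.domain may only be set to a dot-aligned suffix of its current value
// (or to the current value itself); it can never be lengthened again.
function shortenDomain(frame, newDomain) {
  const cur = frame.domain;
  if (newDomain !== cur && !cur.endsWith('.' + newDomain)) {
    throw new Error(`${frame.name}: '${newDomain}' is not a dot-aligned suffix of '${cur}'`);
  }
  frame.domain = newDomain;
  frame.domainWasSet = true;
}

// Assumed access rule: same effective domain, and both or neither frame has set it.
function canAccess(a, b) {
  if (a.disposed || b.disposed) return false;
  return a.domain === b.domain && a.domainWasSet === b.domainWasSet;
}

// Copy an object reference from one frame to another, failing where the browser would.
function pass(from, to, key) {
  if (!canAccess(from, to)) throw new Error(`${from.name} cannot reach ${to.name}`);
  to.shared[key] = from.shared[key];
}

// Steps 1 to 6 of the slide, for a list of throwaway gadget hosts.
function subspaceSetup(gadgetHosts) {
  const top = new Frame('top', 'top.mashup.com');
  top.shared.subspace = { send: (msg) => `top received ${msg}` };
  // 1. Mediator (assumed to be served from top's host): fetch the object while
  //    still same-origin with top, then change domain to mashup.com.
  const mediator = new Frame('mediator', 'top.mashup.com');
  pass(top, mediator, 'subspace');
  shortenDomain(mediator, 'mashup.com');
  const untrusted = [];
  for (const host of gadgetHosts) {
    // 2. Untrusted frame on its own throwaway subdomain; no gadget code loaded yet.
    const u = new Frame(`untrusted@${host}`, host);
    u.shared.container = {};
    // 3. Access frame on the same host: grab the container, then change domain.
    const access = new Frame(`access@${host}`, host);
    pass(u, access, 'container');
    shortenDomain(access, 'mashup.com');
    // 4. Now in the mediator's domain: obtain the Subspace object and put it in the container.
    pass(mediator, access, 'subspace');
    access.shared.container.subspace = access.shared.subspace;
    // 5. Cleanup: the access frame goes away; the untrusted frame keeps the container.
    access.disposed = true;
    untrusted.push(u);
  }
  mediator.disposed = true;   // 6. every gadget is served; the mediator is no longer needed
  return { top, untrusted };
}

// Step 7 viewed from inside one gadget: once untrusted code runs there, the most
// it can do is shorten its own document.domain. Which live frames can it then reach?
function reachableAfterShortening(gadget, frames) {
  shortenDomain(gadget, 'mashup.com');
  return frames.filter((f) => f !== gadget && canAccess(gadget, f)).map((f) => f.name);
}
```

The security argument rests on what is missing at step 7: every frame that ever lowered its domain to mashup.com (mediator and access frames) has been disposed, and the frames that remain (top and the honest gadgets) never lowered theirs, so a gadget that lowers its own domain finds nothing to talk to except the Subspace object it was handed.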

24 Evaluation – Mashup Measurements
The test mashup shows a list of the 20 most recent kitten photos from the Flickr photo sharing site.
– Proxy: connects to the Flickr web service and relays data to the mashup, using XMLHttpRequest.
– Unsafe: downloads the data directly from Flickr using a cross-domain <script> tag.
– Subspace: also uses a <script> tag to make the network request.
Result: Subspace took longer to set up (loading hidden IFRAMEs), but its network requests were faster than the proxy approach.

25 Evaluation – Gadget Aggregator Measurements
The test aggregator allows the user to customize the font color of all of his or her gadgets.
– Sandboxed: uses a third-party IFRAME approach that reloaded the gadget whenever the user's desired font color changed.
– Unsafe: includes the gadget's source code inline with the page, and uses JavaScript to pass the desired font color to the gadget region of the page.
– Subspace.
Results:
– Initial page load: the sandboxed and unsafe approaches were faster (fewer frames were required).
– Responding to a font color change request: the sandboxed approach required the user to wait for the page to load.

26 Conclusion
Presented Subspace, a cross-domain communication primitive that allows efficient communication across domains while still sandboxing untrusted code.
– It uses existing browser features as building blocks and is therefore highly practical.
– The prototype implementation of Subspace is compatible with all major browsers.

27 Comments
Looks brilliant to me for scenarios where the Web application developer is looking to achieve secure mashups, because it works with today's browsers without requiring any plugins.
The strategy requires that the server have a stash of subdomains lying around.