OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen UC Davis.

Slides:

Advertisements

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Advertisements

By Loukik Purohit & Rohit Ghatol

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

EECS 354 Network Security Cross Site Scripting (XSS)

Redefining Web Browser Principals with a Configurable Origin Policy Yinzhi Cao, Vaibhav Rastogi, Zhichun Li†, Yan Chen and Alexander Moshchuk†† Northwestern.

On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.

Dynamic Pharming Attacks and Locked Same-Origin Policies For Web Browsers Chris Karlof, J.D. Tygar, David Wagner, Umesh Shankar.

Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology.

Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Best and Worst Practices Building RIA from Adobe and Microsoft.

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

Redefining Web Browser Principals with a Configurable Origin Policy Yinzhi Cao, Vaibhav Rastogi, Zhichun Li†, Yan Chen and Alexander Moshchuk†† Northwestern.

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,

Web Services & Widgets Godmar Back. Mash-Ups Applications that combine information from different sources in one web page Different architectural choices.

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Apache Chemistry face-to-face meeting April 2010.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.

Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.

IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.

SOMA: Mutual Approval for Included Content in Web Pages Terri Oda, Glenn Wurster, P.C. van Oorschot, Anil Somayaji Carleton Computer Security Lab Carleton.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Krishna Mohan Koyya Glarimy Technology Services

Embedding CenterView and Hosting External Content.

OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen (UC Davis) ACM Conference on Computer and Communications.

BetterAuth: Web Authentication Revisited Martin Johns, Sebastian Lekies, Bastian Braun, Benjamin Flesch In ACSAC /01/08 A.C. ADL.

User Interface Toolkit Mechanisms For Securing Interface Elements Franziska Roesner, James Fogarty, Tadayoshi Kohno Computer Science & Engineering DUB.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim

Robust Defenses for Cross-Site Request Forgery

1 Welcome to CSC 301 Web Programming Charles Frank.

2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

SMash : Secure Component Model for Cross- Domain Mashups on Unmodified Browsers WWW 2008 Frederik De Keukelaere et al. Presenter : SJ Park.

1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

World Wide Web “WWW”, "Web" or "W3". World Wide Web “WWW”, "Web" or "W3"

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

M. Alexander Helen J. Wang Yunxin Liu Microsoft Research 1 Presented by Zhaoliang Duan.

University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,

Vaibhav Rastogi and Yi Yang.  SOP is outdated  Netscape introduced this policy when most content on the Internet was static  Differences amongst different.

Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.

Cross-site request forgery Collin Jackson CS 142 Winter 2009.

CSI 3125, Preliminaries, page 1 SERVLET. CSI 3125, Preliminaries, page 2 SERVLET A servlet is a server-side software program, written in Java code, that.

Securing Angular Apps Brian Noyes

Protection and Communication Abstractions for Web Browsers in MashupOS Helen J. Wang, Xiaofeng Fan, Jon Howell (MSR) Collin Jackson (Stanford) February,

CSRF Attacks Daniel Chen 11/18/15. What is CSRF?  Cross Site Request Forgery (Sea-Surf)  AKA XSRF/ One Click / Sidejacking / Session Riding  Exploits.

Cloud Environment Spring  Microsoft Research Browser (2009)  Multi-Principal Environment with Browser OS  Next Step Towards Secure Browser 

The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites Paper by Sooel Son and Vitaly Shmatikov, The University of Texas.

IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.

Lesson 4: Web Browsing.

Ofer Shezaf, CTO, Breach Security

Security mechanisms and vulnerabilities in .NET

Cross-Site Request Forgeries: Exploitation and Prevention

Automatic and Precise Client-Side Protection against CSRF Attacks

Riding Someone Else’s Wave with CSRF

CSC 495/583 Topics of Software Security Intro to Web Security

Objectives In this lesson you will learn about: Need for servlets

Lesson 4: Web Browsing.

WWW安全國立暨南國際大學資訊管理學系陳彥錚.

Cross Site Request Forgery New Attacks and Defenses

Cross Site Request Forgery (CSRF)

Presentation transcript:

OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen UC Davis

Mashups and the Same Origin Policy Mashups integrate content from multiple websites Content protection relies on Same Origin Policy (SOP) – Currently, contents get complete or no isolation – MashupOS proposes more flexible trust relationship [SOSP 07] Isolated Open Access-Controlled Unauthorized

Same Origin Policy a.com b.com Server Browser  

Problems with SOP – What Domains are of the Same Origin? web1.acm.orgweb2.acm.org yes cs.ucdavis.edu ece.ucdavis.edu maybe amazon.co.uk bbc.co.uk no Same origin?

DNS Insecurity Client vulnerabilities – DNS rebinding (Jackson et al, CCS 07) – Dynamic Pharming (Karlof et al, CCS 07) Server vulnerabilities – DNS cache poisoning (Kaminsky, BlackHat 08)

Cross-Site Request Forgery a.com b.com Server Browser

OMash: Object Mashup A new browser security model Use Object-Oriented model (e.g. Java object model) Treat each Web page as an object – Encapsulate all scripts and data – Objects declare public interface – Objects communicate only via public interface

Object Abstractions Java (analogy) Web page object public class FooObject { public void publicMethod() { } private int privateData; } function getPublicInterface() { function Interface() { this.publicMethod = function () {…} } return new Interface(); } var privateData;

Page Objects A page consists of – DOM tree – Scripts – Credentials (HTTP auth, cookies) A page object can be contained in a – Window – Tab – Frame – Iframe

Public and Private Members Public interface – Each object declares getPublicInterface() – Returns a closure of all public methods and data Private data – DOM – Scripts – Credentials

Usage Example map.html integrator.html function getPublicInterface() { function Interface() { this.setCenter = function (lat,long) { … } return new Interface(); }... var map = win.getPublicInterface();... map.setCenter(lat, long); } map.html integrator.html

Trust Relationships Can model trust relationships needed for mashups (as identified by MashupOS) – Isolated – Open – Access-Controlled – Unauthorized

No access between provider and integrator Isolated function getPublicInterface() { function Interface() { } return new Interface(); }

Open Full access between provider and integrator function getPublicInterface() { function Interface() { this.getDocument = function () { return document; } return new Interface(); }

Limited access depending on caller Access-controlled function getPublicInterface() { function Interface() { this.auth = function(user,pass) { return token; } this.do = function (token,...) { check(token); } } return new Interface(); } var api = win.getPublicInterface(); token = api.auth(user, pass); api.do (token,...) ProviderIntegrator

Preventing CSRF a.com b.com Server Browser

Preventing CSRF a.com b.com Server Browser

Preventing CSRF a.com b.com Server Browser No cookie!

Browser Sessions under OMash Each cookie – belongs to a window – is shared by subsequent pages from the same domain in that window Each window has an independent session – Desirable side effect: Can log in to multiple accounts in different windows in the same browser

Cross-window Sessions How to track a session across windows? Cookie Inheritance – When page P1 loads P2, P2 inherits P1’s cookies – P1 and P2 now belong to the same session

Implementation Proof of concept as Firefox add-on – Make an exception to SOP in Mozilla’s Configurable Security Policy – Change Cookie Manager to make each cookie private to a window No changes required on the server

Supporting SOP without DNS If application prefers using SOP to allow inter- page communication: To implement this under OMash – Server embeds a shared secret in all pages – Pages authenticate each other using this secret

Supporting SOP without DNS secret = “1234”; function getPublicInterface() { function Interface() { this.foo=function (secret, … ) { check(secret); … } } return new Interface(); } secret = “1234” api = win.getPublicInterface() api.foo(secret, …) ProviderIntegrator

Related Work MashupOS (Wang et al, SOSP 07) SMash (Keukelaere WWW 07) Google’s Caja

Conclusion OMash a new browser security model – Allows flexible trust relation – Simple – Familiar, easy to understand Don’t rely on Same Origin Policy – Prevent CSRF attacks – Allows programmers to define “Same Origin” flexibly based on shared secrets