University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,

Slides:

Advertisements

Similar presentations

Nick Feamster CS 6262 Spring 2009

Advertisements

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

EECS 354 Network Security Cross Site Scripting (XSS)

Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.

Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.

Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology.

AppSec USA 2014 Denver, Colorado Warning Ahead: Security Storms are Brewing in Your JavaScript Helen Bravo.

1 The Emperor’s New APIs On the (In)Secure Usage of New Client-side Primitives Devdatta AkhaweSteve HannaEui Chul Richard Shin Dawn Song Arman BoehmPrateek.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

HTML5 Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.

JavaScript, Fourth Edition

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

3-Protecting Systems Dr. John P. Abraham Professor UTPA.

Chapter 8 Cookies And Security JavaScript, Third Edition.

BetterAuth: Web Authentication Revisited Martin Johns, Sebastian Lekies, Bastian Braun, Benjamin Flesch In ACSAC /01/08 A.C. ADL.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim

Robust Defenses for Cross-Site Request Forgery

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.

1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

The Problem of State. We will look at… Sometimes web development is just plain weird! Internet / World Wide Web Aspects of their operation The role of.

Vaibhav Rastogi and Yi Yang.  SOP is outdated  Netscape introduced this policy when most content on the Internet was static  Differences amongst different.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Securing Angular Apps Brian Noyes

CSRF Attacks Daniel Chen 11/18/15. What is CSRF?  Cross Site Request Forgery (Sea-Surf)  AKA XSRF/ One Click / Sidejacking / Session Riding  Exploits.

The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5Websites Sooel Son and Vitaly Shmatikov The University of Texas at Austin 20.

Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.

Browser code isolation John Mitchell CS 155 Spring 2016.

By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.

The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites Paper by Sooel Son and Vitaly Shmatikov, The University of Texas.

Redmond Protocols Plugfest 2016 Tarun Chopra Accessing APIs through Add-Ins Sr. Escalation Engineer.

Open Solutions for a Changing World™ Eddy Kleinjan Copyright 2005, Data Access WordwideNew Techniques for Building Web Applications June 6-9, 2005 Key.

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.

ArcGIS for Server Security: Advanced

BUILD SECURE PRODUCTS AND SERVICES

Web Application Security

NodeJS Security Using PassportJS and HelmetJS:

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

World Wide Web policy.

Cross-Site Forgery

Browser code isolation

Riding Someone Else’s Wave with CSRF

Exploring DOM-Based Cross Site Attacks

Cross-Site Scripting Attack (XSS)

Cross Site Request Forgery (CSRF)

Presentation transcript:

University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida, Orlando

University of Central Florida Prior/After HTML5 Same Origin Policy communication Cross Site Communication postMessage Protocol + Host + Port

University of Central Florida New Web Approach postMessage enhance user experience

University of Central Florida postMessage: Inter-frame Communication Different Frames

University of Central Florida What Worries? Changing Web Landscape: Inclination on Client Side JavaScript Application Logic Greater Functionality Greater Functionality Fast Query Response Fast Query Response Extended Functionality Extended Functionality

University of Central Florida Usage Usage: targetWindow.postMessage(, ) Message Target Origin Third Party

University of Central Florida Security Perspective postMessage guarantees confidentiality and authenticity Sender specifies recipient’s origin, specifying URL(Target Origin) Recipient origin can also be ‘*’ Developer’s responsibility. To be used Cautiously! 68% websites vulnerable to XSS

University of Central Florida Cause of Concern 25% of top 10,000 websites use postMessage: Alexa Over 70% of websites do not perform origin check. Nearly 12% perform semantically incorrect checks

University of Central Florida Sample Demonstration (I) Origin Check: Failing which enables XSS attacks. Var newWin=window.open ( newWin.postMessage(“Hi”, Var newWin=window.open ( newWin.postMessage(“Hi”, Window.addEventListner(“ message”, GetMsg, false); function GetMsg(event) { if (event.origin == “ return; event.source.postMessage(“ Hi ABC”, event.origin); } Window.addEventListner(“ message”, GetMsg, false); function GetMsg(event) { if (event.origin == “ return; event.source.postMessage(“ Hi ABC”, event.origin); } targetOrigin Origin Check Origin Check

University of Central Florida Sample Demonstration (II) Semantically Incorrect Checks Var newWin=window.open ( newWin.postMessage(“Hi”, Var newWin=window.open ( newWin.postMessage(“Hi”, Window.addEventListner(“ message”, GetMsg, false); function GetMsg(event) { Var w=/abc\.com(:[0-9])?$/; if (!event.origin.match(w)) return; event.source.postMessage(“ Hi ABC”, event.origin); } Window.addEventListner(“ message”, GetMsg, false); function GetMsg(event) { Var w=/abc\.com(:[0-9])?$/; if (!event.origin.match(w)) return; event.source.postMessage(“ Hi ABC”, event.origin); } targetOrigin Origin Check Origin Check Evilabc.com

University of Central Florida Defense from Attacker Website For third party content providers like Facebook – Based on Pseudo Random Token Frame with 3 rd party content accepts messages only from the origin of the page that loads this frame. Or (More Restrictive) Frame with third party content accepts messages only from the parent frame. – XSS can’t be prevented, if attacker includes 3rd party frame X.com Y.com X.com attacker.com X.com

University of Central Florida Defenses Attacker including 3 rd party frame. – Frame with 3 rd party content accepts messages only from content provider’s scripts running in any origin. Example: Receivers

University of Central Florida Defense from Third Party Content For website that use untrusted third party content – Based on Content Security Policy (CSP) extension Restricts origin of messages sent to X.com from attacker.com. Requires browser support, no cooperation From third party content provider. X.com attacker.com

University of Central Florida Using postMessage: Simple Example Data Origin Check Sender Origin Check Target Origin

University of Central Florida “Light” Threat Model Third Party Frames Attacker Child C sends message to B via A Child C sends message to B via A Honest

University of Central Florida “Heavy” Threat Model attacker.com novice.com Attacker directly included third party frame novice.com Provided Script novice.com Provided Script Attacker can put any script or data in local storage Can cause session hijacking if website stores user’s identity Can cause also steal stored cookies

University of Central Florida X-Frame-Options Header Allows/ disallows rendering of the document when inside an iframe. It may have three possible values: – SAMEORIGIN: The document will be rendered in an frame only if the frame and it’s parent have the same origin. – DENY: Document may not be rendered inside a frame. – ALLOW-FROM: Document can be frame in specific uri Needs to be added to web server’s config file. 3% of websites posing serious threat, do not use this feature

University of Central Florida Defense Techniques Pseudo Random Token Protect against “Light” threat model – Guarantees only the origin that loaded a third-party frame can send messages to this frame. Shared secret pseudo random token between site owner and inner frame – Web-Kit browsers, provide crypto.getRandomNumber API – via an XMLHttpRequest – Outer script attaches token to src attribute of frame it create Content Security Policy Enforce security policy on 3 rd party scripts. Require structural changes, by removing inline JavaScript CSP is HTTP header starting with X-Content-Security-Policy Only 3 out of Alexa top 10,000 websites use this

University of Central Florida Questions ?