Vaibhav Rastogi and Yi Yang

 SOP is outdated
 Netscape introduced this policy when most content on the Internet was static
 Different resources (DOM, cookies, AJAX, ...) are governed by inconsistent notions of origin; the differences lead to vulnerabilities
 Goal: design a new framework that captures finer-grained origins and sharing

 Web 2.0: rich applications
 We want an abstraction that solves many problems in one shot
 A simple change that provides a solution to many problems

 Third-party JavaScript
  ▪ Ads, gadgets, widgets, Facebook applications
 Need to restrict its interaction with the host website
 Problem: essentially one of maintaining different origins for content that today shares one

 Existing solutions
  ▪ SOP assigns included third-party script the same origin as the host page, so WebSandbox and AdSafe confine it by rewriting and restricting the script
  ▪ Complex solutions
  ▪ Performance problems
 More natural solution: give the third-party content a different origin

 Current sharing mechanisms are either unsafe or complex
 document.domain
  ▪ Used by several websites for cross-domain sharing
  ▪ Unsafe; attacks studied in class
  ▪ Some websites confirmed to be using document.domain: cnn.com, sina.com.cn, yandex.ru

 document.domain: wrote a script to find sites which explicitly set document.domain in their page source
 postMessage channel
  ▪ Can meet arbitrary security requirements, since the receiver decides whom to trust
  ▪ May be complex to program
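The two mechanisms the slides contrast, as an added example that is not part of the original presentation: a small model of the document.domain relaxation rule (which shows why it is unsafe, since any host under the chosen suffix may join, including one with an XSS or hosting user content) next to a postMessage receiver that checks event.origin. The host names and the MessageEvent-like objects are constructed for illustration; the model follows the same-origin-domain rule of the HTML specification but skips the public-suffix check.

```javascript
// Added example (not from the slides): document.domain relaxation versus a
// postMessage receiver with an explicit origin check. Hosts are made up.

// A document's origin as the browser tracks it, plus the value a script
// assigned to document.domain (null if never set).
function makeDoc(scheme, host, port, domain = null) {
  return { scheme, host, port, domain };
}

// document.domain may only be set to the current host or a parent domain of it.
// (The real check also rejects public suffixes such as "co.uk"; omitted here.)
function setDocumentDomain(doc, value) {
  const ok = doc.host === value || doc.host.endsWith('.' + value);
  if (!ok) throw new Error('SecurityError: ' + value + ' is not a suffix of ' + doc.host);
  return { ...doc, domain: value };
}

// "Same origin-domain": if neither side set document.domain, compare the full
// tuple; otherwise BOTH must have set it to the same value with the same scheme
// (the port is ignored once a domain has been set).
function canAccess(a, b) {
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return a.domain !== null && b.domain !== null &&
         a.scheme === b.scheme && a.domain === b.domain;
}

// The weakness: www.example.com relaxes to "example.com" so its widget frame can
// cooperate, but untrusted.example.com can relax to the same value and gets the
// same DOM access. There is no way to admit one sibling and exclude another.
function documentDomainDemo() {
  let main = setDocumentDomain(makeDoc('https', 'www.example.com', 443), 'example.com');
  let widget = setDocumentDomain(makeDoc('https', 'widget.example.com', 443), 'example.com');
  let rogue = setDocumentDomain(makeDoc('https', 'untrusted.example.com', 443), 'example.com');
  let foreignRejected = false;
  try { setDocumentDomain(makeDoc('https', 'evil.com', 443), 'example.com'); }
  catch (e) { foreignRejected = true; }
  return {
    intended: canAccess(main, widget),      // true: what the site wanted
    unintended: canAccess(main, rogue),     // true as well: the attack
    unrelaxed: canAccess(main, makeDoc('https', 'www.example.com', 443)), // false: quirk
    foreignRejected,                        // true: a different site cannot join
  };
}

// postMessage: the receiver names the origins it trusts and validates the
// payload before acting on it. The sender should likewise pass a concrete
// target origin to postMessage(), never '*'.
function makeMessageHandler(trustedOrigins, onCommand) {
  const trusted = new Set(trustedOrigins);
  return function onMessage(event) {
    if (!trusted.has(event.origin)) return 'dropped: untrusted origin ' + event.origin;
    let msg;
    try { msg = JSON.parse(event.data); } catch (e) { return 'dropped: not JSON'; }
    if (typeof msg.cmd !== 'string') return 'dropped: bad shape';
    return onCommand(msg, event.origin);   // only now act on the content
  };
}

function postMessageDemo() {
  const handler = makeMessageHandler(['https://widget.example.com'], (m) => 'ok: ' + m.cmd);
  // Constructed MessageEvent-like objects; a browser fills in origin itself.
  return [
    handler({ origin: 'https://widget.example.com', data: JSON.stringify({ cmd: 'resize' }) }),
    handler({ origin: 'https://untrusted.example.com', data: JSON.stringify({ cmd: 'resize' }) }),
    handler({ origin: 'https://widget.example.com', data: '<script>' }),
    handler({ origin: 'https://widget.example.com', data: JSON.stringify({ x: 1 }) }),
  ];
}

module.exports = { makeDoc, setDocumentDomain, canAccess, documentDomainDemo, makeMessageHandler, postMessageDemo };
```

The `unrelaxed` case is a second trap of document.domain: once the main page has set it, a fresh document from the very same URL that has not set it can no longer reach the main page, so every cooperating frame must run the same relaxation code. That is the "complex to program" side of the trade-off the slide describes for postMessage, where the complexity instead goes into the message protocol.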

 Use case: opening two Gmail accounts in one browser without hassle
 Current solutions are tricky

 Cookies play an important role
 Cross-domain sharing, e.g. google.com and mail.google.com
 Cross-site sharing, e.g. cnn.com and twitter.com

 Compared to the current sharing mechanisms, our originID approach offers
  ▪ Less workload for the site
  ▪ More security
  ▪ Fine-grained origins
  ▪ Consistent principal labeling across resources

 Resources covered: DOM, cookies, AJAX, and others like history, display...

 Secure browser designs
  ▪ Gazelle and OP: criticize SOP but stick to it
 MashupOS
  ▪ Proposes a new origin policy: VOP
  ▪ The sandbox tag provides separation
  ▪ Does not generalize to collaboration
  ▪ Origins may not be changed dynamically

 On the Incoherencies in Web Browser Access Control Policies: current SOP mechanisms thoroughly criticized
 ConScript
  ▪ Controls JavaScript functionality
  ▪ Solves the separation problem to some extent
 Object Views
  ▪ Finer-grained sharing for JavaScript objects
  ▪ Cookies and other resources are still a problem

 Two approaches for representing origins
  1. A four-tuple
  2. A random string, e.g. originID = "20-9fkd9kw9j3030d9g0425d"
   ▪ analogous to session cookies
 Both approaches are lightweight

 Resources to be shared are placed in the same origin

 Resources to be separated are placed in different origins

 If no origins are specified, the default is the prevalent Same Origin Policy
 Current websites do not break

 Approach 1 is at least as secure as the SOP
 Approach 2 admits a new attack
  ▪ Sniff the originID on the wire
  ▪ Send malicious content carrying the same originID, which the browser then places in the victim's origin
  ▪ The same attack already exists against session cookies; as with cookies, it needs a plaintext (non-TLS) connection, and the originID must be generated by a CSPRNG with enough entropy to be unguessable

 Attacks using legacy origins
 Solution: disallow interaction between pages that carry an originID and pages using the legacy SOP

 Allow specification of the origin in
  ▪ HTML
  ▪ HTTP headers: originID:
 document.domain disabled

 WebKit implementation touches these components:
  ▪ Document
  ▪ HTML Parser
  ▪ Frame / Frame Loader
  ▪ Security Origin (DOM/Ajax)
  ▪ Cookie Origins
  ▪ HTTP Request/Response handler

 Modified the origin policy itself to work using originIDs (approach 1)
 Cookies
  ▪ Their origin is specified with a URL (domain + path)
  ▪ Work ongoing

 Used test pages to allow collaboration of DOMs from different origins
 Real pages: cnn.com
  ▪ Uses document.domain to allow cooperation between different frames
  ▪ With document.domain disabled, parts of the page go missing
  ▪ Used a proxy to add originID headers on the fly: the page loads fine again

 Thoughts about implementation in another browser, like Chromium
 Completing the implementation
 Evaluating each of the applications of the work