1. Same-origin Policy For JS: JS on a site can read data only from the same site. Protects a user's confidential data from other sites.


2 Same-origin Policy For JS: JS on a site can read data only from the same site. This protects a user's confidential data from other sites.

3 If there wasn't the same-origin policy, JS served from evil.com could read data from secret.com (✗). Under the SOP, this attack is impossible.

5 Same-origin Policy for Flash: a page at http://b.com/index.html embeds a Flash movie.

6 Same-origin Policy for Flash: http://b.com/index.html embeds http://a.com/mov.swf. Origin: a.com. The origin is the hosting site (where the SWF is served from), not the embedding site.

7 Same-origin Policy for Flash: the Flash from a.com may read a.com (✓) but not b.com (✗). The policy is enforced by Flash Player, not by the browser.

8 Admin of b.com: "We trust the Flash on a.com. Can we allow it to read data from us?" Today the a.com Flash is blocked from b.com (✗). A site can "opt out" of the standard SOP.

9 Crossdomain Policy: b.com publishes a crossdomain policy file (CDX) at http://b.com/crossdomain.xml.

10 Crossdomain Request: Flash Player fetches b.com's CDX and, if it grants a.com access, allows the a.com Flash to read data from b.com (✓).

11 Crossdomain Policies Can Be Unsafe: when a policy is unsafe, crossdomain attacks are possible.

12 Diagram: evil.com, secret.com, and secret.com's CDX at http://secret.com/crossdomain.xml.

13 Stealing Confidential Data Protected by Cookies: confidential information on secret.com is protected by cookies. Flash on evil.com sends GET /profile.php to secret.com, and the browser attaches Cookie: SID=qqem7fe6123e (✗). Cookies are attached to crossdomain requests.

14 Crossdomain Policies Must Be Carefully Used: they are exploitable to circumvent the same-origin policy.

15 Questions: What crossdomain policies are deployed? How are Flash apps using crossdomain requests?

16 Outline: Motivation; Crossdomain Policy; Policies on Popular Sites; Xdomain Requests In the Wild; Mitigation; Conclusions.

17 Crossdomain Policies: specify trusted websites and what they can do with the host.

18 Policies: Example: http://a.com/crossdomain.xml.

20 Policies: Example: http://a.com/crossdomain.xml with a CDX that allows "*" (every domain). Complete loss of protection by the SOP (✗).

21 Outline: Motivation; Crossdomain Policy; Policies on Popular Sites; Xdomain Requests In the Wild; Mitigation; Conclusions.

22 Surveyed Sites: Alexa Top 50,000 sites (Jan 2011). robots.txt was respected. For each Alexa entry "a.com" we queried "http://a.com:80/crossdomain.xml". 48,951 sites were left to survey.

23 Sites with crossdomain.xml: 17% had a crossdomain.xml (8,264 websites).

24 Sites with Unrestricted Policy: 6.0% of the sites had an unrestricted policy (2,993 websites).

25 Sites with Unrestricted Policy

26 Sites with Unrestricted Policy (by Alexa rank):
Rank  Site            Description
9     qq.com          Chinese news
47    youku.com       Chinese video
48    tudou.com       Chinese video
51    xvideos.com     adult video
61    pornhub.com     adult video
65    about.com       search
68    zedo.com        advertising
77    youporn.com     adult video
81    ifeng.com       Chinese news
87    imageshack.us   media hosting
+ 36 more sites…

27 Case Study: Scribd.com: scribd.com and www.scribd.com had an unrestricted crossdomain policy.

28 Case Study: Scribd.com: the logged-in user's profile (www.scribd.com/info) was available to Flash on any other website.

29 Sites Allowing Many Other Domains: 1.6% of the sites allow 10 or more other sites crossdomain access. Example, http://nissan.co.jp/crossdomain.xml:
<allow-access-from domain="www.n-23.com"/>
// + 199 more allow-access-from elements

30 Sites Granted Access To Many Other Sites: some websites are granted crossdomain access to many other websites, which makes them attractive targets for attackers.

31 Sites Granted Access To Many Other Sites: a.com, b.com, c.com and d.com each publish a CDX granting x.com access, so x.com is granted crossdomain access to many other websites.

32 Sites Granted Access To Many Other Sites

34 Policies on Popular Sites: Upshot: sites without crossdomain.xml vs. sites with crossdomain.xml.

35 Policies on Popular Sites: Upshot:
Unrestricted policy: 2,993 (6.0%)
Allowing 10+ other sites: 778 (1.6%)

36 Outline: Motivation; Crossdomain Policy; Policies on Popular Sites; Xdomain Requests In the Wild; Mitigation; Conclusions.

37 Crossdomain Requests In the Wild:
1. Modified a Firefox browser to log crossdomain requests from Flash apps.
2. Ran the browser over the frontpages of the Alexa top 50,000 sites.
3. Analyzed the logged data.

38 Modified Browser: Flash Player: the Flash Player for a.com runs inside the browser.

39 Modified Browser: Flash Player: the Flash Player runs the ActionScript and talks to the browser through NPAPI.

40 Modified Browser: NPAPI Logger: when http://a.com/safe.swf calls loader.load("http://a.com/data.txt"), the Flash Player calls NPN_GetURL("http://a.com/data.txt") on the browser. The modified browser logs these NPAPI calls.

41 Modified Browser: Allowed Xdomain Request: http://b.com/ad.swf calls ...load(http://a.com/data.txt). Flash Player issues NPN_...(http://a.com/crossdomain.xml) and then NPN_...(http://a.com/data.txt) (✓). Logged NPAPI: http://a.com/crossdomain.xml, http://a.com/data.txt.

42 Modified Browser: Allowed Xdomain Request: in the logged NPAPI calls, http://a.com/crossdomain.xml is followed by http://a.com/data.txt. crossdomain.xml followed by "real" resources → the crossdomain request was allowed.

43 Modified Browser: Disallowed Xdomain Request: http://b.com/ad.swf calls ...load(http://a.com/data.txt). Flash Player issues NPN_...(http://a.com/crossdomain.xml) and nothing more (✗). Logged NPAPI: http://a.com/crossdomain.xml // not followed by any request to a.com.

44 Modified Browser: Disallowed Xdomain Request: in the logged NPAPI calls, http://a.com/crossdomain.xml is not followed by any request to a.com. crossdomain.xml NOT followed by "real" resources → 1+ crossdomain requests were disallowed by the crossdomain policy.

45 Surveyed Flash Applications: Alexa Top 50,000 sites (Jan 2011). For each site, the Flash applications on the frontpage were inspected. The run took 74 hours (5.3 sec / site). 17.5% of the sites hosted Flash apps (8,746 sites).

46 Crossdomain Requests: Figures: 102,169 HTTP/HTTPS requests. 21% of them were crossdomain requests, i.e. preceded by a request to crossdomain.xml.

47 Target Sites of Xdomain Requests

48 Disallowed Crossdomain Requests: 10,565 requests to crossdomain.xml; 1,545 of them were not followed by any subsequent request to their target sites. 1,545 is a lower bound on the number of disallowed crossdomain requests. The fraction of disallowed requests is ≥ 1,545 / (1,545 + # of allowed requests) = 1,545 / (1,545 + 21,430), so disallowed requests ≥ 6.7%.
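The allowed/disallowed heuristic of slides 42-44 and the lower-bound arithmetic of slide 48, reconstructed as an added Python example (not the authors' instrumentation or analysis code). The log is a constructed list of URLs that a Flash app served from b.com asked the browser to load, in logged order.

```python
"""Classify logged Flash loads as allowed/disallowed crossdomain requests.
Added example following slides 42-44 and 48; not the talk's own code."""
from urllib.parse import urlparse

# Constructed sample: URLs that a Flash app served from b.com asked the
# browser to load (NPN_GetURL calls), in the order the logger saw them.
SAMPLE_LOG = [
    "http://b.com/ad.swf",           # the app itself: same origin, ignored
    "http://a.com/crossdomain.xml",  # policy fetch ...
    "http://a.com/data.txt",         # ... followed by a real resource: allowed
    "http://c.com/crossdomain.xml",  # policy fetch with no follow-up: disallowed
    "http://d.com/crossdomain.xml",
    "http://d.com/api/profile",      # allowed
    "http://d.com/api/friends",      # a second allowed request to d.com
]

def classify(log, app_origin):
    """Return (allowed, disallowed_lower_bound).
    A fetch of <host>/crossdomain.xml later followed by a "real" request to
    the same host means the policy allowed access; each such real request
    counts as one allowed crossdomain request.  A policy fetch never followed
    by a real request to that host means at least one request was refused,
    so it counts once, giving a lower bound on disallowed requests."""
    allowed = 0
    policy_hosts, followed = set(), set()
    for url in log:
        parsed = urlparse(url)
        host = parsed.hostname
        if host == app_origin:
            continue  # same-origin loads are not crossdomain requests
        if parsed.path == "/crossdomain.xml":
            policy_hosts.add(host)
        elif host in policy_hosts:
            allowed += 1
            followed.add(host)
    return allowed, len(policy_hosts - followed)

def disallowed_fraction_lower_bound(allowed, disallowed):
    """Slide 48: disallowed / (disallowed + allowed); a lower bound because
    the disallowed count is itself a lower bound."""
    total = allowed + disallowed
    return disallowed / total if total else 0.0

if __name__ == "__main__":
    a, d = classify(SAMPLE_LOG, "b.com")
    print(f"allowed={a} disallowed>={d}")
    # The talk's figures: 21,430 allowed and 1,545 disallowed -> >= 6.7%
    print(f"{100 * disallowed_fraction_lower_bound(21430, 1545):.1f}%")
```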

49 Outline: Motivation; Crossdomain Policy; Policies on Popular Sites; Xdomain Requests In the Wild; Mitigation; Conclusions.

50 Mitigation: two findings to address: the prevalence of overly permissive policies, and the frequent use of crossdomain requests.

51 Mitigation:
- Auditing tool for crossdomain.xml: raises a warning when it encounters dangerous policies.
- Stripped cookies by default: allow Flash apps to fetch public content only.
- Stripped cookies as an option: the policy controls whether or not the cookie is attached.
- "Taint mode" for crossdomain data: prevents Flash from hijacking data from another domain.

52 Outline: Motivation; Crossdomain Policy; Policies on Popular Sites; Xdomain Requests In the Wild; Mitigation; Conclusions.

53 Conclusions: We surveyed crossdomain.xml on 50k sites: possibly overly-permissive policies are common. We studied the actual crossdomain requests: crossdomain requests are frequently used. Steps must be taken to mitigate the problems.

54 Future Work: study a larger number of crossdomain.xml files (a larger number of websites); extensive monitoring of Flash Player (instrumentation of Flash Player for extensive logging); find vulnerabilities of websites (sensitive information protected by session cookies).

55 Thank you!

56 Sub-path Crossdomain Policy

57 Admin of a.com: "I'd like to use different policies for sub-paths." a.com serves /crossdomain.xml for / and /sub/crossdomain.xml for /sub.

58 Sub-path Crossdomain Policy: http://a.com/crossdomain.xml contains <site-control permitted-cross-domain-policies="master-only"/> ... : consult the root policy only.

59 Sub-path Crossdomain Policy: http://a.com/crossdomain.xml contains <site-control permitted-cross-domain-policies="by-content-type"/> ... : consult sub-path policy files only when they are served with the Content-Type text/x-cross-domain-policy.

60 Sub-path Crossdomain Policy: http://a.com/crossdomain.xml contains <site-control permitted-cross-domain-policies="all"/> ... : consult http://a.com/sub/crossdomain.xml for http://a.com/sub/.

61 Sub-path Crossdomain Policy: with <site-control permitted-cross-domain-policies="all"/> in http://a.com/crossdomain.xml, a crossdomain.xml placed under the /upload directory is consulted for that path as well.

62 Sub-path Crossdomain Policy: 896 sites have set the sub-policy attribute to "all"; 402 sites have set it to "by-content-type".
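An auditing tool of the kind slide 51 proposes, written as an added example (not the authors' tool): it parses a crossdomain.xml with Python's standard library and flags the patterns surveyed on slides 20, 29 and 58-61: the unrestricted "*" grant, ten or more allow-access-from entries, and the site-control sub-path setting. The sample policy and the severity labels are constructed for this example.

```python
"""Audit a Flash crossdomain.xml for the settings the talk surveys.
Added example; not the talk's own auditing tool."""
import xml.etree.ElementTree as ET

MANY_DOMAINS = 10  # the talk's threshold for "allows many other sites" (slide 29)

# Constructed policy combining the patterns discussed: an unrestricted
# wildcard grant plus the "all" sub-path setting.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="www.partner.example"/>
</cross-domain-policy>"""

# Meaning of each site-control value, per slides 58-61.
SUBPATH_NOTES = {
    "master-only": ("info", "only the root crossdomain.xml is consulted"),
    "by-content-type": ("low", "sub-path policies honoured only when served as "
                               "text/x-cross-domain-policy"),
    "all": ("medium", "any /sub/crossdomain.xml is honoured, including one placed "
                      "under a directory such as /upload"),
}

def audit(policy_xml):
    """Return a list of (severity, message) findings for one policy file."""
    findings = []
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        return [("error", f"not well-formed XML: {exc}")]
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]
    domains = [e.get("domain", "") for e in root.iter("allow-access-from")]
    if "*" in domains:  # slide 20: complete loss of SOP protection
        findings.append(("high", 'domain="*": Flash on any site can read this '
                                 "host with the user's cookies attached"))
    if len(domains) >= MANY_DOMAINS:  # slide 29
        findings.append(("medium", f"{len(domains)} allow-access-from entries"))
    sc = root.find("site-control")
    mode = sc.get("permitted-cross-domain-policies") if sc is not None else None
    if mode in SUBPATH_NOTES:
        findings.append(SUBPATH_NOTES[mode])
    elif mode is not None:
        findings.append(("warn", f"unknown site-control value {mode!r}"))
    return findings

def is_unrestricted(policy_xml):
    """True when the policy grants every domain access (the talk's 6.0% class)."""
    return any(sev == "high" for sev, _ in audit(policy_xml))
```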

63 Policies on Popular Sites: Upshot:
"all" sub-path policy: 896 (1.83%)
"by-content-type" sub-path policy: 402 (0.82%)

64 Same-origin Policy For JS: JS on an origin can only read from the same origin. An origin is the triple (scheme, hostname, port), e.g. http:// a.com :80.

