Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5Websites Sooel Son and Vitaly Shmatikov The University of Texas at Austin 20.

Published byMaria Ball Modified over 8 years ago

Similar presentations

Presentation on theme: "The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5Websites Sooel Son and Vitaly Shmatikov The University of Texas at Austin 20."— Presentation transcript:

1 The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5Websites Sooel Son and Vitaly Shmatikov The University of Texas at Austin 20 th NDSS Symposium (February 2013)

2 Introduction O Web browsers isolate content by on its origin. O same origin policy O Popular sites often include third-party content. O advertisements O buttons for social recommendations O … O They need to communicate with each other. 2013/3/25 A Seminar at Advanced Defense Lab2

3 HTML5 O HTML5 includes the postMessage facility that enables a script to send a message to a window regardless of their respective origins. [link]link 2013/3/25 A Seminar at Advanced Defense Lab3

4 postMessage O Sender (may be invoked by third-party script) O window.postMessage( message, targetOrigin [, transfer ] ) O Browser use targetOrigin to verify window 2013/3/25 A Seminar at Advanced Defense Lab4

5 Message Event O The event listener may be registered by third-party script O Some message event object members O data O origin O The sender’s origin O source O It represents the WindowProxy of the browsing context of the Window object from which the message came 2013/3/25 A Seminar at Advanced Defense Lab5

6 Two Problems about postMessage O Senders need to specify targetOrigin O Barth et al. USENIX Security 2008 O Recievers need to verify event.origin O This paper 2013/3/25 A Seminar at Advanced Defense Lab6

Download ppt "The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5Websites Sooel Son and Vitaly Shmatikov The University of Texas at Austin 20."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)

Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.

Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.
Suman Jana and Vitaly Shmatikov The University of Texas at Austin Memento: Learning Secrets from Process Footprints 33 rd Security & Privacy (May, 2012)

Suman Jana and Vitaly Shmatikov The University of Texas at Austin Memento: Learning Secrets from Process Footprints 33 rd Security & Privacy (May, 2012)
The Museum Project The Museum Project Yoav Gvili & Asaf Stein Supervisor : Alexander Arlievsky.

The Museum Project The Museum Project Yoav Gvili & Asaf Stein Supervisor : Alexander Arlievsky.
Architecture External Web Services Supported Services Repository LMS Services Domain Model Process Container Process Instance Course Sequencing Presentation.

Architecture External Web Services Supported Services Repository LMS Services Domain Model Process Container Process Instance Course Sequencing Presentation.
1 The Emperor’s New APIs On the (In)Secure Usage of New Client-side Primitives Devdatta AkhaweSteve HannaEui Chul Richard Shin Dawn Song Arman BoehmPrateek.

1 The Emperor’s New APIs On the (In)Secure Usage of New Client-side Primitives Devdatta AkhaweSteve HannaEui Chul Richard Shin Dawn Song Arman BoehmPrateek.
Security of Mobile Applications Vitaly Shmatikov CS 6431.

Security of Mobile Applications Vitaly Shmatikov CS 6431.
CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.

CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.
Introduction 2: Internet, Intranet, and Extranet J394 – Perancangan Situs Web Program Sudi Manajemen Universitas Bina Nusantara.

Introduction 2: Internet, Intranet, and Extranet J394 – Perancangan Situs Web Program Sudi Manajemen Universitas Bina Nusantara.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 15: Internet Explorer and Remote Connectivity Tools.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 15: Internet Explorer and Remote Connectivity Tools.
Internet Basics.

Internet Basics.
File Upload Instructions and Information The File Upload utility is used for transferring files too large to send through the email system. How it Works:

File Upload Instructions and Information The File Upload utility is used for transferring files too large to send through the system. How it Works:
What is Wordpress?  WordPress has a web template processor. Users can re-arrange widgets without editing PHP of HTML code; they can also install and.

What is Wordpress?  WordPress has a web template processor. Users can re-arrange widgets without editing PHP of HTML code; they can also install and.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Similar presentations

Ads by Google