Beware of Finer-Grained Origins


1 Beware of Finer-Grained Origins
Collin Jackson, Adam Barth
Stanford University

2 Security Context Determined By URL
"Origin" = Scheme Host (Port)

3 Sub-Origin Privileges
Contamination

4 Trust Specified By URL
Import
  <script src="prototype.js"></script>
  <link rel="stylesheet" href="base.css">
Export
  <form action="login.cgi">
  var xhr = new XMLHttpRequest(); xhr.open("POST", "ajax.php");

5 Threat Models
Web Attacker
  Free user visit
Upgrade: Network Attacker
  Eavesdrop
  Corrupt network traffic
Upgrade: Cert-Mismatch Attacker
  User clicks through certificate errors
  Attacker still does not have trusted site’s certificate
Cross-Path Attacker
  Same “origin” as good site, different path

6 Browser Features → Defenses
Feature | Sub-Origin Privilege | Attacker | Origin Contamination | Library Import | Data Export
Cookie Paths: Read Cookie
WSKE
Certificate Errors (IE7): Show Lock
EV: Show Organization
Locked Same-Origin Policy
Petname Toolbar: Show Petname
Passpet: Obtain Password
Mixed Content: N/A
enablePrivilege: Install Software
IP-based Origins: Network Requests

7 Mixed Content

8 WSKE
Web Server Key-Enabled Cookies
“Secure” cookies only sent for same TLS key

9 Locked SOP
Finer-grained origin (scheme, host, port, broken)
“Broken” HTTPS page can’t script valid HTTPS page
Banks often import libraries
  <script src="
User clicks through cert error for paypalobjects.com
Real PayPal imports script from paypalobjects.com
Attacker runs script as “unbroken” PayPal
Sites cannot safely use <script src="…">, CSS, SWF, etc.

10 More Anti-Phishing using Certificates
Ignore the address bar, use cert instead
  Extended Validation
  Passpet
  Petname
What about ?

11 TLS Forwarding
Certificate belongs to bank
Domain name belongs to attacker
Attacker can hijack session at any time
Certificate UI is confused

12 TLS Forwarding Example

13 TLS Forwarding - Consequences
Might not be PayPal
This is really PayPal, right?

14 TLS Forwarding Network Attack
Origin contamination
Polluted cache

15 Firefox enablePrivilege API

16 Abusing enablePrivilege
Relies on certificate, ignores host name
Signed HTML can import libraries and be scripted by its origin
Is this code really from Yahoo!?

17 Cookie Paths
http://www.stanford.edu/~alice
Set-Cookie: skrt=04f4; path=/~alice
Set-Cookie: skrt=52f9; path=/~eve
<iframe src="/~alice"></iframe>
alert(frames[0].document.cookie);
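
Added example (not from the original slides): a simplified JavaScript model of the cookie-path case above, showing that Path limits which requests carry a cookie but does not stop a same-origin page from reading it through a frame. The function names and the jar structure are assumptions made for illustration; the cookie values are the ones on the slide.

```javascript
// Simplified model of browser behaviour; all names here are illustrative.

// The security context is (scheme, host, port). The path is not part of it.
function origin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// RFC 6265 section 5.1.4 path-match: decides which cookies accompany a path.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// What document.cookie exposes to a document loaded from docUrl.
function documentCookie(docUrl, jar) {
  const u = new URL(docUrl);
  return jar
    .filter(c => c.host === u.hostname && pathMatch(u.pathname, c.path))
    .map(c => `${c.name}=${c.value}`);
}

// What a script at scriptUrl can read: its own cookies, plus the cookies of
// a framed document when that document is same-origin.
function readableByScript(scriptUrl, framedUrl, jar) {
  const own = documentCookie(scriptUrl, jar);
  // Cross-origin: the same-origin policy blocks frames[0].document.
  if (origin(scriptUrl) !== origin(framedUrl)) return own;
  return [...new Set([...own, ...documentCookie(framedUrl, jar)])];
}

// Constructed cookie jar mirroring the two Set-Cookie headers on the slide.
const jar = [
  { host: "www.stanford.edu", name: "skrt", value: "04f4", path: "/~alice" },
  { host: "www.stanford.edu", name: "skrt", value: "52f9", path: "/~eve" },
];
const eve = "http://www.stanford.edu/~eve/";
const alice = "http://www.stanford.edu/~alice/";

console.log("sent to /~eve/ only:", documentCookie(eve, jar));
console.log("readable from /~eve/ via frame:", readableByScript(eve, alice, jar));
```

In this model, isolating the two cookies requires distinct origins (for example separate hosts), since the path never enters the origin comparison.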

18 DNS Rebinding Attack [DWF’96, R’01]
<iframe src="http://www.evil.com">
DNS-SEC cannot stop this attack
Diagram labels: Firewall; ns.evil.com DNS server, TTL = 0; web server; corporate web server
Read permitted: it’s the “same origin”

19 IP-based Origins
Finer-grained origin (scheme, host, port, IP)
imports <script src="prototype.js"></script>
serves evil script
Read contents of document
POST it back to

20 SOLUTIONS

21 Embrace
Grant privileges to origins
  Cross-site XHR
  XDomainRequest
  Frame Navigation
  Local Storage
  postMessage
  Phishing Filter
  Password Database

22 Extend
Include fine-grained origin in URL
YURL: https://y-cl7h3f7jwyj3fvmw7jpnjfvf2xlcmayi.yurl.net/
HTTPEV: httpev://

23 Destroy
Problem: documents that lack the sub-origin privilege
Eliminate privilege
  SafeLock
Eliminate document
  ForceHTTPS
  ForceCertificate
  Strict Petname

24 Solutions → Defenses
Feature | Sub-Origin Privilege | Attacker | Origin Contamination | Library Import | Data Export
Cookie Paths: Read Cookie
WSKE
Certificate Errors (IE7): Show Lock
EV: Show Organization
Locked Same-Origin Policy
Petname Toolbar: Show Petname
Passpet: Obtain Password
Mixed Content: N/A
enablePrivilege: Install Software
IP-based Origins: Network Requests

25 Solutions ✓ Extend Destroy ✓ Defenses
Feature | Sub-Origin Privilege | Attacker | Origin Contamination | Library Import | Data Export
Cookie Paths: Read Cookie
Extend
WSKE
Certificate Errors (IE7): Show Lock
Destroy
EV: Show Organization
Locked Same-Origin Policy
Petname Toolbar: Show Petname
Passpet: Obtain Password
Mixed Content: N/A
enablePrivilege: Install Software
IP-based Origins: Network Requests

26 Summary
Sub-origin privileges don’t work
  Origin contamination
  Privilege escalation via script injection
Beware of finer-grained origins
  Trust specified by URL
  Import/Export
Three approaches for new features
  Embrace, extend, destroy

