Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,

Published bySybil Taylor Modified over 8 years ago

Similar presentations

Presentation on theme: "University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,"— Presentation transcript:

1 University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida, Orlando

2 University of Central Florida Prior/After HTML5 Same Origin Policy communication Cross Site Communication postMessage Protocol + Host + Port

3 University of Central Florida New Web Approach postMessage enhance user experience

4 University of Central Florida postMessage: Inter-frame Communication Different Frames

5 University of Central Florida What Worries? Changing Web Landscape: Inclination on Client Side JavaScript Application Logic Greater Functionality Greater Functionality Fast Query Response Fast Query Response Extended Functionality Extended Functionality

6 University of Central Florida Usage Usage: targetWindow.postMessage(, ) Message Target Origin Third Party

7 University of Central Florida Security Perspective postMessage guarantees confidentiality and authenticity Sender specifies recipient’s origin, specifying URL(Target Origin) Recipient origin can also be ‘*’ Developer’s responsibility. To be used Cautiously! 68% websites vulnerable to XSS

8 University of Central Florida Cause of Concern 25% of top 10,000 websites use postMessage: Alexa Over 70% of websites do not perform origin check. Nearly 12% perform semantically incorrect checks

9 University of Central Florida Sample Demonstration (I) Origin Check: Failing which enables XSS attacks. Var newWin=window.open (http://www.xyz.com);http://www.xyz.com newWin.postMessage(“Hi”, http://www.xyz.com); http://www.xyz.com Var newWin=window.open (http://www.xyz.com);http://www.xyz.com newWin.postMessage(“Hi”, http://www.xyz.com); http://www.xyz.com Window.addEventListner(“ message”, GetMsg, false); function GetMsg(event) { if (event.origin == “ http://www.abc.com") return; event.source.postMessage(“ Hi ABC”, event.origin); } Window.addEventListner(“ message”, GetMsg, false); function GetMsg(event) { if (event.origin == “ http://www.abc.com") return; event.source.postMessage(“ Hi ABC”, event.origin); } http://www.abc.com http://www.xyz.com targetOrigin Origin Check Origin Check

10 University of Central Florida Sample Demonstration (II) Semantically Incorrect Checks Var newWin=window.open (http://www.xyz.com);http://www.xyz.com newWin.postMessage(“Hi”, http://www.xyz.com); http://www.xyz.com Var newWin=window.open (http://www.xyz.com);http://www.xyz.com newWin.postMessage(“Hi”, http://www.xyz.com); http://www.xyz.com Window.addEventListner(“ message”, GetMsg, false); function GetMsg(event) { Var w=/abc\.com(:[0-9])?$/; if (!event.origin.match(w)) return; event.source.postMessage(“ Hi ABC”, event.origin); } Window.addEventListner(“ message”, GetMsg, false); function GetMsg(event) { Var w=/abc\.com(:[0-9])?$/; if (!event.origin.match(w)) return; event.source.postMessage(“ Hi ABC”, event.origin); } http://www.abc.com http://www.xyz.com targetOrigin Origin Check Origin Check Evilabc.com

11 University of Central Florida Defense from Attacker Website For third party content providers like Facebook – Based on Pseudo Random Token Frame with 3 rd party content accepts messages only from the origin of the page that loads this frame. Or (More Restrictive) Frame with third party content accepts messages only from the parent frame. – XSS can’t be prevented, if attacker includes 3rd party frame X.com Y.com X.com attacker.com X.com

12 University of Central Florida Defenses Attacker including 3 rd party frame. – Frame with 3 rd party content accepts messages only from content provider’s scripts running in any origin. Example: www.facebook.comwww.facebook.com https://developers.facebook.com/docs/plugins/like-button/ www.attacker.com www.facebook.com Receivers

13 University of Central Florida Defense from Third Party Content For website that use untrusted third party content – Based on Content Security Policy (CSP) extension Restricts origin of messages sent to X.com from attacker.com. Requires browser support, no cooperation From third party content provider. X.com attacker.com

14 University of Central Florida Using postMessage: Simple Example Data Origin Check Sender Origin Check Target Origin

15 University of Central Florida “Light” Threat Model Third Party Frames Attacker Child C sends message to B via A Child C sends message to B via A Honest

16 University of Central Florida “Heavy” Threat Model attacker.com novice.com Attacker directly included third party frame novice.com Provided Script novice.com Provided Script Attacker can put any script or data in local storage Can cause session hijacking if website stores user’s identity Can cause also steal stored cookies

17 University of Central Florida X-Frame-Options Header Allows/ disallows rendering of the document when inside an iframe. It may have three possible values: – SAMEORIGIN: The document will be rendered in an frame only if the frame and it’s parent have the same origin. – DENY: Document may not be rendered inside a frame. – ALLOW-FROM: Document can be frame in specific uri Needs to be added to web server’s config file. 3% of websites posing serious threat, do not use this feature

18 University of Central Florida Defense Techniques Pseudo Random Token Protect against “Light” threat model – Guarantees only the origin that loaded a third-party frame can send messages to this frame. Shared secret pseudo random token between site owner and inner frame – Web-Kit browsers, provide crypto.getRandomNumber API – http://random.org via an XMLHttpRequest http://random.org – Outer script attaches token to src attribute of frame it create Content Security Policy Enforce security policy on 3 rd party scripts. Require structural changes, by removing inline JavaScript CSP is HTTP header starting with X-Content-Security-Policy Only 3 out of Alexa top 10,000 websites use this

19 University of Central Florida Questions ?

Download ppt "University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.

Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.
Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.

Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.
Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology.

Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology.
AppSec USA 2014 Denver, Colorado Warning Ahead: Security Storms are Brewing in Your JavaScript Helen Bravo.

AppSec USA 2014 Denver, Colorado Warning Ahead: Security Storms are Brewing in Your JavaScript Helen Bravo.
1 The Emperor’s New APIs On the (In)Secure Usage of New Client-side Primitives Devdatta AkhaweSteve HannaEui Chul Richard Shin Dawn Song Arman BoehmPrateek.

1 The Emperor’s New APIs On the (In)Secure Usage of New Client-side Primitives Devdatta AkhaweSteve HannaEui Chul Richard Shin Dawn Song Arman BoehmPrateek.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google