Intro to Browser security policies/features

Bharath
November 17, 2018

Slides from the talk Intro to Browser security policies/features.

The talk covers:

- Understand Same Origin Policy (SOP)
- Limitations of Same Origin Policy (SOP)
- Mechanisms to work around Same Origin Policy (SOP)
  - postMessage
  - CORS


Transcript

  2. ABOUT ME
    Bharath Kumar
    Security Engineer @ Appsecco
    Offensive Security Certified Professional (OSCP)

  3. THE PLAN
    Understand Same Origin Policy (SOP)
    Limitations of Same Origin Policy (SOP)
    Mechanisms to work around Same Origin Policy (SOP)

  4. SAME ORIGIN POLICY
    The same-origin policy is a critical (browser) security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
    https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

  5. SUBSETS OF SAME ORIGIN POLICY RULES
    Document Object Model (DOM)
    XMLHttpRequest (XHR)
    Web Storage API
    HTTP cookies
    Pseudo protocols
    Flash/PDF/Silverlight ...

  6. SOP - SCENARIO 1
    Accessing resources inside the browser

  7. SOP - SCENARIO 2
    Accessing resources over the network

  8. WEB ORIGIN
    RFC 6454: The Web Origin Concept

  9. WEB ORIGIN - POP QUIZ
    Compare the origin with
    http://store.company.com/dir/page.html

  10. WEB ORIGIN - POP QUIZ
    Compare the origin with
    http://store.company.com/dir/page.html
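Worked answer to the pop quiz, as an added example that is not part of the original deck: it compares origins as the RFC 6454 (scheme, host, port) triple, with default ports filled in. Only the base URL comes from the slide; the candidate URLs are constructed.

```javascript
// Added example, not from the slides: compare URL origins as RFC 6454 defines them,
// the (scheme, host, port) triple, with default ports filled in. The candidate URLs
// below are constructed for the pop quiz; only the base URL comes from the slide.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Origin triple for a URL, or null for schemes without a host-based origin
// (about:blank, data:, javascript:), which the spec treats as opaque.
function originTriple(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol], // the URL parser drops default ports
  };
}

// Name the first component that differs, or null when the origins are equal.
// Opaque origins are never same-origin with anything, not even themselves.
function whyDifferent(a, b) {
  const x = originTriple(a), y = originTriple(b);
  if (x === null || y === null) return "opaque origin";
  for (const part of ["scheme", "host", "port"]) {
    if (x[part] !== y[part]) return part;
  }
  return null;
}

function sameOrigin(a, b) {
  return whyDifferent(a, b) === null;
}

// The pop quiz from the slide: which of these share an origin with the base URL?
const BASE = "http://store.company.com/dir/page.html";
const POP_QUIZ = [
  "http://store.company.com/dir2/other.html",   // same: only the path differs
  "http://store.company.com:80/dir/page.html",  // same: 80 is the default port for http
  "https://store.company.com/page.html",        // different scheme
  "http://store.company.com:81/dir/page.html",  // different port
  "http://news.company.com/dir/page.html",      // different host (sibling subdomain)
  "http://company.com/dir/page.html",           // different host (parent domain)
];

function quizResults(base = BASE, candidates = POP_QUIZ) {
  return candidates.map((url) => ({ url, same: sameOrigin(base, url), differs: whyDifferent(base, url) }));
}

console.table(quizResults());
```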

  11. DOCUMENT OBJECT MODEL (DOM)
    DOM connects web pages to scripts or programming languages
    DOM is a programming interface for HTML and XML documents
    DOM represents the page so that programs can change the document structure, style, and content
    https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model

  12. DOM
    [Figure: Document Object Model tree of a small HTML page. The document has a root element containing nested elements; the text nodes shown are "My title", "A heading" and "Link text", and one element carries an href attribute. Element names were lost in extraction.]

  13. DEMO - DOM

  14. SOP - DOM

  15. SOP - DOM

  16. DEMO - SOP DOM

  17. SOP - FRAMES/IFRAME

  18. SOP - FRAMES/IFRAME
    Each frame/iframe is isolated and gets a separate JavaScript execution context
    Frames/iframes can manipulate the parent location using window.parent.location even if the parent has a different origin

  19. DEMO - SOP FRAMES/IFRAMES

  20. XMLHTTPREQUEST
    XMLHttpRequest (XHR) objects allow JavaScript to interact with servers
    Using XHR you can retrieve data from a URL without having to do a full page refresh
    XHR can be used to retrieve any type of data, not just XML, and it supports protocols other than HTTP
    XHR requests can be made with cookies and custom HTTP headers
    https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest

  21. SOP - XMLHTTPREQUEST

  22. DEMO - SOP - XMLHTTPREQUEST

  23. WEB STORAGE API
    Local storage
      Shared between windows with the same origin
      Origin-specific storage that survives browser shutdowns
    Session storage
      Accessible only to the current window
      Cleared when the window is closed
    https://developer.mozilla.org/en-US/docs/Web/API/Storage

  24. SOP - WEB STORAGE

  25. DEMO - SOP - WEB STORAGE

  26. SOP - COOKIES
    Cookie security rules vary slightly from SOP rules
    The Domain and Path directives define the scope of the cookie: which URLs the cookie should be sent to
    Cookies are identified by (name, domain, path)
    Set-Cookie: =; Domain=
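To make the difference between cookie scope and the same-origin policy concrete, here is an added example (not from the deck) that applies the RFC 6265 domain-match and path-match rules to decide whether a stored cookie is attached to a request. The cookies and hostnames are constructed; the `/profile/...` paths echo the path-isolation limitation discussed on the next slide.

```javascript
// Added example, not from the slides: decide whether a stored cookie is attached to a
// request using the RFC 6265 domain-match and path-match rules, to show where cookie
// scope diverges from the same-origin policy. The cookie values are constructed.

// RFC 6265 5.1.3: a host domain-matches a cookie domain if they are equal, or the host
// ends with "." + domain and the host is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4 && host.endsWith("." + cookieDomain);
}

// RFC 6265 5.1.4: a request path matches a cookie path if they are equal, or the cookie
// path is a prefix that either ends in "/" or is followed by "/" in the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// cookie: { name, domain, path, hostOnly, secure }. A cookie set without a Domain
// attribute is host-only and goes back to exactly the host that set it.
function cookieSentTo(cookie, urlString) {
  const u = new URL(urlString);
  const hostOk = cookie.hostOnly
    ? u.hostname.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatches(u.hostname, cookie.domain);
  const pathOk = pathMatches(u.pathname, cookie.path);
  const schemeOk = !cookie.secure || u.protocol === "https:";
  // What is absent matters: the port never takes part, and without Secure neither does the scheme.
  return hostOk && pathOk && schemeOk;
}

// Constructed: as if https://store.company.com replied with
// "Set-Cookie: session=abc; Domain=company.com; Path=/; Secure"
const SESSION = { name: "session", domain: "company.com", path: "/", hostOnly: false, secure: true };
// Constructed: "Set-Cookie: prefs=1; Path=/profile" with no Domain attribute, so host-only.
const PREFS = { name: "prefs", domain: "store.company.com", path: "/profile", hostOnly: true, secure: false };
```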

  27. LIMITATIONS OF SOP 1
    SOP is too broad to isolate path-based resources such as home pages or profiles from each other
    https://null.co.in/profile/1
    https://null.co.in/profile/352

  28. SPECIFICATIONS/FEATURES THAT EXTEND ORIGIN
    Content Security Policy (CSP)
    ...
    Suborigins
    First Party Isolation

  29. LIMITATIONS OF SOP 2
    SOP makes it difficult for legitimately cooperating sites to exchange data
    store.wikimedia.org
    payment.wikimedia.org

  30. SPECS/FEATURES TO ENABLE CROSS-DOMAIN INTERACTIONS
    document.domain (Applies to SOP DOM)
    postMessage (Applies to SOP DOM)
    Cross Origin Resource Sharing (Applies to SOP XMLHttpRequest)

  31. DOCUMENT.DOMAIN
    The domain property of the Document interface gets/sets the domain portion of the origin of the current document
    This property can be used by two cooperating websites that share a common top-level domain to agree that, for the purpose of future same-origin checks, they want to be viewed as same origin
    Although this feature looks simple, it is a security tarpit

  32. DEMO - DOCUMENT.DOMAIN FOR CROSS-DOMAIN INTERACTIONS

  33. POSTMESSAGE
    The postMessage() API is an HTML5 extension that permits cross-window communication between non-same-origin sites
    The window.postMessage() method safely enables cross-origin communication between Window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it

  34. DEMO - POSTMESSAGE
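Both ends of a postMessage exchange between the two cooperating sites named earlier in the deck, as an added example that is not part of the original slides. Assumed: the page at https://store.wikimedia.org embeds https://payment.wikimedia.org in an iframe, and the message format (type/quantity) is made up for the example.

```javascript
// Added example, not from the slides: receiver and sender of a postMessage exchange.
// Assumed setup: https://store.wikimedia.org embeds https://payment.wikimedia.org in an
// iframe; the "cart:update" message format is invented for the example.
const TRUSTED_ORIGINS = new Set(["https://store.wikimedia.org"]);

// Receiver (payment.wikimedia.org): returns the validated command, or null to ignore.
function acceptMessage(event, trusted = TRUSTED_ORIGINS) {
  // 1. Exact match on event.origin. Prefix or substring checks fail open:
  //    "https://store.wikimedia.org.example" would pass a startsWith test.
  if (!trusted.has(event.origin)) return null;
  // 2. A trusted origin can still send junk (or be compromised), so validate the payload
  //    shape and never feed event.data to innerHTML or eval.
  const d = event.data;
  if (typeof d !== "object" || d === null) return null;
  if (d.type !== "cart:update") return null;
  if (!Number.isInteger(d.quantity) || d.quantity < 0 || d.quantity > 99) return null;
  return { type: d.type, quantity: d.quantity };
}

// Sender (store.wikimedia.org): name the target origin so the browser drops the message
// if the frame has since navigated elsewhere. "*" is only acceptable for data that any
// site may read.
function sendToPaymentFrame(frameWindow, quantity) {
  frameWindow.postMessage({ type: "cart:update", quantity }, "https://payment.wikimedia.org");
}

// Browser wiring for the receiving page (skipped when run outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => {
    const cmd = acceptMessage(ev);
    if (cmd) console.log("applying", cmd);
  });
}
```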

  35. CROSS ORIGIN RESOURCE SHARING (CORS)
    CORS is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin.
    https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

  36. CORS - SIMPLE REQUEST
    A simple CORS request doesn't trigger a pre-flight request
    The browser makes a GET/POST/HEAD request and the server responds with Access-Control-Allow-Origin headers
    Access-Control-Allow-Origin lets the server determine which origins are allowed to read the responses

  37. CORS - SIMPLE REQUEST

  38. REQUESTS WITH CREDENTIALS
    The most interesting capability exposed by both XMLHttpRequest or Fetch and CORS is the ability to make "credentialed" requests that are aware of HTTP cookies and HTTP Authentication information

  39. REQUESTS WITH CREDENTIALS
    On the browser side, the XMLHttpRequest made has to set withCredentials to true in order to make the invocation with cookies
    On the server side, the server has to send the Access-Control-Allow-Credentials: true header to let the browser know that the server agrees to share the response of a request made with credentials

  40. REQUESTS WITH CREDENTIALS

  41. CREDENTIALED REQUESTS AND WILDCARDS
    What can go wrong?
    Assisted suicide for the application! Almost all browsers don't support this setting!
    Access-Control-Allow-Origin: "*"
    Access-Control-Allow-Credentials: true

  42. CORS WITH REFLECTED ORIGIN
    Each time the browser makes a cross-domain request (a request to another domain) it adds an origin header. That header has the value of the domain the request originates from, almost like the referer header.
    https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/
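A server-side CORS decision written three ways, as an added example that is not from the deck: the two misconfigurations slides 41 and 42 warn about (wildcard with credentials, reflected Origin) beside an allow-list that is safe for credentialed requests, plus the browser-side rule from slides 39 to 41 that decides whether the response is readable. It is framework-neutral (each function returns the headers to set), and the origins and function names are assumptions.

```javascript
// Added example, not from the slides: server-side CORS decisions and the browser rule
// that judges them. Framework-neutral: each function returns the headers to set.
// The allowed origins and the third-party origin in the comments are assumptions.
const ALLOWED_ORIGINS = new Set(["https://store.wikimedia.org", "https://payment.wikimedia.org"]);

// Slide 41: wildcard plus credentials. Browsers refuse to expose such a response, so this
// grants nothing to legitimate callers, and the usual "fix" is the next function.
function corsWildcardWithCredentials() {
  return { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" };
}

// Slide 42: reflecting whatever Origin header arrived. Any site the user visits can now
// read responses that carry the user's cookies; this is the misconfiguration the
// Detectify and PortSwigger posts in the references describe.
function corsReflected(requestOrigin) {
  return { "Access-Control-Allow-Origin": requestOrigin, "Access-Control-Allow-Credentials": "true" };
}

// Safe form: exact-match allow-list, Vary: Origin so shared caches keep one copy per
// origin, and no CORS headers at all for anything else (the browser then blocks the
// read; a request with no Origin header is not a cross-origin browser request).
// "null" (sandboxed iframes, data: URLs) must never be on the list.
function corsAllowlisted(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string" || requestOrigin === "null") return {};
  if (!allowed.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Browser rule from slides 39-41: a response to a withCredentials request is exposed to
// the page only if ACAO equals the requesting origin exactly (never "*") and ACAC is "true".
function browserExposesCredentialedResponse(requestOrigin, headers) {
  return headers["Access-Control-Allow-Origin"] === requestOrigin
      && headers["Access-Control-Allow-Credentials"] === "true";
}
```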

  43. REFERENCES
    [Free book]
    [Video]
    Browser Security Handbook
    The Tangled Web: A Guide to Securing Modern Web Applications
    Same-origin policy: The core of web security by Kirk Jackson
    Same-Origin Policy: Evaluation in Modern Browsers, USENIX Security 2017
    Learn SOP while modeling with Alloy
    The Browser Hacker's Handbook
    https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties

  44. THANKS
    @yamakira_