
Slide 2

ABOUT ME
Bharath Kumar
Security Engineer @ Appsecco
Offensive Security Certified Professional (OSCP)

Slide 3

THE PLAN
Understand Same Origin Policy (SOP)
Limitations of Same Origin Policy (SOP)
Mechanisms to work around Same Origin Policy (SOP)

Slide 4

SAME ORIGIN POLICY
The same-origin policy is a critical (browser) security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

Slide 5

SUBSETS OF SAME ORIGIN POLICY RULES
Document Object Model (DOM)
XMLHttpRequest (XHR)
Web Storage API
HTTP cookies
Pseudo protocols
Flash/PDF/Silverlight
...

Slide 6

SOP - SCENARIO 1
Accessing resources inside the browser

Slide 7

SOP - SCENARIO 2
Accessing resources over the network

Slide 8

WEB ORIGIN
RFC 6454: The Web Origin Concept

Slide 9

WEB ORIGIN - POP QUIZ
Compare the origin with http://store.company.com/dir/page.html

Slide 10

WEB ORIGIN - POP QUIZ
Compare the origin with http://store.company.com/dir/page.html
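The pop quiz asks which URLs share an origin with http://store.company.com/dir/page.html. The following is an added example, not from the slides, that derives the RFC 6454 origin triple (scheme, host, port) with Node's global WHATWG URL class and compares a constructed set of candidate URLs (the slide itself does not list them) against the quiz URL.

```javascript
// Added example (not from the slides): derive a URL's web origin as RFC 6454
// defines it, the (scheme, host, port) triple, and compare candidate URLs with
// the pop-quiz URL. Uses Node's global WHATWG URL class; no network access.

const BASE = "http://store.company.com/dir/page.html";

// A URL that omits the port gets its scheme's default, so
// http://host:80/ and http://host/ share an origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                         // e.g. "http:"
    host: u.hostname.toLowerCase(),             // hostnames are case-insensitive
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Serialized form of the triple (the default port is kept visible here
// so the comparison is easy to read).
function serializeOrigin(o) {
  return `${o.scheme}//${o.host}:${o.port}`;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Explain which component of the triple breaks the match; path, query and
// fragment never take part in the comparison.
function compareWithBase(candidate) {
  const oa = originOf(BASE);
  const ob = originOf(candidate);
  const reasons = [];
  if (oa.scheme !== ob.scheme) reasons.push("different scheme");
  if (oa.host !== ob.host) reasons.push("different host");
  if (oa.port !== ob.port) reasons.push("different port");
  return { candidate, same: reasons.length === 0, reasons };
}

// Constructed quiz candidates; the slide does not list them.
const QUIZ = [
  "http://store.company.com/dir2/other.html",
  "http://store.company.com/dir/inner/another.html",
  "https://store.company.com/secure.html",
  "http://store.company.com:81/dir/etc.html",
  "http://news.company.com/dir/other.html",
  "http://STORE.company.com:80/dir/page.html",
];

for (const c of QUIZ) {
  const cmp = compareWithBase(c);
  console.log(`${cmp.same ? "SAME" : "DIFF"} ${c} ${cmp.reasons.join(", ")}`);
}
```

Only the first, second and last candidates are same-origin: a different path, a different directory depth, uppercase in the host, or an explicit default port change nothing, while a different scheme, port, or subdomain each produce a different origin.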

Slide 11

DOCUMENT OBJECT MODEL (DOM)
DOM connects web pages to scripts or programming languages
DOM is a programming interface for HTML and XML documents
DOM represents the page so that programs can change the document structure, style, and content
https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model

Slide 12

DOM
[Figure: Document Object Model tree of a document. Recoverable labels: Root element: <html>; Text: "My title"; Element: <h1> with Text: "A heading"; Element: <a> with Attribute: href and Text: "Link text"]

Slide 13

DEMO - DOM

Slide 14

SOP - DOM

Slide 15

SOP - DOM

Slide 16

DEMO - SOP DOM

Slide 17

SOP - FRAMES/IFRAME

Slide 18

SOP - FRAMES/IFRAME
Each frame/iframe is isolated and gets a separate JavaScript execution context
Frames/iframes can manipulate the parent location using window.parent.location even if the parent has a different origin

Slide 19

DEMO - SOP FRAMES/IFRAMES

Slide 20

XMLHTTPREQUEST
XMLHttpRequest (XHR) objects allow JavaScript to interact with servers
Using XHR you can retrieve data from a URL without having to do a full page refresh
XHR can be used to retrieve any type of data, not just XML, and it supports protocols other than HTTP
XHR requests can be made with cookies and custom HTTP headers
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest

Slide 21

SOP - XMLHTTPREQUEST

Slide 22

DEMO - SOP - XMLHTTPREQUEST

Slide 23

WEB STORAGE API
Local storage
  Shared between windows with the same origin
  Origin-specific storage that survives browser shutdowns
Session storage
  Accessible only to the current window
  Cleared when the window is closed
https://developer.mozilla.org/en-US/docs/Web/API/Storage

Slide 24

SOP - WEB STORAGE

Slide 25

DEMO - SOP - WEB STORAGE

Slide 26

SOP - COOKIES
Cookie security rules vary slightly from SOP rules
The Domain and Path directives define the scope of the cookie: which URLs the cookie should be sent to
Cookies are identified by (name, domain, path)
Set-Cookie: =; Domain=
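Cookie scope follows the RFC 6265 domain-match and path-match rules rather than the origin triple: the scheme is ignored (unless Secure is set) and a Domain attribute covers subdomains. The following is an added example, not from the slides, that parses a Set-Cookie header into its (name, domain, path) identity and decides whether a browser would attach the cookie to a given request URL. The cookie values and hostnames are constructed for the example.

```javascript
// Added example (not from the slides): parse a Set-Cookie header and decide
// whether the resulting cookie would be sent to a given request URL, using
// the RFC 6265 domain-match and path-match rules.

// RFC 6265 section 5.1.4: the default path is the request path up to, but
// not including, its last "/", or "/" when that would be empty.
function defaultPath(pathname) {
  if (!pathname.startsWith("/")) return "/";
  const i = pathname.lastIndexOf("/");
  return i === 0 ? "/" : pathname.slice(0, i);
}

// Parse a single Set-Cookie header received in a response to requestUrl.
function parseSetCookie(header, requestUrl) {
  const reqHost = new URL(requestUrl).hostname.toLowerCase();
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    domain: null,          // null until a Domain attribute is seen
    path: defaultPath(new URL(requestUrl).pathname),
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split("=");
    const key = k.trim().toLowerCase();
    const val = rest.join("=").trim();
    if (key === "domain" && val) cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path" && val.startsWith("/")) cookie.path = val;
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  // No Domain attribute => host-only cookie, bound to the exact request host.
  cookie.hostOnly = cookie.domain === null;
  if (cookie.hostOnly) cookie.domain = reqHost;
  return cookie;
}

// RFC 6265 section 5.1.3: host matches domain if equal or if it ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4: request path matches cookie path if equal, or if the
// cookie path is a prefix that ends in "/" or is followed by "/" in the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

function wouldSend(cookie, requestUrl) {
  const u = new URL(requestUrl);
  const host = u.hostname.toLowerCase();
  const domainOk = cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
  const secureOk = !cookie.secure || u.protocol === "https:";
  return domainOk && pathMatches(u.pathname, cookie.path) && secureOk;
}

// Constructed sample: a session cookie scoped to the whole null.co.in domain
// under /profile, marked Secure.
const session = parseSetCookie(
  "session=abc123; Domain=null.co.in; Path=/profile; Secure; HttpOnly",
  "https://www.null.co.in/profile/1"
);
for (const target of [
  "https://api.null.co.in/profile/352",   // subdomain, path under /profile: sent
  "https://www.null.co.in/profiles",      // "/profiles" is not under "/profile": not sent
  "http://www.null.co.in/profile/1",      // Secure cookie over http: not sent
  "https://evil-null.co.in/profile/1",    // not a subdomain of null.co.in: not sent
]) {
  console.log(`${wouldSend(session, target) ? "SEND" : "SKIP"} ${target}`);
}
```

The example also shows why a cookie with a Domain attribute is visible to every subdomain, which is exactly the "too broad" behaviour the limitations slides describe: two path-separated resources on the same host, or two cooperating subdomains, share the same cookie jar.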

Slide 27

LIMITATIONS OF SOP 1
SOP is too broad to isolate between path-based resources such as home pages or profiles
https://null.co.in/profile/1
https://null.co.in/profile/352

Slide 28

SPECIFICATIONS/FEATURES THAT EXTEND ORIGIN
Content Security Policy (CSP)
...
Suborigins
First Party Isolation

Slide 29

LIMITATIONS OF SOP 2
SOP makes it difficult for legitimately cooperating sites to exchange data
store.wikimedia.org
payment.wikimedia.org

Slide 30

SPECS/FEATURES TO ENABLE CROSS-DOMAIN INTERACTIONS
document.domain (applies to SOP DOM)
postMessage (applies to SOP DOM)
Cross Origin Resource Sharing (applies to SOP XMLHttpRequest)

Slide 31

DOCUMENT.DOMAIN
The domain property of the Document interface gets/sets the domain portion of the origin of the current document
This property can be used by two cooperating websites that share a common top-level domain to agree that, for the purpose of future same-origin checks, they want to be viewed as the same origin
Although this feature looks simple, it is a security tarpit

Slide 32

DEMO - DOCUMENT.DOMAIN FOR CROSS-DOMAIN INTERACTIONS

Slide 33

POSTMESSAGE
The postMessage() API is an HTML5 extension that permits cross-window communication between non-same-origin sites
The window.postMessage() method safely enables cross-origin communication between Window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it
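postMessage is only "safe" when both ends do their part: the sender pins a targetOrigin instead of "*", and the receiver checks event.origin before touching event.data. The following is an added example, not from the slides, of a receiver written as a plain function so it can be exercised with constructed MessageEvent-like objects outside a browser; in a page it would be registered with window.addEventListener("message", handleMessage). The wikimedia hostnames come from the limitations slide; the message type "cart-total" and the amounts are constructed.

```javascript
// Added example (not from the slides): origin-checked postMessage receiver
// and a sender that names an explicit targetOrigin.

const TRUSTED_ORIGINS = new Set([
  "https://store.wikimedia.org",
  "https://payment.wikimedia.org",
]);

// Returns an audit record describing what happened, so a caller can log
// rejected messages instead of silently dropping them.
function handleMessage(event) {
  // 1. Origin check: the browser sets event.origin; the payload cannot forge it.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin", origin: event.origin };
  }
  // 2. Schema check: data is still untrusted input even from a trusted origin.
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.type !== "string") {
    return { accepted: false, reason: "malformed message", origin: event.origin };
  }
  // 3. Dispatch on an explicit message type; anything else is rejected.
  if (data.type === "cart-total" && Number.isFinite(data.amount) && data.amount >= 0) {
    return { accepted: true, action: "update-total", amount: data.amount };
  }
  return { accepted: false, reason: `unknown message type ${data.type}`, origin: event.origin };
}

// Sender side: pin the target origin so the browser discards the message if
// the frame or pop-up has since navigated to some other origin. Takes the
// target window as a parameter so it can be called with a stub outside a browser.
const PAYMENT_ORIGIN = "https://payment.wikimedia.org";
function sendCartTotal(targetWindow, amount) {
  targetWindow.postMessage({ type: "cart-total", amount }, PAYMENT_ORIGIN);
}

// Constructed events standing in for what the browser would deliver.
const SAMPLE_EVENTS = [
  { origin: "https://store.wikimedia.org", data: { type: "cart-total", amount: 42.5 } },
  { origin: "https://untrusted.example", data: { type: "cart-total", amount: 0 } },
  { origin: "https://store.wikimedia.org", data: "cart-total" },
  { origin: "https://payment.wikimedia.org", data: { type: "reload" } },
];
for (const ev of SAMPLE_EVENTS) console.log(JSON.stringify(handleMessage(ev)));
```

The common bug this guards against is a listener that reads event.data first and checks event.origin late or never; because any window that can obtain a reference to yours (an opener, an embedding page) can call postMessage on it, the origin check is the only thing that ties a message to a sender.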

Slide 34

DEMO - POSTMESSAGE

Slide 35

CROSS ORIGIN RESOURCE SHARING (CORS)
CORS is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Slide 36

CORS - SIMPLE REQUEST
A simple CORS request doesn't trigger a pre-flight request
The browser makes a GET/POST/HEAD request and the server responds with Access-Control-Allow-Origin headers
Access-Control-Allow-Origin lets the server determine which origins are allowed to read the responses
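Whether a cross-origin request is "simple" (sent directly) or needs a preflight depends on the method, the request headers and the Content-Type value. The following is an added example, not from the slides, that classifies a request object according to the classic Fetch-standard rules: method GET/HEAD/POST, only the safelisted headers Accept, Accept-Language, Content-Language and Content-Type, and Content-Type restricted to application/x-www-form-urlencoded, multipart/form-data or text/plain. The request objects are constructed.

```javascript
// Added example (not from the slides): classify a cross-origin request as
// "simple" (no preflight) or preflighted, per the classic CORS safelist rules.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// request: { method: string, headers: { [name]: value } }
// Returns every rule the request breaks, so a developer can see exactly
// which header or method turned a simple request into a preflighted one.
function classifyCorsRequest(request) {
  const reasons = [];
  const method = String(request.method || "GET").toUpperCase();
  if (!SAFELISTED_METHODS.has(method)) {
    reasons.push(`method ${method} is not safelisted`);
  }
  for (const [name, value] of Object.entries(request.headers || {})) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) {
      reasons.push(`header ${name} is not safelisted`);
    } else if (lower === "content-type") {
      // Parameters such as "; charset=utf-8" do not change the media type.
      const mediaType = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) {
        reasons.push(`content-type ${mediaType} forces a preflight`);
      }
    }
  }
  return { simple: reasons.length === 0, preflight: reasons.length > 0, reasons };
}

// Constructed requests illustrating the boundary.
const SAMPLE_REQUESTS = [
  { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } },
  { method: "POST", headers: { "Content-Type": "application/json" } },
  { method: "PUT", headers: {} },
  { method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } },
  { method: "POST", headers: { "Content-Type": "text/plain; charset=utf-8" } },
];
for (const r of SAMPLE_REQUESTS) {
  const c = classifyCorsRequest(r);
  console.log(`${c.simple ? "simple   " : "preflight"} ${r.method} ${JSON.stringify(r.headers)} ${c.reasons.join("; ")}`);
}
```

Note what "simple" does and does not mean for a defender: the browser delivers a simple POST to the server before it ever looks at Access-Control-Allow-Origin, so the header only controls whether the calling page may read the response, not whether the request is made. Server-side state changes therefore still need their own protection (anti-CSRF tokens, SameSite cookies), and a custom header such as X-Requested-With is what forces the preflight that lets the server say no up front.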

Slide 37

CORS - SIMPLE REQUEST

Slide 38

REQUESTS WITH CREDENTIALS
The most interesting capability exposed by both XMLHttpRequest or Fetch and CORS is the ability to make "credentialed" requests that are aware of HTTP cookies and HTTP Authentication information

Slide 39

REQUESTS WITH CREDENTIALS
On the browser side, the XMLHttpRequest request made has to set withCredentials to true in order to make the invocation with cookies
On the server side, the server has to send the Access-Control-Allow-Credentials: true header to let the browser know that the server agrees to share the response of a request made with credentials

Slide 40

REQUESTS WITH CREDENTIALS

Slide 41

CREDENTIALED REQUESTS AND WILDCARDS
What can go wrong?
Access-Control-Allow-Origin: "*"
Access-Control-Allow-Credentials: true
Assisted suicide for the application! Almost all browsers don't support this setting!

Slide 42

CORS WITH REFLECTED ORIGIN
Each time the browser makes a cross-domain request (a request to another domain) it adds an Origin header. That header has the value of the domain the request originates from, almost like the Referer header.
https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/
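The three credentials slides and the reflected-origin slide describe the same decision from two sides: what headers the server emits, and whether the browser then lets the page read a credentialed response. The following is an added example, not from the slides or the detectify post, that puts both sides in one framework-neutral script: two server policies that go wrong (reflecting whatever Origin arrives, and "*" with credentials) beside an exact-match allowlist, plus a model of the browser-side check so the outcome of each can be computed offline. The wikimedia hostnames come from the limitations slide; the untrusted hostname is constructed.

```javascript
// Added example (not from the slides): server-side CORS header policies and a
// model of the browser's credentialed-read check, so each policy's effect can
// be evaluated without a web server or a browser.

const ALLOWED_ORIGINS = new Set([
  "https://store.wikimedia.org",
  "https://payment.wikimedia.org",
]);

// Misconfiguration 1 (reflected origin): the Origin header is echoed back as
// if it proved anything. Any origin can now read credentialed responses.
function corsHeadersReflecting(originHeader) {
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Misconfiguration 2 (wildcard + credentials): browsers refuse to expose the
// response to the page, so the legitimate cross-origin client simply breaks.
function corsHeadersWildcardWithCredentials() {
  return {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact-match allowlist (no prefix/suffix/regex matching), credentials
// only for allowlisted origins, and Vary: Origin so a shared cache never serves
// one origin's Access-Control-Allow-Origin to a different origin.
function corsHeadersAllowlist(originHeader) {
  if (!originHeader || !ALLOWED_ORIGINS.has(originHeader)) {
    return { Vary: "Origin" };   // no Access-Control-Allow-Origin => browser denies the read
  }
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Browser-side model: given the response headers and the calling page's
// origin, may a request made with withCredentials = true read the response?
function browserAllowsCredentialedRead(responseHeaders, pageOrigin) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;
  if (acao === "*") return false;      // the wildcard is never honoured with credentials
  return acao === pageOrigin && acac === "true";
}

// Constructed scenarios: each policy evaluated for a trusted and an untrusted page origin.
const SCENARIOS = [];
for (const origin of ["https://store.wikimedia.org", "https://untrusted.example"]) {
  SCENARIOS.push(["reflecting", origin, browserAllowsCredentialedRead(corsHeadersReflecting(origin), origin)]);
  SCENARIOS.push(["wildcard+creds", origin, browserAllowsCredentialedRead(corsHeadersWildcardWithCredentials(), origin)]);
  SCENARIOS.push(["allowlist", origin, browserAllowsCredentialedRead(corsHeadersAllowlist(origin), origin)]);
}
for (const [policy, origin, readable] of SCENARIOS) {
  console.log(`${policy.padEnd(15)} ${origin.padEnd(30)} credentialed read: ${readable}`);
}
```

The output makes the three cases concrete: the reflecting policy grants the read to every origin, the wildcard policy grants it to none (including the site's own partner), and the allowlist grants it exactly to the listed origins. When reviewing a real deployment, look for the reflected case in particular, since from the partner site's point of view it works perfectly and nothing in normal testing reveals that every other origin is also allowed.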

Slide 43

REFERENCES
Browser Security Handbook [Free book]
The Tangled Web: A Guide to Securing Modern Web Applications
Same-origin policy: The core of web security by Kirk Jackson [Video]
Same-Origin Policy: Evaluation in Modern Browsers, USENIX Security 2017
Learn SOP while modeling with Alloy
The Browser Hacker's Handbook
https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties

Slide 44

THANKS
@yamakira_