Same-Origin Policy: Evaluation in Modern Browsers
TRANSCRIPT
Jörg Schwenk, Marcus Niemietz, Christian Mainka
Ruhr-University Bochum
Contents
1. Introduction & Foundations
2. Methodology & Evaluation
3. Limitations & Access Control Policies
4. Conclusions & Future Work

1. Introduction & Foundations
[Figure: DOM tree of a host document (e.g., the main HTML document, doctype HTML5). window > document (<html>) > head (<head>) containing <script src="URL1">, and body (<body>) containing <img src="URL3" name="bear"> and <link src="URL4">. The script reads img.src = URL3.]
Same-Origin Policy
[Figure: a document loaded from https://bank.com.]
[Figure: https://bank.com embeds a document from https://bank.com; the embedded form shows IBAN: DE234575684013, Amount: $50.]
[Figure: JavaScript running in the https://bank.com host document changes the embedded https://bank.com form to IBAN: DE234575684013, Amount: $10.]
[Figure: https://attackers.org embeds a document from https://bank.com; JavaScript running in attackers.org tries to set the form to IBAN: DE133700000000, Amount: $10,000. Question mark: does the SOP allow this?]
[Figure: https://attackers.org embeds https://bank.com; the JavaScript in attackers.org cannot change the form, which still shows IBAN: DE234575684013, Amount: $50.]
[Figure: DOM trees of a host document (e.g., the main HTML document, doctype HTML5) and an embedded document (e.g., an iFrame, doctype XHTML). Host: window > document (<html>) > head (<head>) containing <script src="URL1">, and body (<body>) containing <img src="URL3" name="bear"> and <iframe src="URL2" id="ID1">. Embedded: window.frames[0] > document (<html>) > head (<head>) and body (<body>) containing <link src="URL4">. The script reaches img.src = URL3 and the frame via id=ID1; the boundary between the two documents is labelled DOM-SOP.]
Different Subsets Of SOP Rules
• DOM access (SOP-DOM)
• Local storage and session storage
• XMLHttpRequest
• Pseudoprotocols
• Plugins (e.g., Flash, Silverlight, PDF)
• Window/tab
• HTTP cookies
Focus
• Subset of SOP rules according to these criteria
  – Browser interactions
    • Interaction of web objects once they have been loaded
  – Web origins (RFC 6454 as a foundation)
    • "An image is passive content and, therefore, carries no authority, meaning the image has no access to the objects and resources available to its origin"
Scalable Vector Graphics
  <?xml version="1.0" encoding="UTF-8" standalone="no"?>
  <svg xmlns="http://www.w3.org/2000/svg" width="300" height="300">
    <script>alert(1)</script>
    <circle cx="120" cy="120" r="110" fill="#fff" stroke="#000" stroke-width="8"/>
  </svg>

  <img src="test.svg">
  <embed src="test.svg">
Research Questions
• How is SOP for DOM access (SOP-DOM) implemented in modern browsers?
• Which parts of the HTML markup influence SOP-DOM?
• How does the detected behavior match known access control policies?
2. Methodology & Evaluation

SOP-DOM Setup: Test Cases
[Figure: a host document (HD) at web origin HD contains an embedding element (EE) that loads an embedded document (ED) at web origin ED; the ED's origin depends on {ee, sandbox, cors}. Subject: JavaScript in the HD; web object: the ED. Questions per test case: SOP read? write? in each direction, and does the ED allow script execution?]
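One such test case expressed in code, as an added example that is not part of the slides or of the your-sop.com testbed: JavaScript in the host document (HD) probes whether it can read and write the embedded document (ED) behind an embedding element (EE), and records how the browser refused when it could not. The helper names (getEmbeddedDocument, probeEmbeddedDocument, classifyProbe, runTestCase) and the data-sop-probe attribute are assumptions of this example.

```javascript
// Added example, not from the slides or the your-sop.com testbed: one SOP-DOM test
// case in the paper's vocabulary, where JavaScript in the host document (HD) asks
// whether it can read and write the embedded document (ED) behind an embedding
// element (EE). Helper names are our assumptions, not the paper's.

function getEmbeddedDocument(ee) {
  // <iframe>/<object>: reading contentWindow.document throws a SecurityError
  // cross-origin instead of returning null ("blocked" vs. "no handle exists").
  if (ee.contentWindow) return ee.contentWindow.document;
  // <embed>/<object> hosting SVG expose getSVGDocument() (null cross-origin).
  if (typeof ee.getSVGDocument === "function") return ee.getSVGDocument();
  return null; // passive content such as <img>: no ED is exposed at all
}

function probeEmbeddedDocument(ee) {
  const result = { read: false, write: false, error: null };
  let ed;
  try {
    ed = getEmbeddedDocument(ee);
  } catch (err) {
    result.error = err.name; // "SecurityError" in current browsers
    return result;
  }
  if (!ed) { result.error = "no-document"; return result; }
  try {
    result.read = typeof ed.documentElement.tagName === "string"; // read check
    ed.documentElement.setAttribute("data-sop-probe", "1");       // write check
    result.write = ed.documentElement.getAttribute("data-sop-probe") === "1";
  } catch (err) { result.error = err.name; }
  return result;
}

function classifyProbe(r) {
  if (r.read && r.write) return "same-origin: read+write";
  if (r.error === "no-document") return "no ED exposed (passive content or null handle)";
  if (r.error) return "cross-origin: blocked (" + r.error + ")";
  return "partial: read=" + r.read + " write=" + r.write;
}

// Browser-only driver: build the EE (attrs such as sandbox/crossorigin), load src, classify.
function runTestCase(tagName, src, attrs = {}) {
  return new Promise((resolve) => {
    const ee = document.createElement(tagName);
    for (const [k, v] of Object.entries(attrs)) ee.setAttribute(k, v);
    ee.addEventListener("load", () => resolve(classifyProbe(probeEmbeddedDocument(ee))));
    ee.src = src;
    document.body.appendChild(ee);
  });
}
```

In a browser, `runTestCase("iframe", "https://example.test/ed.html", { sandbox: "allow-scripts" })` resolves to one of the classification strings, which is the cell a testbed would record for that EE/attribute combination.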
Your-SOP.com Testbed
Different Browser Behaviors
§ >12%: Safari 9
  § Missing type: image/svg+xml
  § Fixed in Safari 10.1
§ >35%: <canvas> and PNG/SVG (CORS)
§ >51%: <link> (CORS)
§ One IE/Edge vulnerability without using CORS
Cross-Origin Login Oracle Attack
• Web server delivers different CSS files
  – User logged in or logged out?
• a.com attacks victim.com
  – <link type="text/css" rel="stylesheet" href="//victim.com/style.css" />
  – <script>alert(document.styleSheets[0].cssRules[0].cssText)</script>
3. Limitations & Access Control Policies

Limitations
• 15 HTML elements with src attributes
  – Several more with a similar functionality
• Many sandbox attributes, ways to embed a document, MIME types, and pseudoprotocols
• <link>: imports, worker
• <svg>: JavaScript via xlink
• Growing surface with each new feature

Access Control Policies
• Discretionary Access Control (DAC)
• Role-Based Access Control (RBAC)
  – Enhanced RBAC
• Attribute-Based Access Control (ABAC)
4. Conclusions & Future Work

Conclusions & Future Work
• Different browser data sets to identify inconsistencies (edge cases are important)
• Discussion about access control policies may help to understand the SOP-DOM
• Future Work
  – Other SOP subsets, HTML elements/attributes
  – Pseudoprotocols