Page 1
A BREACH IN THE SAME-ORIGIN POLICY INDUCED BY MIRRORING EXTERNAL CONTENT
Jacob Thompson
October 16, 2016
Page 2
About ISE
● We are:
– Computer Scientists
– Academics
– Ethical Hackers
● Our customers are:
– Fortune 500 enterprises
– Entertainment, software security, healthcare
● Our perspective is:
– White box
Page 3
Cross-Site Scripting
Page 4
Same-Origin Policy
● spy.example.org cannot read cookies for secret.example.com
● spy.example.org JavaScript code cannot interact with DOM for secret.example.com
● Cross-server interaction strictly controlled
● And so on...
Page 5
Example
Page 6
Seen This Before?
● http://www.example.net/fetch?url=http:%2f%2fsecret.example.com%2f
● http://www.example.net/fetch?url=http:%2f%2fspy.example.org%2f
● Both pages now load from the single origin http://www.example.net, so the browser treats them as same-origin
Page 7
Mirror Site
● Serve a copy of HTML and JavaScript content from an origin other than where it originated
Page 8
“Pure” Mirrors
● Search engine page caches
● Translation services
● Internet Archive
Page 9
Proxy Sites
● Bad approximation of Tor?
● Hide.me
● Whoer.net
● CGIProxy software
● PHProxy software
Page 10
The Problem
● Mirroring security-relevant content causes a breakdown in the same-origin policy
● Privacy compromise
– History leak
● Security compromise
– Session leak
– Full same-origin bypass
● Let's see examples of different behavior
Page 11
Normal vs. Mirrored Behavior
Page 12
History Leak – Normal (safe)
Page 13
History Leak – Translator (unsafe)
Page 14
Session Leak – Normal (safe)
Page 15
Session Leak – Proxy (unsafe)
Page 16
Same Origin – Normal (safe)
Page 17
Same Origin – Proxy (unsafe)
Page 18
Mitigations by Mirror Sites
Page 19
Cookie Blocking
● HTTP headers
● JavaScript document.cookie
● Breaking legitimate sites
● Verdict: no good
Page 20
Script/Object Stripping
● Breaks legitimate sites
● Verdict: no good
Page 21
Clearing/Resetting Cookies
● Interesting?
● Verdict: maybe
Page 22
One-to-One Unique Hostnames
● e.g., www.example.com => fBdnswUStgA08LmGKhlIg.proxy.example.net, www.example.org => STDMnt7vcf7ii72NzUA.proxy.example.net
● Verdict: probably
Page 23
Mirroring still seems risky regardless of these strategies...
Page 24
Mitigations by Websites?
Page 25
HttpOnly Flag
● Protects against cookie leakage via JavaScript
● Can't protect against same-origin policy bypass attack
● Verdict: no
Page 26
Authorization Header
● E.g., as in RESTful APIs
● Can't be used in all situations
● Verdict: maybe
Page 27
Hardening Headers
● Strict Transport Security (HSTS)
● Public Key Pinning (HPKP)
● Any workable proxy would have to strip these...
● Verdict: no
Page 28
Blocking Proxy Sites
● Bad for usability?
● Where would blacklist be found?
Page 29
No great solution to protect applications from broken mirror sites
Page 30
End users
● Use real proxies for anonymization (e.g., Tor)?
● Caution with static mirrors
Page 31
Future Work
● Only about one week thinking about this issue
● Worse exploits?
● More examples?
● Better mitigation techniques?
● Blog to follow
Page 32
Questions?