Same-Origin Policy: Evaluation in Modern Browsers
Jörg Schwenk, Marcus Niemietz, Christian Mainka
Ruhr-University Bochum
Contents
1. Introduction & Foundations
2. Methodology & Evaluation
3. Limitations & Access Control Policies
4. Conclusions & Future Work
1. Introduction & Foundations
Same-Origin Policy
[Slide 4 diagram: a single window at https://bank.com. Object tree: window → document (<html>, doctype HTML5, e.g. the main HTML document) → <head> containing <script src="URL1"> and <link src="URL4">, and <body> containing <img src="URL3" name="bear">; the script sets img.src = URL3.]
Same-Origin Policy
[Slide 5 diagram: two documents, both at https://bank.com; the transfer form shows IBAN: DE234575684013, Amount: $50.]
[Slide 6 diagram: JavaScript from https://bank.com acting on the https://bank.com transfer form; the form now shows IBAN: DE234575684013, Amount: $10.]
[Slide 7 diagram: JavaScript from https://attackers.org directed at the https://bank.com transfer form, attempting IBAN: DE133700000000, Amount: $10,000; marked with a question mark.]
[Slide 8 diagram: JavaScript from https://attackers.org directed at the https://bank.com transfer form; the form still shows IBAN: DE234575684013, Amount: $50.]
DOM-SOP
[Slide 9 diagram: the main HTML document (doctype HTML5) at window → document (<html>) with <head> containing <script src="URL1"> and <link src="URL4">, and <body> containing <img src="URL3" name="bear"> and <iframe src="URL2" id="ID1">. The embedded document (e.g. an iFrame, doctype XHTML) has its own <html>, <head> and <body>; the host script reaches it as window.frames[0] and via id=ID1, and sets img.src = URL3.]
Different Subsets Of SOP Rules
• DOM access (SOP-DOM)
• Local storage and session storage
• XMLHttpRequest
• Pseudoprotocols
• Plugins (e.g., Flash, Silverlight, PDF)
• Window/tab
• HTTP cookies
Focus
• Subset of SOP rules according to these criteria
  – Browser Interactions
    • Interaction of web objects once they have been loaded
  – Web Origins (RFC 6454 as a foundation)
    • "An image is passive content and, therefore, carries no authority, meaning the image has no access to the objects and resources available to its origin"
Scalable Vector Graphics
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" width="300" height="300">
  <script>alert(1)</script>
  <circle cx="120" cy="120" r="110" fill="#fff" stroke="#000" stroke-width="8"/>
</svg>

<img src="test.svg">
<embed src="test.svg">
Research Questions
• How is SOP for DOM access (SOP-DOM) implemented in modern browsers?
• Which parts of the HTML markup influence SOP-DOM?
• How does the detected behavior match known access control policies?
2. Methodology & Evaluation
SOP-DOM Setup: Test Cases
[Slide 15 diagram: a Host Document (HD) with Web Origin HD embeds, through an Embedding Element (EE) parameterised by {ee, sandbox, cors}, an Embedded Document (ED) with Web Origin ED. On each side the subject is JavaScript and the object is a web object. The test asks, in both directions, "SOP read? write?" and, for the ED, "allow script execution?".]
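The origin comparison that the test cases of slide 15 revolve around follows RFC 6454, the foundation named on slide 11. The following is an added example, not code from the slide deck or from the authors' Your-SOP.com testbed: it computes RFC 6454 origins, compares them, and derives the specification baseline for one (HD, EE, ED) test case, including the passive-content rule for <img> quoted on slide 11 and the iframe sandbox tokens listed in the {ee, sandbox, cors} parameters. The function names (originOf, serializeOrigin, isSameOrigin, sopDomDecision) and the sample URLs are this example's own; the browser deviations reported on slide 18 are deviations from exactly this baseline.

```javascript
// Added example; not code from the slide deck or the Your-SOP.com testbed.
// Function names and sample URLs are constructed for this example.

// Default ports of the schemes RFC 6454 treats as hierarchical origins.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// RFC 6454 section 4: the origin of a URL is the triple (scheme, host, port).
// URLs without such a naming authority (data:, about:blank, ...) get a
// globally unique "opaque" origin that equals nothing, not even itself.
function originOf(url) {
  const u = new URL(url);               // WHATWG URL lowercases scheme and host
  if (!(u.protocol in DEFAULT_PORTS)) return { opaque: true };
  const port = u.port === '' ? DEFAULT_PORTS[u.protocol] : Number(u.port);
  return { opaque: false, scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// ASCII serialization as sent in the Origin header: "null" for opaque
// origins, the scheme's default port omitted.
function serializeOrigin(o) {
  if (o.opaque) return 'null';
  const isDefault = DEFAULT_PORTS[o.scheme + ':'] === o.port;
  return `${o.scheme}://${o.host}${isDefault ? '' : ':' + o.port}`;
}

function isSameOrigin(a, b) {
  if (a.opaque || b.opaque) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Embedding elements from the deck. <img> is passive content (RFC 6454 quote
// on slide 11): the SVG of slide 12 is rendered as a picture and its <script>
// never runs. <embed>, <object> and <iframe> create a nested document whose
// scripts run with the embedded document's own origin.
const ACTIVE_EMBEDDERS = new Set(['iframe', 'embed', 'object']);

// Specification baseline for one slide-15 test case: HD at hdUrl embeds ED at
// edUrl via element ee; sandbox is the iframe sandbox token list or null.
function sopDomDecision({ hdUrl, edUrl, ee, sandbox = null }) {
  const denied = { scriptsRun: false, hdReadsEd: false, hdWritesEd: false,
                   edReadsHd: false, edWritesHd: false };
  if (!ACTIVE_EMBEDDERS.has(ee)) {
    return { ...denied, reason: `<${ee}> is passive content: no document, no script authority` };
  }
  const hd = originOf(hdUrl);
  let ed = originOf(edUrl);
  let scriptsRun = true;
  if (ee === 'iframe' && sandbox !== null) {
    // A sandboxed iframe gets an opaque origin unless allow-same-origin is
    // present, and runs no script unless allow-scripts is present.
    if (!sandbox.includes('allow-same-origin')) ed = { opaque: true };
    scriptsRun = sandbox.includes('allow-scripts');
  }
  const same = isSameOrigin(hd, ed);
  // Same origin means full DOM access both ways (HD via frames[0].document,
  // ED via parent.document); the ED needs running scripts to act at all.
  // Caveat: allow-scripts plus allow-same-origin on a same-origin ED lets the
  // ED reach parent.document and remove its own sandbox attribute.
  return {
    scriptsRun,
    hdReadsEd: same, hdWritesEd: same,
    edReadsHd: same && scriptsRun, edWritesHd: same && scriptsRun,
    reason: same ? `same origin ${serializeOrigin(hd)}`
                 : `${serializeOrigin(hd)} vs ${serializeOrigin(ed)}`,
  };
}

// Stand-alone run over constructed cases drawn from the deck's bank.com story.
for (const c of [
  { hdUrl: 'https://bank.com/', edUrl: 'https://bank.com/transfer.html', ee: 'iframe' },
  { hdUrl: 'https://attackers.org/', edUrl: 'https://bank.com/transfer.html', ee: 'iframe' },
  { hdUrl: 'https://bank.com/', edUrl: 'https://bank.com/widget.html', ee: 'iframe', sandbox: ['allow-scripts'] },
  { hdUrl: 'https://bank.com/', edUrl: 'https://bank.com/test.svg', ee: 'img' },
]) console.log(c.ee, (c.sandbox || []).join(' '), JSON.stringify(sopDomDecision(c)));
```

The cors parameter of the test-case model is deliberately left out of the decision function: CORS changes what a fetch may return, not which origin a document runs as, and the canvas and <link> findings on slide 18 concern that resource layer rather than the document-to-document DOM access modelled here.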
Your-SOP.com Testbed
[Slides 16 and 17: screenshots of the Your-SOP.com testbed.]
Different Browser Behaviors
• >12%: Safari 9
  – Missing type: image/svg+xml
  – Fixed in Safari 10.1
• >35%: <canvas> and PNG/SVG (CORS)
• >51%: <link> (CORS)
• One IE/Edge vulnerability without using CORS
Cross-Origin Login Oracle Attack
[Slide 19 diagram: overview of the attack.]
• Web server delivers different CSS files
  – User logged in or logged out?
• a.com attacks victim.com
  – <link type="text/css" rel="stylesheet" href="//victim.com/style.css" />
  – <script>alert(document.styleSheets[0].cssRules[0].cssText)</script>
[Slide 21 diagram: the attack step by step.]
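From the defender's side, the oracle on slide 20 needs three things to hold at once: the stylesheet differs by login state, the victim's session cookie accompanies the cross-site <link> load, and the attacking page can observe the difference through the CSSOM. The following is an added example, not code from the deck or the authors' testbed: it audits a stylesheet response for those preconditions and contrasts a weak configuration with a hardened one. The header names are real (Cross-Origin-Resource-Policy, Access-Control-Allow-Origin, Access-Control-Allow-Credentials, the SameSite cookie attribute); the function names (auditStylesheetResponse, cookieSentCrossSite), the verdict labels and the sample responses are constructed for this example, and CORP and SameSite are the mitigations a practitioner would check, not measures taken from the slides.

```javascript
// Added example; not code from the slide deck or the Your-SOP.com testbed.
// Function names, verdict labels and sample responses are constructed here.

const SAMESITE_RE = /(^|;\s*)samesite=([^;]+)/i;

// Does the session cookie accompany a <link> request issued by a cross-site
// page? SameSite=Lax/Strict cookies are withheld from cross-site subresource
// loads. An absent attribute is treated as "sent" (worst case), because not
// every browser defaults it to Lax.
function cookieSentCrossSite(setCookie) {
  const m = SAMESITE_RE.exec(setCookie);
  if (!m) return true;
  return m[2].trim().toLowerCase() === 'none';
}

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Classify one stylesheet response against an attacker page at attackerOrigin.
//   'mitigated'             a server-side control closes the oracle
//   'browser-enforced-only' only the browser's SOP check on cssRules stands
//                           between the attacker and the login state
//   'exposed'               the server itself grants the cross-origin read
function auditStylesheetResponse({ attackerOrigin, stateDependent, sessionCookie, headers }) {
  const h = lowerKeys(headers);
  const findings = [];
  if (!stateDependent) {
    findings.push('CSS does not depend on login state: nothing to leak');
    return { verdict: 'mitigated', findings };
  }
  if (!cookieSentCrossSite(sessionCookie)) {
    findings.push('session cookie is SameSite=Lax/Strict: the cross-site <link> load is unauthenticated');
    return { verdict: 'mitigated', findings };
  }
  const corp = (h['cross-origin-resource-policy'] || '').toLowerCase();
  if (corp === 'same-origin' || corp === 'same-site') {
    // Assumes the attacker is cross-site, so same-site also blocks it.
    findings.push(`Cross-Origin-Resource-Policy: ${corp} makes the browser discard the cross-site load`);
    return { verdict: 'mitigated', findings };
  }
  // With <link crossorigin="use-credentials"> the CSSOM becomes readable when
  // the server echoes the attacker origin and allows credentials. A wildcard
  // never combines with credentials, so it is not a grant here.
  const acao = h['access-control-allow-origin'] || '';
  const acac = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === attackerOrigin && acac) {
    findings.push(`CORS grants ${attackerOrigin} credentialed access: cssRules readable cross-origin`);
    return { verdict: 'exposed', findings };
  }
  findings.push('no server-side control: relies on the browser blocking cross-origin cssRules (slide 18 lists one IE/Edge case where it did not)');
  return { verdict: 'browser-enforced-only', findings };
}

// Constructed responses for victim.com/style.css, audited from a.com.
const WEAK = {
  attackerOrigin: 'https://a.com',
  stateDependent: true,
  sessionCookie: 'sid=abc123; Secure; SameSite=None',
  headers: {
    'Content-Type': 'text/css',
    'Access-Control-Allow-Origin': 'https://a.com',
    'Access-Control-Allow-Credentials': 'true',
  },
};

const HARDENED = {
  attackerOrigin: 'https://a.com',
  stateDependent: true,
  sessionCookie: 'sid=abc123; Secure; HttpOnly; SameSite=Lax',
  headers: {
    'Content-Type': 'text/css',
    'X-Content-Type-Options': 'nosniff',
    'Cross-Origin-Resource-Policy': 'same-origin',
  },
};

for (const [name, resp] of [['weak', WEAK], ['hardened', HARDENED]]) {
  const { verdict, findings } = auditStylesheetResponse(resp);
  console.log(`${name}: ${verdict}`, findings);
}
```

The order of checks mirrors defence in depth: removing the state dependence or the cookie removes the secret; CORP stops the browser from handing the response to a cross-site embedder at all; and only if none of these applies does the outcome rest on the browser's own cssRules check, which is exactly the check the deck found to differ between browsers.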
3. Limitations & Access Control Policies
Limitations
• 15 HTML elements with src attributes
  – Several more with a similar functionality
• Many sandbox attributes, ways to embed a document, MIME types, and pseudoprotocols
• <link>: imports, worker
• <svg>: JavaScript via xlink
• Growing surface with each new feature
Access Control Policies
• Discretionary Access Control (DAC)
• Role-Based Access Control (RBAC)
  – Enhanced RBAC
• Attribute-Based Access Control (ABAC)
4. Conclusions & Future Work
Conclusions & Future Work
• Different browser data sets to identify inconsistencies (edge cases are important)
• Discussion about access control policies may help to understand the SOP-DOM
• Future Work
  – Other SOP subsets, HTML elements/attributes
  – Pseudoprotocols