1 / 26

Beware of Finer-Grained Origins

Beware of Finer-Grained Origins. Collin Jackson Adam Barth Stanford University. Security Context Determined By URL. "Origin" = https://login.yahoo.com/config/login. (Port). Scheme. Host. Sub-Origin Privileges. Origin Contamination. Trust Specified By URL. Import

ciel
Download Presentation

Beware of Finer-Grained Origins

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Beware of Finer-Grained Origins Collin Jackson Adam Barth Stanford University

  2. Security Context Determined By URL "Origin" = https://login.yahoo.com/config/login (Port) Scheme Host

  3. Sub-Origin Privileges Origin Contamination

  4. Trust Specified By URL Import <script src="prototype.js"></script> <link rel="stylesheet" href="base.css"> Export <form action="login.cgi"> var xhr = new XMLHttpRequest(); xhr.open("POST", "ajax.php");

  5. Threat Models • Web Attacker • https://www.attacker.com • Free user visit • Upgrade: Network Attacker • Eavesdrop • Corrupt network traffic • Upgrade: Cert-Mismatch Attacker • User clicks through certificate errors • Attacker still does not have trusted site’s certificate • Cross-Path Attacker • Same “origin” as good site, different path

  6. Browser Features

  7. Mixed Content

  8. WSKE • Web Server Key-Enabled Cookies • “Secure” cookies only sent for same TLS key

  9. Locked SOP • Finer-grained origin (scheme, host, port, broken) • “Broken” HTTPS page can’t script valid HTTPS page • Banks often import libraries • <script src="https://www.paypalobjects.com/..."> • User clicks through cert error for paypalobjects.com • Real PayPal imports script from paypalobjects.com • Attacker runs script as “unbroken” PayPal Sites cannot safely use <script src="…">, CSS, SWF, etc

  10. More Anti-Phishing using Certificates Ignore the address bar, use cert instead Extended Validation Passpet Petname What about ?

  11. TLS Forwarding Certificate belongs to bank Domain name belongs to attacker Attacker can hijack session at any time Certificate UI is confused

  12. TLS Forwarding Example

  13. TLS Forwarding - Consequences Might not be PayPal This is really PayPal, right?

  14. TLS Forwarding Network Attack Origin contamination Polluted cache

  15. Firefox enablePrivilege API

  16. Abusing enablePrivilege Relies on certificate, ignores host name Signed HTML can import libraries and be scripted by its origin Is this code really from Yahoo!?

  17. Cookie Paths http://www.stanford.edu/~alice Set-Cookie: skrt=04f4; path=/~alice http://www.stanford.edu/~eve Set-Cookie: skrt=52f9; path=/~eve <iframe src="/~alice"></iframe> alert(frames[0].document.cookie);

  18. DNS Rebinding Attack Read permitted: it’s the “same origin” www.evil.com? 192.168.0.100 171.64.7.115 TTL = 0 [DWF’96, R’01] <iframe src="http://www.evil.com"> DNS-SEC cannot stop this attack Firewall ns.evil.com DNS server www.evil.com web server corporate web server 171.64.7.115 192.168.0.100

  19. IP-based Origins Finer-grained origin (scheme, host, port, IP) www.evil.com=192.168.0.100 imports <script src="prototype.js"></script> www.evil.com=171.64.7.115 serves evil script Read contents of document POST it back to www.evil.com

  20. SOLUTIONS

  21. Embrace Grant privileges to origins Cross-site XHR XDomainRequest Frame Navigation Local Storage postMessage Phishing Filter Password Database

  22. Extend Include fine-grained origin in URL YURL: https://y-cl7h3f7jwyj3fvmw7jpnjfvf2xlcmayi.yurl.net/ HTTPEV: httpev://www.paypal.com/

  23. Destroy Problem: documents that lack the sub-origin privilege Eliminate privilege SafeLock Eliminate document ForceHTTPS ForceCertificate Strict Petname

  24. Solutions

  25. Solutions

  26. Summary Sub-origin privileges don’t work Origin contamination Privilege escalation via script injection Beware of finer-grained origins Trust specified by URL Import/Export Three approaches for new features Embrace, extend, destroy

More Related