260 likes | 348 Views
Beware of Finer-Grained Origins. Collin Jackson Adam Barth Stanford University. Security Context Determined By URL. "Origin" = https://login.yahoo.com/config/login. (Port). Scheme. Host. Sub-Origin Privileges. Origin Contamination. Trust Specified By URL. Import
E N D
Beware of Finer-Grained Origins Collin Jackson Adam Barth Stanford University
Security Context Determined By URL "Origin" = https://login.yahoo.com/config/login (Port) Scheme Host
Sub-Origin Privileges Origin Contamination
Trust Specified By URL Import <script src="prototype.js"></script> <link rel="stylesheet" href="base.css"> Export <form action="login.cgi"> var xhr = new XMLHttpRequest(); xhr.open("POST", "ajax.php");
Threat Models • Web Attacker • https://www.attacker.com • Free user visit • Upgrade: Network Attacker • Eavesdrop • Corrupt network traffic • Upgrade: Cert-Mismatch Attacker • User clicks through certificate errors • Attacker still does not have trusted site’s certificate • Cross-Path Attacker • Same “origin” as good site, different path
WSKE • Web Server Key-Enabled Cookies • “Secure” cookies only sent for same TLS key
Locked SOP • Finer-grained origin (scheme, host, port, broken) • “Broken” HTTPS page can’t script valid HTTPS page • Banks often import libraries • <script src="https://www.paypalobjects.com/..."> • User clicks through cert error for paypalobjects.com • Real PayPal imports script from paypalobjects.com • Attacker runs script as “unbroken” PayPal Sites cannot safely use <script src="…">, CSS, SWF, etc
More Anti-Phishing using Certificates Ignore the address bar, use cert instead Extended Validation Passpet Petname What about ?
TLS Forwarding Certificate belongs to bank Domain name belongs to attacker Attacker can hijack session at any time Certificate UI is confused
TLS Forwarding - Consequences Might not be PayPal This is really PayPal, right?
TLS Forwarding Network Attack Origin contamination Polluted cache
Abusing enablePrivilege Relies on certificate, ignores host name Signed HTML can import libraries and be scripted by its origin Is this code really from Yahoo!?
Cookie Paths http://www.stanford.edu/~alice Set-Cookie: skrt=04f4; path=/~alice http://www.stanford.edu/~eve Set-Cookie: skrt=52f9; path=/~eve <iframe src="/~alice"></iframe> alert(frames[0].document.cookie);
DNS Rebinding Attack Read permitted: it’s the “same origin” www.evil.com? 192.168.0.100 171.64.7.115 TTL = 0 [DWF’96, R’01] <iframe src="http://www.evil.com"> DNS-SEC cannot stop this attack Firewall ns.evil.com DNS server www.evil.com web server corporate web server 171.64.7.115 192.168.0.100
IP-based Origins Finer-grained origin (scheme, host, port, IP) www.evil.com=192.168.0.100 imports <script src="prototype.js"></script> www.evil.com=171.64.7.115 serves evil script Read contents of document POST it back to www.evil.com
Embrace Grant privileges to origins Cross-site XHR XDomainRequest Frame Navigation Local Storage postMessage Phishing Filter Password Database
Extend Include fine-grained origin in URL YURL: https://y-cl7h3f7jwyj3fvmw7jpnjfvf2xlcmayi.yurl.net/ HTTPEV: httpev://www.paypal.com/
Destroy Problem: documents that lack the sub-origin privilege Eliminate privilege SafeLock Eliminate document ForceHTTPS ForceCertificate Strict Petname
Summary Sub-origin privileges don’t work Origin contamination Privilege escalation via script injection Beware of finer-grained origins Trust specified by URL Import/Export Three approaches for new features Embrace, extend, destroy