Embed Size (px)
Citation preview
Origin Policy Enforcement in Modern BrowsersA Case Study in Same Origin Implementations
Frederik Braun
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 1 / 25
Table of Contents
1 about:me
2 MotivationAmbient AuthenticationThe Severity of a Same Origin Policy Bypass
3 The Same Origin PolicyWhat is an Origin?What is the Same Origin Policy?Examples
4 EvaluationSOP Bypass: Firefox (2007)SOP Bypass: Flash (2010)SOP Bypass: Java 7 Update 5-X (2012)
5 Conclusion
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 2 / 25
Table of Contents
1 about:me
2 MotivationAmbient AuthenticationThe Severity of a Same Origin Policy Bypass
3 The Same Origin PolicyWhat is an Origin?What is the Same Origin Policy?Examples
4 EvaluationSOP Bypass: Firefox (2007)SOP Bypass: Flash (2010)SOP Bypass: Java 7 Update 5-X (2012)
5 Conclusion
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 3 / 25
Frederik Braun
Dipl. Ing. in IT-Security at Ruhr-Uni Bochum (2012)I this research!I https://frederik-braun.com/thesis
Security Engineer at Mozilla in Berlin
likes to play CTFs (hi FluxFingers!)
@freddyb on twitter
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 4 / 25
Table of Contents
1 about:me
2 MotivationAmbient AuthenticationThe Severity of a Same Origin Policy Bypass
3 The Same Origin PolicyWhat is an Origin?What is the Same Origin Policy?Examples
4 EvaluationSOP Bypass: Firefox (2007)SOP Bypass: Flash (2010)SOP Bypass: Java 7 Update 5-X (2012)
5 Conclusion
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 5 / 25
Ambient Authentication
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 6 / 25
The Severity of a Same Origin Policy Bypass
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 7 / 25
Table of Contents
1 about:me
2 MotivationAmbient AuthenticationThe Severity of a Same Origin Policy Bypass
3 The Same Origin PolicyWhat is an Origin?What is the Same Origin Policy?Examples
4 EvaluationSOP Bypass: Firefox (2007)SOP Bypass: Flash (2010)SOP Bypass: Java 7 Update 5-X (2012)
5 Conclusion
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 8 / 25
What is an Origin?
scheme hostname port
http://www.example.com:8080/
origin
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 9 / 25
The Same Origin Policy (SOP)
“An ‘origin’ (...) is often used as the scope of authority or privilege by useragents. ” — Barth
“The same-origin policy is the most important mechanism we have to keephostile web applications at bay, but it’s also an imperfect one.” —Zalewski
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 10 / 25
Examples
Compare for http://www.example.com/
URL same-origin?
http://www.example.com/help
3
https://www.example.com/ 7
about:blank 3
http://www.example.com:8000/phpMyAdmin 7/3a
aInternet Explorer doesn’t care about ports.
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 11 / 25
Examples
Compare for http://www.example.com/
URL same-origin?
http://www.example.com/help 3
https://www.example.com/ 7
about:blank 3
http://www.example.com:8000/phpMyAdmin 7/3a
aInternet Explorer doesn’t care about ports.
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 11 / 25
Examples
Compare for http://www.example.com/
URL same-origin?
http://www.example.com/help 3
https://www.example.com/
7
about:blank 3
http://www.example.com:8000/phpMyAdmin 7/3a
aInternet Explorer doesn’t care about ports.
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 11 / 25
Examples
Compare for http://www.example.com/
URL same-origin?
http://www.example.com/help 3
https://www.example.com/ 7
about:blank 3
http://www.example.com:8000/phpMyAdmin 7/3a
aInternet Explorer doesn’t care about ports.
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 11 / 25
Examples
Compare for http://www.example.com/
URL same-origin?
http://www.example.com/help 3
https://www.example.com/ 7
about:blank
3
http://www.example.com:8000/phpMyAdmin 7/3a
aInternet Explorer doesn’t care about ports.
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 11 / 25
Examples
Compare for http://www.example.com/
URL same-origin?
http://www.example.com/help 3
https://www.example.com/ 7
about:blank 3
http://www.example.com:8000/phpMyAdmin 7/3a
aInternet Explorer doesn’t care about ports.
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 11 / 25
Examples
Compare for http://www.example.com/
URL same-origin?
http://www.example.com/help 3
https://www.example.com/ 7
about:blank 3
http://www.example.com:8000/phpMyAdmin
7/3a
aInternet Explorer doesn’t care about ports.
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 11 / 25
Examples
Compare for http://www.example.com/
URL same-origin?
http://www.example.com/help 3
https://www.example.com/ 7
about:blank 3
http://www.example.com:8000/phpMyAdmin 7/3a
aInternet Explorer doesn’t care about ports.
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 11 / 25
JavaScript Object Hierarchy
window
history document
location frames
frame (ebay) frame (amazon)
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 12 / 25
No Way Out? - Exceptions
Cookies
window.locationsetter
window.namepersists
document.domain
Internet ExplorerZones
CORS
JSONP
...
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 13 / 25
SOP Wrap-Up
Summary
read access
vendor specific
JavaScript Engine (Object Capability) vs. DOM (Access Control)
the SOP is highly inhomogenous
no consistent reference implementation
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 14 / 25
Table of Contents
1 about:me
2 MotivationAmbient AuthenticationThe Severity of a Same Origin Policy Bypass
3 The Same Origin PolicyWhat is an Origin?What is the Same Origin Policy?Examples
4 EvaluationSOP Bypass: Firefox (2007)SOP Bypass: Flash (2010)SOP Bypass: Java 7 Update 5-X (2012)
5 Conclusion
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 15 / 25
All SOP Flaws are alike (CVE-2007-0981)
DNS, ASCIIZ
JavaScript, UTF-16
harmless.com
Browser Server B
harmless.com\x00.attacker.com
attacker.com
Server A
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 16 / 25
All SOP Flaws are alike (CVE-2010-2179)
HTTP API
Flash Plugin
harmless.com
Browser Server B
http://[email protected]
attacker.com
Server A
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 17 / 25
All SOP Flaws are alike (CVE TBA)
HTTP API
Java URL Handler
harmless.com
Browser Server B
jar:http://harmless.com/foo.odt
attacker.com
Server A
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 18 / 25
Demo
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 19 / 25
Table of Contents
1 about:me
2 MotivationAmbient AuthenticationThe Severity of a Same Origin Policy Bypass
3 The Same Origin PolicyWhat is an Origin?What is the Same Origin Policy?Examples
4 EvaluationSOP Bypass: Firefox (2007)SOP Bypass: Flash (2010)SOP Bypass: Java 7 Update 5-X (2012)
5 Conclusion
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 20 / 25
Conclusion: Same Origin Policy
an inconsistent policy
vendor specific
theoretically, it’s a black list
plugins
late 2012: Java in nearly 70% of all browsers
but only 0.2% of websites
2013: exploits, Click-To-Play, ..
But: There are safe & well designed security models on the horizon
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 21 / 25
Future Work: Automation?
Picture by Jason Huggins on flickr
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 22 / 25
“This same origin policy is the dumbest thing ever. . . . All this ‘protection’serves to do is aggravate legitimate developers trying to get JavaScript todo the simplest of tasks.” — Somebody on stackoverflow.com
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 23 / 25
Thanks
References
Barth, Adam.The web origin concept.http://tools.ietf.org/html/rfc6454, December 2011.
Q-Success.Usage of client-side programming languages for websites.http://w3techs.com/technologies/overview/client side language/all.Last visited 2012-10-17.
Michal Zalewski.The Tangled Web: A Guide to Securing Modern Web Applications.No Starch Press, November 2011.
For all references please see full thesis onhttps://frederik-braun.com/thesis
Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, 2013 25 / 25
