JSFoo Chennai 2012
My presentation at JSFoo Chennai 2012, IIT Madras Research Park
Usage Rights

© All Rights Reserved
Presentation Transcript

  • Krishna Chaitanya T, Security & Privacy Research Lab, Infosys Labs
  • A web application which combines content from multiple origins to create a new service
    • Integrator: the party combining the content
    • Gadget: the integrated content
    • Provides more value add
    • Fun, easy to DIY. It's all JS madness!
  • Approaches
    • Embedding external scripts
    • Loading content via iframes
    Requirements
    • Interaction
    • Communication
    Security
    • Isolation of origins
    • Secure data exchange
  • Browser has to isolate different origins
    • Origin = protocol://host:port
    • http://bing.com, http://localhost:81/, https://icicibank.com
    • Privileges within an origin: full network access, read/write access to the DOM, storage
    • Scripts of one origin cannot access the DOM of another
    • Strangely, scripts themselves are exempted from SOP!!
  • Embedding external scripts
    • Very good interactivity
    • Assumption: the script is from a trusted source
    • No isolation of origin
    • Embedded scripts have the privileges of the importing page, NOT of the source server
    • Ads, widgets, AJAX libraries all have the same rights
  • "SOP: prevents useful things. Allows dangerous things."
    "If there is script from two or more sources, the application is not secure. Period."
    "Fundamentally, XSS is a confusion of interests."
    "A mashup is a self-inflicted XSS attack!"
    Douglas Crockford, JavaScript Architect, Yahoo
  • Restricting JavaScript to a subset
    • Object-capability security model
    • Idea: if an object in JavaScript has no reference to the "XMLHttpRequest" object, an AJAX call cannot be made.
    • Popular JavaScript subsets: Caja (iGoogle), FBJS (Facebook), ADSafe (Yahoo)
    • Learning curve, usability issues
  • Loading content via iframes
    • Separate security context for each origin
    • Less interactive than the JS approach
    • Complies with SOP

        <!-- This is allowed: the framed page is in the same origin -->
        <iframe src="sameDomainPage.html"></iframe>
        <script>
          window.onload = function () {
            alert(frames[0].document.body); // works fine
          };
        </script>

        <!-- This is NOT allowed: the framed page is outside the origin -->
        <iframe src="http://crossDomain.com"></iframe>
        <script>
          window.onload = function () {
            alert(frames[0].document.body); // throws error: cross-origin DOM access is blocked
          };
        </script>

  • Beware! Frames can be navigated to different origins! Frame navigation is NOT the same as SOP!
    • Frame-to-frame relationships
    • Can script in Frame A modify the DOM of Frame B?
    • Can script in Frame A "navigate" Frame B?

        <iframe src="http://crossDomain.com"></iframe>
        <script>
          // This is NOT allowed: reading the cross-origin frame's location
          alert(frames[0].location.href); // throws error - SOP restriction
          // This is allowed: navigating the frame to another origin
          frames[0].location = "http://bing.com"; // works fine - frame navigation
        </script>

  • Navigating a named window (the "awglogin" frame):

        window.open("https://attacker.com/", "awglogin");

    Courtesy: Stanford Web Security Lab
  • Navigating sibling frames from the top-level page:

        top.frames[1].location = "http://www.attacker.com/...";
        top.frames[2].location = "http://www.attacker.com/...";
        ...

    Courtesy: Stanford Web Security Lab
  • Frame navigation policies: Permissive, Window, Descendant, Child
  • FIM = Fragment Identifier Messaging
    • Limited data, no acknowledgements
    • Navigation doesn't reload the page
    • Not a secure channel

        // Sender.html
        function send() {
          // Only the fragment changes, so the receiver is not reloaded
          iframe.src = "http://localhost/receiver.html#data";
        }

        // Receiver.html
        // onhashchange fires on every fragment update; onload would only see the initial fragment
        window.onhashchange = function () {
          var data = window.location.hash;
        };
  • HTML5 postMessage API: the savior!
    • Cross-origin client-side communication
    • Network-like channel between frames
    • Securely abstracts multiple principals
    • Frames can integrate widgets with improved trust!
  • Syntax: otherwindow.postMessage(message, targetOrigin);
    • targetOrigin can be a trusted origin or the wildcard "*"

        // Posting a message to a cross-domain partner
        frames[0].postMessage("Hello Partner!", "http://localhost:81/");

        // Retrieving the message from the sender
        window.onmessage = function (e) {
          if (e.origin === "http://localhost") {
            // sanitize and accept data
          }
        };
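The origin check above is where most postMessage mistakes happen: comparing against a string with a different port or a trailing slash, using a prefix match, or accepting the "null" origin of a sandboxed frame. The following is an added example, not code from the slides; it runs under Node with constructed message events (the allowlist entries, port 81 and the 1024-byte cap are assumptions for the demo) and shows an exact-origin receiver beside a sender that refuses the wildcard.

```javascript
// Origin-checked postMessage receiver and sender (added example, not from the slides).
// Runs under Node: "events" are constructed objects with the same shape as a browser
// MessageEvent ({origin, data}), so the checks can be exercised without a browser.
// Normalise allowlist entries ("http://localhost:81/" -> "http://localhost:81") so the
// comparison against e.origin is an exact origin match, never a prefix/substring test.
function normalizeOrigins(allowlist) {
  return new Set(allowlist.map((entry) => new URL(entry).origin));
}

// e.origin is the string "null" for sandboxed iframes and opaque origins: untrusted.
function isTrustedOrigin(origin, trusted) {
  return typeof origin === "string" && origin !== "null" && trusted.has(origin);
}

// Build an onmessage handler: check the origin first, then validate the shape of
// e.data before handing it to the application. Returns true if the message was accepted.
function makeMessageHandler(allowlist, onAccept) {
  const trusted = normalizeOrigins(allowlist);
  return function onmessage(e) {
    if (!isTrustedOrigin(e.origin, trusted)) return false;
    // e.data is still untrusted input: require a bounded plain string rather than
    // eval'ing it or inserting it into the DOM as HTML.
    if (typeof e.data !== "string" || e.data.length > 1024) return false;
    onAccept(e.data, e.origin);
    return true;
  };
}

// Sender side: always name the partner's origin; refuse "*" so the message cannot be
// delivered to a frame that has meanwhile been navigated to another origin.
function postToPartner(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  targetWindow.postMessage(message, new URL(targetOrigin).origin);
  return true;
}

// Constructed demo: the integrator on http://localhost trusts the gadget on port 81 only.
function demo() {
  const received = [];
  const onmessage = makeMessageHandler(["http://localhost:81/"],
    (data, origin) => received.push(`${origin}: ${data}`));
  const results = {
    partner: onmessage({ origin: "http://localhost:81", data: "Hello Partner!" }),
    wrongPort: onmessage({ origin: "http://localhost", data: "Hello Partner!" }),
    sandboxed: onmessage({ origin: "null", data: "Hello Partner!" }),
    badShape: onmessage({ origin: "http://localhost:81", data: { cmd: "eval" } }),
  };
  return { results, received };
}
```

In a browser the same handler is installed with `window.onmessage = makeMessageHandler([...], handle)`, and `postToPartner(frames[0], msg, origin)` replaces the bare postMessage call.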
  • Sandbox: whitelisting restrictions on iframe content

        <iframe sandbox src="http://attacker.com"></iframe>

    • Disables scripts, forms, popups, top navigation etc.
    • CORS: Access-Control-Allow-Origin
    [Figure: AJAX, postMessage, CORS]
  • Framed sites are susceptible to clickjacking & frame phishing attacks
    • Bust frames, avoid surprises.
    [Figure: Left: Genuine communication. Right: Stealing data with a Recursive Mashup Attack]
  • References
    • "Secure Frame Communication in Browsers", Adam Barth, Collin Jackson, John Mitchell, Stanford Web Security Research Lab
    • W3C HTML5 Specification, http://www.w3.org/TR/html5/
    • Dive into HTML5, http://diveintohtml5.info
  • http://novogeek.com, @novogeek