JSFoo Chennai 2012

Krishna Chaitanya TSecurity & Privacy Research LabInfosys Labs

 A web application which combines content from multiple origins to create a new service Integrator-party combining the content Gadget-integrated content Provides more value add Fun, easy to DIY. It’s all JS madness!

 Approaches  Embedding external scripts  Loading content via iframes Requirements  Interaction  Communication Security  Isolation of origins  Secure data exchange

 Browser has to isolate different origins Origin = protocol://host:port  http://bing.com, http://localhost:81/, https://icicibank.com Privileges within origin  Full network access  Read/Write access to DOM  Storage Scripts of one origin cannot access DOM of another Strangely, scripts themselves are exempted from SOP!!

 Very good interactivity Assumption – Script is from trusted source No isolation of origin Embedded scripts have privileges of imported page, NOT source server Ads, widgets, AJAX libraries all have same rights 

 “SOP-Prevents useful things. Allows dangerous things” “If there is script from two or more sources, the application is not secure. Period.” “Fundamentally, XSS is a confusion of interests” “A mashup is a self-inflicted XSS attack!” Douglas Crockford - JavaScript Architect, Yahoo

 Restricting JavaScript to a subset Object-capability security model  Idea: If an object in JavaScript has no reference to “XMLHttpRequest” object, an AJAX call cannot be made. Popular JavaScript subsets:  Caja (iGoogle)  FBJS (Facebook)  ADSafe (Yahoo) Learning curve, usability issues

 Separate security context for each origin Less interactive than JS approach Comply with SOP  <iframe src="sameDomainPage.html"> </iframe> //page in same origin alert(frames[0].contentDocument.body); //works fine  <iframe src="http://crossDomain.com"> </iframe> //page outside origin alert(frames[0].contentDocument.body); //throws error

 Beware! Frames can be navigated to different origins! Frame navigation is NOT the same as SOP! Frame-Frame relationships  Can script in Frame A modify DOM of Frame B?  Can Script in Frame A “navigate” Frame B? <iframe src=“http://crossDomain.com"> </iframe>  alert(frames[0].src); //throws error – SOP restriction  alert(frames[0].src=“http://bing.com”); //works fine - frame navigation

awgloginwindow.open("https://attacker.com/", "awglogin"); Courtesy: Stanford Web Security Lab

top.frames[1].location = "http://www.attacker.com/...";top.frames[2].location = "http://www.attacker.com/..."; ... Courtesy: Stanford Web Security Lab

PermissiveWindowDescendantChild

 FIM=Fragment Identifier Messaging Limited data, no acknowledgements. Navigation doesn’t reload page Not a secure channel //Sender.html function send(){ iframe.src=“http://localhost/receiver.html#data”; } //Receiver.html window.onload=function(){ data=window.location.hash; }

 HTML5 postMessage API-the savior! Cross-origin client side communication Network-like channel between frames Securely abstracts multiple principals Frames can integrate widgets with improved trust!

 Syntax:otherwindow.postMessage(message, targetOrigin); targetOrigin can be a trusted source/wildcard *“*”+//Posting message to a cross domain partner.frames[0].postMessage(“Hello Partner!”, "http://localhost:81/");//Retrieving message from the senderwindow.onmessage = function (e) { if (e.origin == http://localhost) { //sanitize and accept data }};

 Sandbox – whitelisting restrictions on iframe content <iframe sandbox src="http://attacker.com"></iframe> Disable scripts, forms, popups, top navigation etc. CORS – Access-Control-Allow-Origin AJAX PostMessage CORS

 Framed sites are susceptible to clickjacking & frame phishing attacks Bust frames, avoid surprises. Left: Genuine communication Right: Stealing data with Recursive Mashup Attack

References “Secure Frame Communication in Browsers”-Adam Barth, Collin Jackson, John Mitchell-Stanford Web Security Research Lab W3C HTML5 Specification - http://www.w3.org/TR/html5/ Dive into HTML5 – http://diveintohtml5.info

http://novogeek.com@novogeek

JSFoo Chennai 2012

by Krishna T on Feb 19, 2012

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 37

Statistics

JSFoo Chennai 2012 — Presentation Transcript