Secure web messaging in HTML5
Presentation Transcript

  • Secure Web Messaging in HTML5. Krishna Chaitanya T, Microsoft MVP (Internet Explorer), @novogeek. MUGH Developer Day, 29th Jan, 2012
  • Agenda
    - Web 2.0 Communication: a quick overview of the new needs of the Web 2.0 era; case study of a few mashups; quick overview of JavaScript, Ajax, the browser sandbox, SOP, frames, navigation policies and the fragment identifier; understanding their technical limitations
    - HTML5: how the new Web Messaging API helps; traditional data exchange and its drawbacks; why there is a need for a new specification for web-based messaging
    - Security: solved problems and new concerns; reduced scope for XSS; improved trust model; newer security concerns; counter measures
  • A mashup with widgets: PageFlakes.com
  • An interactive mashup: HousingMaps.com
  • Embedding Remote JS
    - Assumption: the script comes from a trusted source
    - No isolation of origins: the script runs in the context of the embedding window
    - Has complete access to the DOM; can read and export your data
    - No user involvement needed
    “A mashup is a self-inflicted XSS attack” - Douglas Crockford, inventor of JSON
  • Same Origin Policy
    - The browser has to isolate different origins
    - Origin = protocol://host:port. Ex: http://bing.com, http://localhost:81/, https://icicibank.com
    - Privileges within an origin: full network access, read/write access to the DOM, storage
    - Embedded scripts get the privileges of the page that includes them, NOT of the server they were loaded from
    - AJAX calls to cross domains fail due to SOP
  • Demo: Same Origin Policy in action!
  • Isolation with Frames
    - Different security contexts for different origins
    - Brings modularity, but is less interactive than embedding JS
    - No standard communication mechanism
    - Complies with SOP: run remote code safely

      <!-- This is allowed: same-origin frame -->
      <iframe src="sameDomainPage.html"></iframe>
      <script>
        window.onload = function () {             // wait until the frame has loaded
          alert(frames[0].document.body);          // works fine
        };
      </script>

      <!-- This is **NOT** allowed: cross-origin frame -->
      <iframe src="http://crossDomain.com"></iframe>
      <script>
        window.onload = function () {
          alert(frames[0].document.body);          // throws a SecurityError
        };
      </script>
  • Frame Navigation
    - Beware! Frames can be navigated to different origins!
    - Frame-frame relationships: Can script in frame A modify the DOM of frame B? Can script in frame A “navigate” frame B, i.e. change its origin?
    - Frame navigation is NOT the same as SOP; the two are often confused!

      <iframe src="http://crossDomain.com"></iframe>
      <script>
        // This is **NOT** allowed: reading the cross-origin frame's location
        alert(frames[0].location.href);            // throws error - SOP restriction
        // This is allowed: navigating the frame to another origin
        frames[0].location.href = "http://bing.com"; // works fine - frame navigation
      </script>
  • Cross-Window Attack!
      // opens into (i.e. navigates) the already existing window named "awglogin"
      window.open("https://attacker.com/", "awglogin");
    Courtesy: Stanford Web Security Lab
  • Same-Window Attack!
      top.frames[1].location = "http://www.attacker.com/...";
      top.frames[2].location = "http://www.attacker.com/...";
      ...
    Courtesy: Stanford Web Security Lab
  • Frame Navigation Policies: Permissive, Window, Descendant, Child
  • Frame Communication
  • Fragment Identifier Messaging
    - Workaround used before HTML5
    - Limited data, no acknowledgements
    - Navigating to a new fragment doesn’t reload the page
    - Not a secure channel

      // Sender.html (assumes the page contains a single iframe showing receiver.html)
      function send() {
        var iframe = document.querySelector("iframe");
        iframe.src = "http://localhost/receiver.html#data"; // only the fragment changes
      }

      // Receiver.html
      window.onload = function () {
        var data = window.location.hash; // "#data"
      };
      // a fragment change does not reload the page, so later messages arrive here
      window.onhashchange = function () {
        var data = window.location.hash;
      };
  • HTML5 Post Message API
    - Cross-origin client-side communication
    - Network-like channel between frames
    - Securely abstracts multiple principals
    - Frames can now integrate widgets with improved trust
  • HTML5 Post Message API
    - Syntax: otherWindow.postMessage(message, targetOrigin);
    - targetOrigin can be a trusted origin or the wild card (“*”)

      // Posting a message to a cross-domain partner
      frames[0].postMessage("Hello Partner!", "http://localhost:81/");

      // Retrieving the message on the receiving side
      window.onmessage = function (e) {
        if (e.origin === "http://localhost") {
          // sanitize and accept e.data
        }
      };
  • A few security considerations
    - Do not configure the target origin as “*”: sensitive data can be leaked to unknown widgets
    - Always check the sender’s origin: otherwise client-side DoS attacks can be launched
    - Always validate data before use: do not consume data directly with eval() or innerHTML; follow best practices for DOM-based XSS prevention
    - Eavesdropping with framing attacks! In spite of the above checks, data can still be lost. Ex: Recursive Mashup attack. Follow frame-busting techniques
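The two postMessage slides above (the API syntax and the security considerations) put together as an added example; this is not code from the slides. It assumes the sender page lives at http://localhost, the receiver at http://localhost:81, and that partners exchange JSON objects of the shape {type, text}; the functions are plain so they can be exercised outside a browser.

```javascript
// Added example (not from the slides): a defensive receiver and sender for the
// postMessage API. Assumptions: the sender page lives at http://localhost, the
// receiver at http://localhost:81, and messages are JSON objects {type, text}.
const TRUSTED_SENDERS = ["http://localhost"]; // exact origins, never "*"

// Exact-match origin check. A prefix test like origin.indexOf("http://localhost") === 0
// would also accept "http://localhost.example", so compare whole strings.
function isTrustedOrigin(origin, allowList) {
  return allowList.indexOf(origin) !== -1;
}

// Validate one message event: reject untrusted origins, non-JSON bodies and
// unexpected shapes, and cap the accepted length so a partner cannot flood us.
function handleMessage(event, allowList) {
  if (!isTrustedOrigin(event.origin, allowList)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (err) {
    return { accepted: false, reason: "malformed data" };
  }
  if (!msg || msg.type !== "greeting" || typeof msg.text !== "string") {
    return { accepted: false, reason: "unexpected message shape" };
  }
  return { accepted: true, text: msg.text.slice(0, 200) };
}

// Render accepted text as text: textContent, never innerHTML or eval().
function render(element, text) {
  element.textContent = text;
  return element.textContent;
}

// Sender-side guard: refuse to post to the "*" wild card.
function sendToPartner(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing to post to wild card origin");
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
  return targetOrigin;
}

// Wiring for a real page (skipped under Node, where window is undefined).
if (typeof window !== "undefined") {
  window.onmessage = function (e) {
    const result = handleMessage(e, TRUSTED_SENDERS);
    if (result.accepted) render(document.body, result.text);
  };
}
```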
  • Demo Playing with HTML5 Post Message API Bonus (if time permits) – Recursive Mashup Attack!
  • References & Reading “Secure Frame Communication in Browsers”-Adam Barth, Collin Jackson, John Mitchell-Stanford Web Security Research Lab W3C HTML5 Web Messaging Specification - http://dev.w3.org/html5/postmsg/#authors Dive into HTML5 – http://diveintohtml5.info IE9 Guide for Developers - http://msdn.microsoft.com/en- us/ie/hh410106.aspx
  • Thank You!http://novogeek.com | @novogeek http://mugh.net