Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

JSFoo Chennai 2012

1,536 views

Published on

My presentation at JSFoo Chennai 2012, IIT Madras Research Park

Published in: Technology
  • Be the first to comment

  • Be the first to like this

JSFoo Chennai 2012

  1. 1. Krishna Chaitanya TSecurity & Privacy Research LabInfosys Labs
  2. 2.  A web application which combines content from multiple origins to create a new service Integrator-party combining the content Gadget-integrated content Provides more value add Fun, easy to DIY. It’s all JS madness!
  3. 3.  Approaches  Embedding external scripts  Loading content via iframes Requirements  Interaction  Communication Security  Isolation of origins  Secure data exchange
  4. 4.  Browser has to isolate different origins Origin = protocol://host:port  http://bing.com, http://localhost:81/, https://icicibank.com Privileges within origin  Full network access  Read/Write access to DOM  Storage Scripts of one origin cannot access DOM of another Strangely, scripts themselves are exempted from SOP!!
  5. 5.  Very good interactivity Assumption – Script is from trusted source No isolation of origin Embedded scripts have privileges of imported page, NOT source server Ads, widgets, AJAX libraries all have same rights 
  6. 6.  “SOP-Prevents useful things. Allows dangerous things” “If there is script from two or more sources, the application is not secure. Period.” “Fundamentally, XSS is a confusion of interests” “A mashup is a self-inflicted XSS attack!” Douglas Crockford - JavaScript Architect, Yahoo
  7. 7.  Restricting JavaScript to a subset Object-capability security model  Idea: If an object in JavaScript has no reference to “XMLHttpRequest” object, an AJAX call cannot be made. Popular JavaScript subsets:  Caja (iGoogle)  FBJS (Facebook)  ADSafe (Yahoo) Learning curve, usability issues
  8. 8.  Separate security context for each origin Less interactive than JS approach Comply with SOP <!-- This is allowed --> <iframe src="sameDomainPage.html"> </iframe> //page in same origin alert(frames[0].contentDocument.body); //works fine <!-- This is **NOT** allowed --> <iframe src="http://crossDomain.com"> </iframe> //page outside origin alert(frames[0].contentDocument.body); //throws error
  9. 9.  Beware! Frames can be navigated to different origins! Frame navigation is NOT the same as SOP! Frame-Frame relationships  Can script in Frame A modify DOM of Frame B?  Can Script in Frame A “navigate” Frame B? <iframe src=“http://crossDomain.com"> </iframe> <!-- This is **NOT** allowed --> alert(frames[0].src); //throws error – SOP restriction <!-- This is allowed --> alert(frames[0].src=“http://bing.com”); //works fine - frame navigation
  10. 10. awgloginwindow.open("https://attacker.com/", "awglogin"); Courtesy: Stanford Web Security Lab
  11. 11. top.frames[1].location = "http://www.attacker.com/...";top.frames[2].location = "http://www.attacker.com/..."; ... Courtesy: Stanford Web Security Lab
  12. 12. PermissiveWindowDescendantChild
  13. 13.  FIM=Fragment Identifier Messaging Limited data, no acknowledgements. Navigation doesn’t reload page Not a secure channel //Sender.html function send(){ iframe.src=“http://localhost/receiver.html#data”; } //Receiver.html window.onload=function(){ data=window.location.hash; }
  14. 14.  HTML5 postMessage API-the savior! Cross-origin client side communication Network-like channel between frames Securely abstracts multiple principals Frames can integrate widgets with improved trust!
  15. 15.  Syntax:otherwindow.postMessage(message, targetOrigin); targetOrigin can be a trusted source/wildcard *“*”+//Posting message to a cross domain partner.frames[0].postMessage(“Hello Partner!”, "http://localhost:81/");//Retrieving message from the senderwindow.onmessage = function (e) { if (e.origin == http://localhost) { //sanitize and accept data }};
  16. 16.  Sandbox – whitelisting restrictions on iframe content <iframe sandbox src="http://attacker.com"></iframe> Disable scripts, forms, popups, top navigation etc. CORS – Access-Control-Allow-Origin AJAX PostMessage CORS
  17. 17.  Framed sites are susceptible to clickjacking & frame phishing attacks Bust frames, avoid surprises. Left: Genuine communication Right: Stealing data with Recursive Mashup Attack
  18. 18. References “Secure Frame Communication in Browsers”-Adam Barth, Collin Jackson, John Mitchell-Stanford Web Security Research Lab W3C HTML5 Specification - http://www.w3.org/TR/html5/ Dive into HTML5 – http://diveintohtml5.info
  19. 19. http://novogeek.com@novogeek

×