Krishna T, profile picture
Uploaded byKrishna T
PPTX, PDF1,010 views

JSFoo Chennai 2012

This document discusses security challenges with web applications that combine content from multiple sources (mashups). It covers how the same-origin policy isolates origins but exempts scripts, allowing cross-site scripting attacks. Frame-based communication and the postMessage API provide secure cross-origin messaging capabilities. The document recommends sandboxing iframes and using features like CORS to mitigate risks in mashups.

Technology
Related topics:
Web Security Overview

Embed presentation

Downloaded 14 times
Krishna Chaitanya T Security & Privacy Research Lab Infosys Labs
 A web application which combines content from multiple origins to create a new service  Integrator-party combining the content  Gadget-integrated content  Provides more value add  Fun, easy to DIY. It’s all JS madness!
 Approaches  Embedding external scripts  Loading content via iframes  Requirements  Interaction  Communication  Security  Isolation of origins  Secure data exchange
 Browser has to isolate different origins  Origin = protocol://host:port  http://bing.com, http://localhost:81/, https://icicibank.com  Privileges within origin  Full network access  Read/Write access to DOM  Storage  Scripts of one origin cannot access DOM of another  Strangely, scripts themselves are exempted from SOP!!
 Very good interactivity  Assumption – Script is from trusted source  No isolation of origin  Embedded scripts have privileges of imported page, NOT source server  Ads, widgets, AJAX libraries all have same rights 
 “SOP-Prevents useful things. Allows dangerous things”  “If there is script from two or more sources, the application is not secure. Period.”  “Fundamentally, XSS is a confusion of interests”  “A mashup is a self-inflicted XSS attack!” Douglas Crockford - JavaScript Architect, Yahoo
 Restricting JavaScript to a subset  Object-capability security model  Idea: If an object in JavaScript has no reference to “XMLHttpRequest” object, an AJAX call cannot be made.  Popular JavaScript subsets:  Caja (iGoogle)  FBJS (Facebook)  ADSafe (Yahoo)  Learning curve, usability issues
 Separate security context for each origin  Less interactive than JS approach  Comply with SOP <!-- This is allowed --> <iframe src="sameDomainPage.html"> </iframe> //page in same origin alert(frames[0].contentDocument.body); //works fine <!-- This is **NOT** allowed --> <iframe src="http://crossDomain.com"> </iframe> //page outside origin alert(frames[0].contentDocument.body); //throws error
 Beware! Frames can be navigated to different origins!  Frame navigation is NOT the same as SOP!  Frame-Frame relationships  Can script in Frame A modify DOM of Frame B?  Can Script in Frame A “navigate” Frame B? <iframe src=“http://crossDomain.com"> </iframe> <!-- This is **NOT** allowed --> alert(frames[0].src); //throws error – SOP restriction <!-- This is allowed --> alert(frames[0].src=“http://bing.com”); //works fine - frame navigation
awglogin window.open("https://attacker.com/", "awglogin"); Courtesy: Stanford Web Security Lab
top.frames[1].location = "http://www.attacker.com/..."; top.frames[2].location = "http://www.attacker.com/..."; ... Courtesy: Stanford Web Security Lab
Permissive Window Descendant Child
 FIM=Fragment Identifier Messaging  Limited data, no acknowledgements.  Navigation doesn’t reload page  Not a secure channel //Sender.html function send(){ iframe.src=“http://localhost/receiver.html#data”; } //Receiver.html window.onload=function(){ data=window.location.hash; }
 HTML5 postMessage API-the savior!  Cross-origin client side communication  Network-like channel between frames  Securely abstracts multiple principals  Frames can integrate widgets with improved trust!
 Syntax: otherwindow.postMessage(message, targetOrigin);  targetOrigin can be a trusted source/wildcard *“*”+ //Posting message to a cross domain partner. frames[0].postMessage(“Hello Partner!”, "http://localhost:81/"); //Retrieving message from the sender window.onmessage = function (e) { if (e.origin == 'http://localhost') { //sanitize and accept data } };
 Sandbox – whitelisting restrictions on iframe content <iframe sandbox src="http://attacker.com"></iframe>  Disable scripts, forms, popups, top navigation etc.  CORS – Access-Control-Allow-Origin AJAX PostMessage CORS
 Framed sites are susceptible to clickjacking & frame phishing attacks  Bust frames, avoid surprises. Left: Genuine communication Right: Stealing data with Recursive Mashup Attack
References  “Secure Frame Communication in Browsers”-Adam Barth, Collin Jackson, John Mitchell-Stanford Web Security Research Lab  W3C HTML5 Specification - http://www.w3.org/TR/html5/  Dive into HTML5 – http://diveintohtml5.info
http://novogeek.com @novogeek

More Related Content

PPTX
Secure web messaging in HTML5
byKrishna T
 
PPTX
Html5 security
byKrishna T
 
PPTX
Clickjacking DevCon2011
byKrishna T
 
PPTX
Browser Internals-Same Origin Policy
byKrishna T
 
PDF
Html5 for Security Folks
byn|u - The Open Security Community
 
PDF
Attacking Web Proxies
byInMobi Technology
 
PPT
Browser Security
byRoberto Suggi Liverani
 
PPTX
Dom based xss
byLê Giáp
 
Secure web messaging in HTML5
byKrishna T
 
Html5 security
byKrishna T
 
Clickjacking DevCon2011
byKrishna T
 
Browser Internals-Same Origin Policy
byKrishna T
 
Html5 for Security Folks
byn|u - The Open Security Community
 
Attacking Web Proxies
byInMobi Technology
 
Browser Security
byRoberto Suggi Liverani
 
Dom based xss
byLê Giáp
 

What's hot

PDF
New Insights into Clickjacking
byMarco Balduzzi
 
PPTX
Owasp Top 10 A3: Cross Site Scripting (XSS)
byMichael Hendrickx
 
PPTX
Top Ten Web Hacking Techniques of 2012
byJeremiah Grossman
 
PPT
Top Ten Web Hacking Techniques – 2008
byJeremiah Grossman
 
PDF
Rich Web App Security - Keeping your application safe
byJeremiah Grossman
 
PPT
Starwest 2008
byCaleb Sima
 
PDF
Html5 localstorage attack vectors
byShreeraj Shah
 
PDF
When Ajax Attacks! Web application security fundamentals
bySimon Willison
 
PPT
Web browser privacy and security
byamiable_indian
 
PPTX
Java script, security and you - Tri-Cities Javascript Developers Group
byAdam Caudill
 
PDF
Top Ten Web Hacking Techniques (2008)
byJeremiah Grossman
 
PPTX
Browser Security 101
byStormpath
 
PPT
Web Application Security: The Land that Information Security Forgot
byJeremiah Grossman
 
PDF
The Hidden XSS - Attacking the Desktop & Mobile Platforms
bykosborn
 
PDF
BsidesDelhi 2018: DomGoat - the DOM Security Playground
byBSides Delhi
 
PDF
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
PPT
Xss is more than a simple threat
byAvădănei Andrei
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPT
Phishing with Super Bait
byJeremiah Grossman
 
PDF
Top Ten Web Hacking Techniques (2010)
byJeremiah Grossman
 
New Insights into Clickjacking
byMarco Balduzzi
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
byMichael Hendrickx
 
Top Ten Web Hacking Techniques of 2012
byJeremiah Grossman
 
Top Ten Web Hacking Techniques – 2008
byJeremiah Grossman
 
Rich Web App Security - Keeping your application safe
byJeremiah Grossman
 
Starwest 2008
byCaleb Sima
 
Html5 localstorage attack vectors
byShreeraj Shah
 
When Ajax Attacks! Web application security fundamentals
bySimon Willison
 
Web browser privacy and security
byamiable_indian
 
Java script, security and you - Tri-Cities Javascript Developers Group
byAdam Caudill
 
Top Ten Web Hacking Techniques (2008)
byJeremiah Grossman
 
Browser Security 101
byStormpath
 
Web Application Security: The Land that Information Security Forgot
byJeremiah Grossman
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
bykosborn
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
byBSides Delhi
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
Xss is more than a simple threat
byAvădănei Andrei
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Phishing with Super Bait
byJeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
byJeremiah Grossman
 

Similar to JSFoo Chennai 2012

PDF
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
byIvo Andreev
 
PPTX
HTML5 - The Promise & The Peril
bySecurity Innovation
 
PDF
The Same-Origin Policy
byFabrizio Farinacci
 
PDF
Javascript cross domain communication
byChenKuo Chen
 
PPT
HTML5 hacking
byBlueinfy Solutions
 
PDF
Talk about html5 security
byHuang Toby
 
PDF
Secure java script-for-developers
byn|u - The Open Security Community
 
PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
PPT
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
byVagner Santana
 
PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
PDF
Building Client-Side Attacks with HTML5 Features
byConviso Application Security
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
PPT
Web 20 Security - Vordel
byguest2a1135
 
PPT
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
byShreeraj Shah
 
PPTX
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
byCyber Security Alliance
 
PDF
Krzysztof Kotowicz - Hacking HTML5
byDefconRussia
 
PDF
Designing & Building Secure Web APIs
byCodeOps Technologies LLP
 
PDF
Chapter 13 web security
bynewbie2019
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
PPTX
Web Application Security in front end
byErlend Oftedal
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
byIvo Andreev
 
HTML5 - The Promise & The Peril
bySecurity Innovation
 
The Same-Origin Policy
byFabrizio Farinacci
 
Javascript cross domain communication
byChenKuo Chen
 
HTML5 hacking
byBlueinfy Solutions
 
Talk about html5 security
byHuang Toby
 
Secure java script-for-developers
byn|u - The Open Security Community
 
W3 conf hill-html5-security-realities
byBrad Hill
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
byVagner Santana
 
W3 conf hill-html5-security-realities
byBrad Hill
 
Building Client-Side Attacks with HTML5 Features
byConviso Application Security
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
Web 20 Security - Vordel
byguest2a1135
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
byShreeraj Shah
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
byCyber Security Alliance
 
Krzysztof Kotowicz - Hacking HTML5
byDefconRussia
 
Designing & Building Secure Web APIs
byCodeOps Technologies LLP
 
Chapter 13 web security
bynewbie2019
 
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
Web Application Security in front end
byErlend Oftedal
 

Recently uploaded

PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
final.pdf
byomarbishtawi04
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
apidays New York 2025 | AI in Application Security
byapidays
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
final.pdf
byomarbishtawi04
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 

JSFoo Chennai 2012

  • 1.
    Krishna Chaitanya T Security& Privacy Research Lab Infosys Labs
  • 2.
     A webapplication which combines content from multiple origins to create a new service  Integrator-party combining the content  Gadget-integrated content  Provides more value add  Fun, easy to DIY. It’s all JS madness!
  • 4.
     Approaches  Embedding external scripts  Loading content via iframes  Requirements  Interaction  Communication  Security  Isolation of origins  Secure data exchange
  • 5.
     Browser hasto isolate different origins  Origin = protocol://host:port  http://bing.com, http://localhost:81/, https://icicibank.com  Privileges within origin  Full network access  Read/Write access to DOM  Storage  Scripts of one origin cannot access DOM of another  Strangely, scripts themselves are exempted from SOP!!
  • 6.
     Very goodinteractivity  Assumption – Script is from trusted source  No isolation of origin  Embedded scripts have privileges of imported page, NOT source server  Ads, widgets, AJAX libraries all have same rights 
  • 7.
     “SOP-Prevents usefulthings. Allows dangerous things”  “If there is script from two or more sources, the application is not secure. Period.”  “Fundamentally, XSS is a confusion of interests”  “A mashup is a self-inflicted XSS attack!” Douglas Crockford - JavaScript Architect, Yahoo
  • 8.
     Restricting JavaScriptto a subset  Object-capability security model  Idea: If an object in JavaScript has no reference to “XMLHttpRequest” object, an AJAX call cannot be made.  Popular JavaScript subsets:  Caja (iGoogle)  FBJS (Facebook)  ADSafe (Yahoo)  Learning curve, usability issues
  • 9.
     Separate securitycontext for each origin  Less interactive than JS approach  Comply with SOP <!-- This is allowed --> <iframe src="sameDomainPage.html"> </iframe> //page in same origin alert(frames[0].contentDocument.body); //works fine <!-- This is **NOT** allowed --> <iframe src="http://crossDomain.com"> </iframe> //page outside origin alert(frames[0].contentDocument.body); //throws error
  • 10.
     Beware! Framescan be navigated to different origins!  Frame navigation is NOT the same as SOP!  Frame-Frame relationships  Can script in Frame A modify DOM of Frame B?  Can Script in Frame A “navigate” Frame B? <iframe src=“http://crossDomain.com"> </iframe> <!-- This is **NOT** allowed --> alert(frames[0].src); //throws error – SOP restriction <!-- This is allowed --> alert(frames[0].src=“http://bing.com”); //works fine - frame navigation
  • 11.
  • 12.
    top.frames[1].location = "http://www.attacker.com/..."; top.frames[2].location= "http://www.attacker.com/..."; ... Courtesy: Stanford Web Security Lab
  • 13.
  • 14.
     FIM=Fragment IdentifierMessaging  Limited data, no acknowledgements.  Navigation doesn’t reload page  Not a secure channel //Sender.html function send(){ iframe.src=“http://localhost/receiver.html#data”; } //Receiver.html window.onload=function(){ data=window.location.hash; }
  • 15.
     HTML5 postMessageAPI-the savior!  Cross-origin client side communication  Network-like channel between frames  Securely abstracts multiple principals  Frames can integrate widgets with improved trust!
  • 16.
     Syntax: otherwindow.postMessage(message, targetOrigin); targetOrigin can be a trusted source/wildcard *“*”+ //Posting message to a cross domain partner. frames[0].postMessage(“Hello Partner!”, "http://localhost:81/"); //Retrieving message from the sender window.onmessage = function (e) { if (e.origin == 'http://localhost') { //sanitize and accept data } };
  • 17.
     Sandbox –whitelisting restrictions on iframe content <iframe sandbox src="http://attacker.com"></iframe>  Disable scripts, forms, popups, top navigation etc.  CORS – Access-Control-Allow-Origin AJAX PostMessage CORS
  • 18.
     Framed sitesare susceptible to clickjacking & frame phishing attacks  Bust frames, avoid surprises. Left: Genuine communication Right: Stealing data with Recursive Mashup Attack
  • 19.
    References  “Secure FrameCommunication in Browsers”-Adam Barth, Collin Jackson, John Mitchell-Stanford Web Security Research Lab  W3C HTML5 Specification - http://www.w3.org/TR/html5/  Dive into HTML5 – http://diveintohtml5.info
  • 20.