• Aucun résultat trouvé

Origin Policy Enforcement in Modern Browsers A Case Study in Same Origin Implementations Frederik Braun

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Origin Policy Enforcement in Modern Browsers A Case Study in Same Origin Implementations Frederik Braun"

Copied!
39
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Origin Policy Enforcement in Modern Browsers

A Case Study in Same Origin Implementations

Frederik Braun

(2)

Table of Contents

1 about:me

2 Motivation

Ambient Authentication

The Severity of a Same Origin Policy Bypass

3 The Same Origin Policy

What is the Same Origin Policy?

What is an Origin?

Examples

4 Evaluation

SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010)

SOP Bypass: Java 7 Update 5-X (2012)

5 Other/Better Security Policies CSP

iframeSandbox

6 Conclusion

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 2 / 32

(3)

Table of Contents

1 about:me

2 Motivation

Ambient Authentication

The Severity of a Same Origin Policy Bypass

3 The Same Origin Policy

What is the Same Origin Policy?

What is an Origin?

Examples

4 Evaluation

SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010)

SOP Bypass: Java 7 Update 5-X (2012)

5 Other/Better Security Policies CSP

iframeSandbox

6 Conclusion

(4)

Frederik Braun

Dipl. Ing. in IT-Security at Ruhr-Uni Bochum (2012)

I this research!

I https://frederik-braun.com/thesis Security Engineer at Mozilla in Berlin likes to play CTFs (hi FluxFingers!) willing to answer questions :)

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 4 / 32

(5)

Table of Contents

1 about:me

2 Motivation

Ambient Authentication

The Severity of a Same Origin Policy Bypass

3 The Same Origin Policy

What is the Same Origin Policy?

What is an Origin?

Examples

4 Evaluation

SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010)

SOP Bypass: Java 7 Update 5-X (2012)

5 Other/Better Security Policies CSP

iframeSandbox

6 Conclusion

(6)

Ambient Authentication

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 6 / 32

(7)

The Severity of a Same Origin Policy Bypass

(8)

Our Scope

My Thesis - This Talk The Same Origin Policy Formal Definition Actual Implementation Exceptions & Loopholes Other Policies

Analysis of Previous Bugs Classification

Bug Hunting

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 8 / 32

(9)

Table of Contents

1 about:me

2 Motivation

Ambient Authentication

The Severity of a Same Origin Policy Bypass

3 The Same Origin Policy

What is the Same Origin Policy?

What is an Origin?

Examples

4 Evaluation

SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010)

SOP Bypass: Java 7 Update 5-X (2012)

5 Other/Better Security Policies CSP

iframeSandbox

6 Conclusion

(10)

The Same Origin Policy (SOP)

“An ‘origin’ (...) is often used as the scope of authority or privilege by user agents. ” — Barth

“The same-origin policy is the most important mechanism we have to keep hostile web applications at bay, but it’s also an imperfect one.” —

Zalewski

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 10 / 32

(11)

What is an Origin?

scheme hostname port

http://www.example.com:8080/

origin

(12)

Examples

Compare for http://www.example.com/

URL same-origin?

http://www.example.com/help

3

https://www.example.com/ 7

about:blank 3

http://www.example.com:8000/phpMyAdmin 7/3a

aInternet Explorer doesn’t care about ports.

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

(13)

Examples

Compare for http://www.example.com/

URL same-origin?

http://www.example.com/help 3

https://www.example.com/ 7

about:blank 3

http://www.example.com:8000/phpMyAdmin 7/3a

aInternet Explorer doesn’t care about ports.

(14)

Examples

Compare for http://www.example.com/

URL same-origin?

http://www.example.com/help 3

https://www.example.com/

7

about:blank 3

http://www.example.com:8000/phpMyAdmin 7/3a

aInternet Explorer doesn’t care about ports.

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

(15)

Examples

Compare for http://www.example.com/

URL same-origin?

http://www.example.com/help 3

https://www.example.com/ 7

about:blank 3

http://www.example.com:8000/phpMyAdmin 7/3a

aInternet Explorer doesn’t care about ports.

(16)

Examples

Compare for http://www.example.com/

URL same-origin?

http://www.example.com/help 3

https://www.example.com/ 7

about:blank

3 http://www.example.com:8000/phpMyAdmin 7/3a

aInternet Explorer doesn’t care about ports.

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

(17)

Examples

Compare for http://www.example.com/

URL same-origin?

http://www.example.com/help 3

https://www.example.com/ 7

about:blank 3

http://www.example.com:8000/phpMyAdmin 7/3a

aInternet Explorer doesn’t care about ports.

(18)

Examples

Compare for http://www.example.com/

URL same-origin?

http://www.example.com/help 3

https://www.example.com/ 7

about:blank 3

http://www.example.com:8000/phpMyAdmin

7/3a

aInternet Explorer doesn’t care about ports.

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 12 / 32

(19)

Examples

Compare for http://www.example.com/

URL same-origin?

http://www.example.com/help 3

https://www.example.com/ 7

about:blank 3

http://www.example.com:8000/phpMyAdmin 7/3a

aInternet Explorer doesn’t care about ports.

(20)

JavaScript Object Hierarchy

window

history document

location frames

frame (ebay) frame (amazon)

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 13 / 32

(21)

No Way Out? - Exceptions

Cookies

window.location setter

window.name persists

document.domain Internet Explorer Zones

CORS JSONP ...

(22)

SOP Wrap-Up

Summary read access vendor specific

JavaScript Engine (Object Capability) vs. DOM (Access Control) the SOP is highly inhomogenous

no consistent reference implementation

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 15 / 32

(23)

Table of Contents

1 about:me

2 Motivation

Ambient Authentication

The Severity of a Same Origin Policy Bypass

3 The Same Origin Policy

What is the Same Origin Policy?

What is an Origin?

Examples

4 Evaluation

SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010)

SOP Bypass: Java 7 Update 5-X (2012)

5 Other/Better Security Policies CSP

iframeSandbox

6 Conclusion

(24)

All SOP Flaws are alike (CVE-2007-0981)

DNS, ASCIIZ JavaScript, UTF-16

harmless.com

Browser Server B

harmless.com\x00.attacker.com

attacker.com Server A

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 17 / 32

(25)

All SOP Flaws are alike (CVE-2010-2179)

HTTP API Flash Plugin

harmless.com

Browser Server B

http://attacker.com@harmless.com

attacker.com Server A

(26)

All SOP Flaws are alike (CVE TBA)

HTTP API Java URL Handler

harmless.com

Browser Server B

jar:http://harmless.com/foo.odt

attacker.com Server A

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 19 / 32

(27)

Demo

(28)

Table of Contents

1 about:me

2 Motivation

Ambient Authentication

The Severity of a Same Origin Policy Bypass

3 The Same Origin Policy

What is the Same Origin Policy?

What is an Origin?

Examples

4 Evaluation

SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010)

SOP Bypass: Java 7 Update 5-X (2012)

5 Other/Better Security Policies CSP

iframeSandbox

6 Conclusion

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 21 / 32

(29)

Content Security Policy (CSP)

Content Security Policy Security Header

Whitelist approach for resource inclusion XSS Mitigation

The cool kids do it

(30)

Example: A quite strict policy

Content-Security-Policy: default-src: ’self’; img-src:

https://static.example.org; script-src:

https://static.example.org google-analytics.com

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 23 / 32

(31)

CSP Adoption

Inline JavaScript

On more than 96% of the web

No easy way to safely allow inline JavaScript with CSP 1.0 Disadvantages with CSP 1.1 proposals for inline JS

(32)

Safe Content Inclusion

<iframe sandbox>

Displaying content. That’s it.

can be reduced with allow-values in the attribute Browser adoption is a problem

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 25 / 32

(33)

Partial Sandbox Bypass in Mozilla Firefox

with allow-scriptsset

if (top != window) { top.location = window.location; } non-unique origin. popups, forms, plugins allowed.

(34)

Table of Contents

1 about:me

2 Motivation

Ambient Authentication

The Severity of a Same Origin Policy Bypass

3 The Same Origin Policy

What is the Same Origin Policy?

What is an Origin?

Examples

4 Evaluation

SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010)

SOP Bypass: Java 7 Update 5-X (2012)

5 Other/Better Security Policies CSP

iframeSandbox

6 Conclusion

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 27 / 32

(35)

Conclusion: Same Origin Policy

an inconsistent policy vendor specific

theoretically, it’s a black list plugins

late 2012: Java in nearly 70% of all browsers but only 0.2% of websites

2013: exploits, Click-To-Play, ..

But: There are safe & well designed security models on the horizon

(36)

Future Work: Automation?

Picture by Jason Huggins on flickr

Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 29 / 32

(37)

“This same origin policy is the dumbest thing ever. . . . All this ‘protection’

serves to do is aggravate legitimate developers trying to get JavaScript to do the simplest of tasks.” — Somebody on stackoverflow.com

(38)

Thanks

(39)

References

Barth, Adam.

The web origin concept.

http://tools.ietf.org/html/rfc6454, December 2011.

Q-Success.

Usage of client-side programming languages for websites.

http://w3techs.com/technologies/overview/client side language/all.

Last visited 2012-10-17.

Michal Zalewski.

The Tangled Web: A Guide to Securing Modern Web Applications.

No Starch Press, November 2011.

For all references please see full thesis on https://frederik-braun.com/thesis

Références

Télécharger maintenant ( PDF - 39 Page - 1.22 MB )

Documents relatifs

Testing obligation policy enforcement using mutation analysis

In terms of functionality, testing the implementation of an obligation policy is a two-fold issue that our mutation analysis highlights: 1 test cases must ensure that what is

Testing Obligation Policy Enforcement using Mutation Analysis

• The obligation processor: receives notifications of service executions and updates the state of rules in the policy ac- cordingly. More precisely, given the user, the service and

Épreuve d'Anglais, BEPC, Zone 3, année 2017, Côte d'Ivoire

Musa Kabba and his two younger sisters, Khadija and Rugi, sat in the quiet hall of the Mama Gintay Maternity Hospital.. None of

A service dependency modeling framework for policy-based response enforcement

As such, the dependent service does not notice the fail- ure and/or inaccessibility of the antecedent service unless the former reaches an operational mode where it requires the

A case-control study on the origin of atypical scrapie in sheep, France.

If atypical scrapie had an infectious origin, it could be infl uenced by risk factors associated with a pattern of infec- tious disease transmission as described for classical

The origin of EU authority in criminal matters: a sociology of legal experts in European policy-making

KEY WORDS Criminal matters; Eurojust; European Arrest Warrant; legal experts; judicial co-operation;

The origin(s) of modern amphibians: a commentary.

We think that the support for a special relationship between Gerobatrachus and some lissamphibians is not significant, because it is not only small in absolute terms and much

Frederik van Eeden

Poursuivant parallèlement une carrière littéraire, Frederik van Eeden devient membre de l'association Flanor et fonde en 1885 avec Frank van der Goes, Willem Kloos, Willem Paap