The Postman Always Rings Twice Attacking Defending post
- Slides: 19
The Postman Always Rings Twice: Attacking & Defending post. Message in HTML 5 Websites Ankur Verma University of Central Florida, Orlando University of Central Florida
University of Central Florida Prior/After HTML 5 Protocol + Host + Port Same Origin Policy communication Cross Site Communication post. Message
University of Central Florida New Web Approach • post. Message enhance user experience
University of Central Florida post. Message: Inter-frame Communication Different Frames
University of Central Florida What Worries? Changing Web Landscape: Inclination on Client Side Greater Functionality Java. Script Application Logic Fast Query Response Extended Functionality
University of Central Florida Usage Message Target Origin Usage: target. Window. post. Message(<Traffic Data Request>, <Google Analytics>) Third Party
University of Central Florida Security Perspective • post. Message guarantees confidentiality and authenticity • Sender specifies recipient’s origin, specifying URL(Target Origin) • Recipient origin can also be ‘*’ Developer’s responsibility. To be used Cautiously! 68% websites vulnerable to XSS
University of Central Florida Cause of Concern • 25% of top 10, 000 websites use post. Message: Alexa • Over 70% of websites do not perform origin check. • Nearly 12% perform semantically incorrect checks
University of Central Florida Sample Demonstration (I) • Origin Check: Failing which enables XSS attacks. http: //www. abc. com http: //www. xyz. com Window. add. Event. Listner(“ message”, Get. Msg, false); Var new. Win=window. open (http: //www. xyz. com); new. Win. post. Message(“Hi”, target. Origin http: //www. xyz. com); function Get. Msg(event) { Origin Check if (event. origin == “ http: //www. abc. com") return; event. source. post. Message(“ Hi ABC”, event. origin); }
University of Central Florida Sample Demonstration (II) • Semantically Incorrect Checks http: //www. abc. com http: //www. xyz. com Window. add. Event. Listner(“ message”, Get. Msg, false); Var new. Win=window. open (http: //www. xyz. com); new. Win. post. Message(“Hi”, target. Origin http: //www. xyz. com); function Get. Msg(event) { Origin Var w=/abc. com(: [0 -9])? $/; Check if (!event. origin. match(w)) return; Evilabc. com event. source. post. Message(“ Hi ABC”, event. origin); }
University of Central Florida Defense from Attacker Website • For third party content providers like Facebook – Based on Pseudo Random Token • Frame with 3 rd party content accepts messages only from the origin of the page that loads this frame. X. com Or (More Restrictive) • Frame with third party content accepts messages only from the parent frame. Y. com X. com attacker. com X. com – XSS can’t be prevented, if attacker includes 3 rd party frame
University of Central Florida Defenses • Attacker including 3 rd party frame. – Frame with 3 rd party content accepts messages only from content provider’s scripts running in any origin. Example: www. facebook. com https: //developers. facebook. com/docs/plugins/like-button/ www. attacker. com www. facebook. com Receivers
University of Central Florida Defense from Third Party Content • For website that use untrusted third party content – Based on Content Security Policy (CSP) extension • Restricts origin of messages sent to X. com from attacker. com. • Requires browser support, no cooperation X. com From third party content provider. attacker. com
University of Central Florida Using post. Message: Simple Example Origin Check Data Target Origin Sender Origin Check
University of Central Florida “Light” Threat Model Child C sends message to B via A Third Party Frames Attacker Honest
University of Central Florida “Heavy” Threat Model Attacker directly included third party frame attacker. com Attacker can put any script or data in local storage novice. com Provided Script Can cause session hijacking if website stores user’s identity Can cause also steal stored cookies
University of Central Florida X-Frame-Options Header • Allows/ disallows rendering of the document when inside an iframe. • It may have three possible values: – SAMEORIGIN: The document will be rendered in an frame only if the frame and it’s parent have the same origin. – DENY: Document may not be rendered inside a frame. – ALLOW-FROM: Document can be frame in specific uri • Needs to be added to web server’s config file. • 3% of websites posing serious threat, do not use this feature
University of Central Florida Defense Techniques Pseudo Random Token • Protect against “Light” threat model – Guarantees only the origin that loaded a third-party frame can send messages to this frame. Shared secret pseudo random token between site owner and inner frame – Web-Kit browsers, provide crypto. get. Random. Number API – http: //random. org via an XMLHttp. Request – Outer script attaches token to src attribute of frame it create Content Security Policy • Enforce security policy on 3 rd party scripts. Require structural changes, by removing inline Java. Script • CSP is HTTP header starting with X-Content-Security-Policy • Only 3 out of Alexa top 10, 000 websites use this
University of Central Florida Questions ?
- Attacking a castle
- Beltlining and blame are two face-attacking strategies.
- Chameleon attacking in dream
- Bloodborne pathogens attacking the liver are
- Yellow throated marten attacking a panda
- The attacking firm goes head-to-head with its competitor.
- Example of attacking the motive fallacy
- The ultimate attacking shot in badminton
- The postman predicate
- Neil postman
- Colored in
- What belief does postman hold about television
- Neil postman five things
- Connector problem in graph theory
- Chinese postman problem
- Underwood and postman 1960
- Neil postman
- Always low prices always
- Defending sola scriptura
- Was magellan worth defending