Beware of Finer-Grained Origins

Beware of Finer-Grained Origins
Collin Jackson
Adam Barth
Stanford University
Security Context Determined By URL
• "Origin" = Scheme + Host + (Port)
  https://login.yahoo.com/config/login
  (Scheme: https; Host: login.yahoo.com; Port: not given, so the scheme default)
Sub-Origin Privileges
• Origin Contamination
Trust Specified By URL
• Import
<script src="prototype.js"></script>
<link rel="stylesheet" href="base.css">
• Export
<form action="login.cgi">
var xhr = new XMLHttpRequest();
xhr.open("POST", "ajax.php");
Threat Models
• Web Attacker
– https://www.attacker.com
– Free user visit
• Upgrade: Network Attacker
– Eavesdrop
– Corrupt network traffic
• Upgrade: Cert-Mismatch Attacker
– User clicks through certificate errors
– Attacker still does not have trusted site’s certificate
• Cross-Path Attacker
– Same “origin” as good site, different path
Browser Features
Defenses
Feature                    | Sub-Origin Privilege | Attacker: Origin Contamination | Library Import | Data Export
Cookie Paths               | Read Cookie          |                                |                |
WSKE                       | Read Cookie          |                                |                |
Certificate Errors (IE7)   | Show Lock            |                                |                |
EV                         | Show Organization    |                                |                |
Locked Same-Origin Policy  | Read Cookie          |                                |                |
Petname Toolbar            | Show Petname         |                                |                |
Passpet                    | Obtain Password      |                                |                |
Mixed Content              | Show Lock            |                                |                | N/A
enablePrivilege            | Install Software     |                                |                |
IP-based Origins           | Network Requests     |                                |                |
Mixed Content
WSKE
• Web Server Key-Enabled Cookies
– “Secure” cookies only sent for same TLS key
Locked SOP
• Finer-grained origin (scheme, host, port, broken)
– “Broken” HTTPS page can’t script valid HTTPS page
• Banks often import libraries
  <script src="https://www.paypalobjects.com/...">
– User clicks through cert error for paypalobjects.com
– Real PayPal imports script from paypalobjects.com
– Attacker runs script as “unbroken” PayPal
– Sites cannot safely use <script src="…">, CSS, SWF, etc
More Anti-Phishing using Certificates
• Ignore the address bar, use cert instead
• Extended Validation
• Passpet
• Petname
• What about ?
TLS Forwarding
• Certificate belongs to bank
• Domain name belongs to attacker
• Attacker can hijack session at any time
• Certificate UI is confused
TLS Forwarding Example
TLS Forwarding - Consequences
• Might not be PayPal
• This is really PayPal, right?
TLS Forwarding Network Attack
• Origin contamination
• Polluted cache
Firefox enablePrivilege API
Abusing enablePrivilege
• Relies on certificate, ignores host name
• Signed HTML can import libraries and be scripted by its origin
• Is this code really from Yahoo!?
Cookie Paths
• http://www.stanford.edu/~alice
  Set-Cookie: skrt=04f4; path=/~alice
• http://www.stanford.edu/~eve
  Set-Cookie: skrt=52f9; path=/~eve
  <iframe src="/~alice"></iframe>
  alert(frames[0].document.cookie);
[DWF’96, R’01]
DNS Rebinding Attack
<iframe src="http://www.evil.com">
[Diagram: the browser asks “www.evil.com?”; ns.evil.com (the attacker’s DNS server) answers with TTL = 0, first 171.64.7.115 (the www.evil.com web server) and then 192.168.0.100 (the corporate web server behind the firewall). DNS-SEC cannot stop this attack.]
Read permitted: it’s the “same origin”
IP-based Origins
• Finer-grained origin (scheme, host, port, IP)
• www.evil.com=192.168.0.100 imports
<script src="prototype.js"></script>
• www.evil.com=171.64.7.115 serves evil script
– Read contents of document
– POST it back to www.evil.com
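As an added example (not part of the slides), the origin comparison the browser performs, run over constructed grants for the cookie-path and DNS-rebinding cases above; `contaminatedGrants` and the `key` field are assumed names for this illustration:

```javascript
// Added example (not from the slides): compute the origin the same-origin
// policy actually uses, then flag "sub-origin" privileges that leak between
// documents sharing that origin (origin contamination).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// The SOP origin is (scheme, host, effective port). The path, the IP the host
// resolved to, and whether the certificate validated are all outside the tuple.
function origin(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORT[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

// A grant keys a privilege on some attribute finer than the origin ("key").
// Two grants in the same origin with different keys contaminate each other:
// either document can script the other (e.g. via an iframe), so the privilege
// is really held by the whole origin. Returns one record per leaking pair.
function contaminatedGrants(grants) {
  const leaks = [];
  for (const g of grants) {
    for (const other of grants) {
      if (g !== other && g.key !== other.key && sameOrigin(g.url, other.url)) {
        leaks.push({ privilege: g.privilege, from: g.url, to: other.url });
      }
    }
  }
  return leaks;
}

// Constructed sample grants mirroring two of the deck's cases: path-scoped
// cookies, and an IP-based origin for a host name the attacker rebinds.
const sampleGrants = [
  { url: "http://www.stanford.edu/~alice", privilege: "Read Cookie", key: "path=/~alice" },
  { url: "http://www.stanford.edu/~eve",   privilege: "Read Cookie", key: "path=/~eve" },
  { url: "http://www.evil.com/", privilege: "Network Requests", key: "ip=171.64.7.115" },
  { url: "http://www.evil.com/", privilege: "Network Requests", key: "ip=192.168.0.100" },
];

console.log(contaminatedGrants(sampleGrants).length, "contaminated grants");
```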
SOLUTIONS
Embrace
• Grant privileges to origins
– XDomainRequest
– Cross-site XHR
– Frame Navigation
– Local Storage
– postMessage
– Phishing Filter
– Password Database
Extend
• Include fine-grained origin in URL
• YURL:
https://y-cl7h3f7jwyj3fvmw7jpnjfvf2xlcmayi.yurl.net/
• HTTPEV:
httpev://www.paypal.com/
Destroy
• Problem: documents that lack the sub-origin privilege
• Eliminate privilege
– SafeLock
• Eliminate document
– ForceHTTPS
– ForceCertificate
– Strict Petname
Solutions
Defenses
Feature                    | Sub-Origin Privilege | Attacker: Origin Contamination
Cookie Paths               | Read Cookie          |
WSKE                       | Read Cookie          |
Certificate Errors (IE7)   | Show Lock            | Destroy
EV                         | Show Organization    | Destroy
Locked Same-Origin Policy  | Read Cookie          | Extend
Petname Toolbar            | Show Petname         | Destroy
Passpet                    | Obtain Password      | Destroy
Mixed Content              | Show Lock            |
enablePrivilege            | Install Software     |
IP-based Origins           | Network Requests     | Destroy
Library Import / Data Export columns (marks as extracted, row positions lost): Extend, Destroy, N/A, Destroy
Summary
• Sub-origin privileges don’t work
– Origin contamination
– Privilege escalation via script injection
• Beware of finer-grained origins
– Trust specified by URL
– Import/Export
• Three approaches for new features
– Embrace, extend, destroy