Origin Policy Enforcement in Modern Browsers

Transcription

1 Origin Policy Enforcement in Modern Browsers A Case Study in Same Origin Implementations Frederik Braun Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

2 Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is an Origin? What is the Same Origin Policy? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

3 Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is an Origin? What is the Same Origin Policy? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

4 Frederik Braun Dipl. Ing. in IT-Security at Ruhr-Uni Bochum (2012) this research! Security Engineer at Mozilla in Berlin likes to play CTFs (hi on twitter Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

5 Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is an Origin? What is the Same Origin Policy? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

6 Ambient Authentication Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

7 The Severity of a Same Origin Policy Bypass Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

8 Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is an Origin? What is the Same Origin Policy? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

9 What is an Origin? scheme hostname port origin Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

10 The Same Origin Policy (SOP) An origin (...) is often used as the scope of authority or privilege by user agents. Barth The same-origin policy is the most important mechanism we have to keep hostile web applications at bay, but it s also an imperfect one. Zalewski Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

11 Examples Compare for URL same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

12 Examples Compare for URL same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

13 Examples Compare for URL same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

14 Examples Compare for URL same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

15 Examples Compare for URL about:blank same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

16 Examples Compare for URL about:blank same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

17 Examples Compare for URL about:blank same-origin? Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

18 Examples Compare for URL about:blank same-origin? / a a Internet Explorer doesn t care about ports. Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

19 JavaScript Object Hierarchy window history document location frames frame (ebay) frame (amazon) Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

20 No Way Out? - Exceptions Cookies window.location setter window.name persists document.domain Internet Explorer Zones CORS JSONP... Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

21 SOP Wrap-Up Summary read access vendor specific JavaScript Engine (Object Capability) vs. DOM (Access Control) the SOP is highly inhomogenous no consistent reference implementation Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

22 Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is an Origin? What is the Same Origin Policy? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

23 All SOP Flaws are alike (CVE ) Browser harmless.com\x00.attacker.com Server B harmless.com JavaScript, UTF-16 Server A DNS, ASCIIZ attacker.com Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

24 All SOP Flaws are alike (CVE ) Browser Server B harmless.com Flash Plugin Server A HTTP API attacker.com Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

25 All SOP Flaws are alike (CVE TBA) Browser jar: Server B harmless.com Java URL Handler Server A HTTP API attacker.com Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

26 Demo Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

27 Table of Contents 1 about:me 2 Motivation Ambient Authentication The Severity of a Same Origin Policy Bypass 3 The Same Origin Policy What is an Origin? What is the Same Origin Policy? Examples 4 Evaluation SOP Bypass: Firefox (2007) SOP Bypass: Flash (2010) SOP Bypass: Java 7 Update 5-X (2012) 5 Conclusion Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

28 Conclusion: Same Origin Policy an inconsistent policy vendor specific theoretically, it s a black list plugins late 2012: Java in nearly 70% of all browsers but only 0.2% of websites 2013: exploits, Click-To-Play,.. But: There are safe & well designed security models on the horizon Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

29 Future Work: Automation? Picture by Jason Huggins on flickr Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

30 This same origin policy is the dumbest thing ever.... All this protection serves to do is aggravate legitimate developers trying to get JavaScript to do the simplest of tasks. Somebody on stackoverflow.com Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25

31 Thanks

32 References Barth, Adam. The web origin concept. December Q-Success. Usage of client-side programming languages for websites. side language/all. Last visited Michal Zalewski. The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, November For all references please see full thesis on Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement August 23, / 25