Post on 21-Dec-2015

Beware of Finer-Grained Origins

Collin Jackson, Adam Barth
Stanford University

Security Context Determined By URL
• "Origin" = scheme, host, (port)
  https://login.yahoo.com/config/login
  scheme = https, host = login.yahoo.com, port = 443 (implied); the path /config/login is not part of the origin
• Sub-origin privileges
• Origin contamination

Trust Specified By URL
• Import (the fetched code or style runs with the importing page's privileges)
  <script src="prototype.js"></script>
  <link rel="stylesheet" href="base.css">
• Export (the page's data goes to whatever the URL resolves to)
  <form action="login.cgi">
  var xhr = new XMLHttpRequest(); xhr.open("POST", "ajax.php");

Threat Models
• Web attacker
  – Controls https://www.attacker.com
  – Gets a free user visit
• Upgrade: network attacker
  – Eavesdrops
  – Corrupts network traffic
• Upgrade: cert-mismatch attacker
  – User clicks through certificate errors
  – Attacker still does not have the trusted site's certificate
• Cross-path attacker
  – Same "origin" as the good site, different path

Browser Features / Defenses

Feature                     Sub-origin privilege   Attacker   Origin contamination
                                                              (library import / data export)
Cookie paths                Read cookie
WSKE                        Read cookie
Certificate errors (IE7)    Show lock
EV                          Show organization
Locked same-origin policy   Read cookie
Petname toolbar             Show petname
Passpet                     Obtain password
Mixed content               Show lock                         N/A
enablePrivilege             Install software
IP-based origins            Network requests

(The attacker and origin-contamination cells are icons on the slide and are not in the transcript; only the text cells survive.)

Mixed Content

WSKE
• Web Server Key-Enabled cookies
  – "Secure" cookies are only sent over a TLS connection using the same server key

Locked SOP
• Finer-grained origin: (scheme, host, port, broken)
  – A "broken" HTTPS page (one loaded through a certificate error) can't script a valid HTTPS page
• Banks often import libraries
  – <script src="https://www.paypalobjects.com/...">
  – The user clicks through a certificate error for paypalobjects.com
  – The real PayPal page imports its script from paypalobjects.com
  – The attacker's script now runs as "unbroken" PayPal
• Sites cannot safely use <script src="…">, CSS, SWF, etc.: an import runs with the importer's origin no matter who served it

More Anti-Phishing Using Certificates
• Ignore the address bar, use the certificate instead
• Extended Validation
• Passpet
• Petname
• What about ?

TLS Forwarding
• Certificate belongs to the bank
• Domain name belongs to the attacker
• Attacker can hijack the session at any time
• Certificate UI is confused

TLS Forwarding Example

TLS Forwarding - Consequences
• Might not be PayPal
• "This is really PayPal, right?"

TLS Forwarding Network Attack
• Origin contamination
• Polluted cache

Firefox enablePrivilege API

Abusing enablePrivilege
• Relies on the certificate, ignores the host name
• Signed HTML can import libraries and be scripted by its origin
• Is this code really from Yahoo!?

Cookie Paths
• http://www.stanford.edu/~alice
  Set-Cookie: skrt=04f4; path=/~alice
• http://www.stanford.edu/~eve
  Set-Cookie: skrt=52f9; path=/~eve
• Eve's page:
  <iframe src="/~alice"></iframe>
  alert(frames[0].document.cookie);
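The frame trick above, worked through as an added example that is not code from the talk: a constructed model of a browser's cookie jar and same-origin check. The cookie path attribute scopes the Cookie header a server receives, but the same-origin policy compares only scheme, host and port, so Eve's page may read Alice's frame. The two URLs and Set-Cookie values are the slide's; the helper names (makeCookieJar, cookiePathDemo, readCookieThroughFrame) and the second run with one host per user, my reading of the "extend" row for cookie paths, are assumptions of this example.

```javascript
// Added example, not code from the talk: a constructed model of a browser's
// cookie jar and same-origin check. URLs and cookie values come from the
// slide; the helpers are invented for this example.

// RFC 6265 path-match: the cookie path equals the request path, or is a prefix
// of it that ends in "/", or is a prefix whose next request-path character is
// "/". So /~alice matches /~alice/photos but not /~alicent.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Origin (scheme, host, port) plus the path, which is deliberately NOT part
// of the origin.
function parseUrl(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || (scheme === 'https' ? '443' : '80');
  return { scheme, host: u.hostname, port, path: u.pathname };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Minimal cookie jar: stores (host, name, value, path) and applies path
// matching both to the Cookie request header and to document.cookie.
function makeCookieJar() {
  const cookies = [];
  function matching(url) {
    const { host, path } = parseUrl(url);
    return cookies.filter(c => c.host === host && pathMatches(path, c.path));
  }
  return {
    // Store a cookie from a Set-Cookie header received at `url`.
    set(url, header) {
      const [pair, ...attrs] = header.split(';').map(s => s.trim());
      const eq = pair.indexOf('=');
      const cookie = { host: parseUrl(url).host, name: pair.slice(0, eq),
                       value: pair.slice(eq + 1), path: '/' };
      for (const attr of attrs) {
        const [k, v] = attr.split('=');
        if (k.toLowerCase() === 'path' && v) cookie.path = v;
      }
      cookies.push(cookie);
    },
    // Cookie header for a request to `url`: what the server at that path sees.
    headerFor(url) {
      return matching(url).map(c => `${c.name}=${c.value}`).join('; ');
    },
    // document.cookie for a page at `url`: the same path rule applies.
    documentCookie(url) {
      return this.headerFor(url);
    },
  };
}

// A page at readerUrl does <iframe src=framedUrl> and reads
// frames[0].document.cookie. The browser allows the read iff the two pages
// are same-origin; the framed page's document.cookie then answers for ITS path.
function readCookieThroughFrame(jar, readerUrl, framedUrl) {
  if (!sameOrigin(parseUrl(readerUrl), parseUrl(framedUrl))) return null; // denied
  return jar.documentCookie(framedUrl);
}

// Alice and Eve each set a path-scoped cookie at their own URL (the path
// attribute follows the URL); Eve then tries the frame trick.
function cookiePathDemo(aliceUrl, eveUrl) {
  const jar = makeCookieJar();
  jar.set(aliceUrl, `skrt=04f4; path=${parseUrl(aliceUrl).path}`);
  jar.set(eveUrl, `skrt=52f9; path=${parseUrl(eveUrl).path}`);
  return {
    sentToEve: jar.headerFor(eveUrl),                          // path scoping holds for requests
    readByEve: readCookieThroughFrame(jar, eveUrl, aliceUrl),  // but not against a same-origin frame
  };
}

// Shared host (the slide's case) versus one host per user, where the
// "user" part of the path becomes part of the origin.
console.log(cookiePathDemo('http://www.stanford.edu/~alice', 'http://www.stanford.edu/~eve'));
console.log(cookiePathDemo('http://alice.stanford.edu/', 'http://eve.stanford.edu/'));
```

In the shared-host run the server at /~eve never receives Alice's cookie, yet Eve's script reads it through the frame; in the per-host run the frame read is refused because the origins differ.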

DNS Rebinding Attack [DWF'96, R'01]

(Diagram: the victim's browser sits behind a corporate firewall with the corporate web server at 192.168.0.100; outside the firewall are the attacker's web server www.evil.com at 171.64.7.115 and the attacker's DNS server ns.evil.com.)
• The victim's browser loads <iframe src="http://www.evil.com">; it asks ns.evil.com "www.evil.com?" and gets 171.64.7.115 with TTL = 0
• The attacker's page makes the browser fetch http://www.evil.com again; the TTL has expired, so the browser asks again, and ns.evil.com now answers 192.168.0.100, the corporate web server
• Read permitted: it's the "same origin" (scheme, host and port are unchanged), so the attacker's script reads the internal server's response
• DNSSEC cannot stop this attack: both answers are genuine records from the zone's legitimate authoritative server, so they validate; the flaw is the browser's name-based origin, not forged DNS

IP-based Origins
• Finer-grained origin: (scheme, host, port, IP)
• The rebound page (www.evil.com = 192.168.0.100) imports <script src="prototype.js"></script>
• The lookup for that script returns www.evil.com = 171.64.7.115, which serves an evil script instead
  – Reads the contents of the document
  – POSTs it back to www.evil.com
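The rebinding slide and the IP-based origins slide, run end to end as an added example that is not code from the talk. It is a constructed model of a browser, not a real one: a resolver that returns the attacker's scripted sequence of TTL-0 answers, a "network" of two servers, and an origin check that can be switched between (scheme, host, port) and (scheme, host, port, IP). It shows that adding the IP blocks the direct cross-frame read but not the library import: the internal page's relative script URL is fetched from whichever address www.evil.com resolves to next, and the code runs as the internal page. The same mechanism is what the Locked SOP slides describe for the (scheme, host, port, broken) tuple, with the certificate state in place of the address. Host names, addresses and the answer sequence follow the slide diagram; the resource bodies, the 'benign'/'exfiltrate' script tags and the helper names are assumptions of this example.

```javascript
// Added example, not code from the talk: a model of the DNS rebinding attack
// and of the "IP-based origins" defence. Host names, addresses and the TTL-0
// answer sequence follow the slide; servers, bodies and helpers are invented.

const ATTACKER_IP = '171.64.7.115';   // www.evil.com web server, outside the firewall
const INTERNAL_IP = '192.168.0.100';  // corporate web server, inside the firewall

// Attacker's authoritative DNS (ns.evil.com). TTL 0 means the browser asks
// again for every fetch, and the attacker scripts the sequence of answers.
function makeResolver(answers) {
  let n = 0;
  return function resolve(host) {
    if (host !== 'www.evil.com') throw new Error('unexpected lookup: ' + host);
    const ip = answers[Math.min(n, answers.length - 1)];
    n += 1;
    return ip;
  };
}

// Constructed network: what each address serves for a path. The internal page
// is a normal intranet page that imports a relative script; the attacker's
// server serves an exfiltrating script under the same file name.
const SERVERS = {
  [ATTACKER_IP]: {
    '/': { body: 'attacker landing page', scriptSrc: null },
    '/prototype.js': { code: 'exfiltrate' },
  },
  [INTERNAL_IP]: {
    '/': { body: 'SECRET intranet page', scriptSrc: 'prototype.js' },
    '/prototype.js': { code: 'benign' },
  },
};

// Every fetch is by URL, so every fetch resolves the host name again.
function fetchResource(resolve, host, path) {
  const ip = resolve(host);
  const resource = SERVERS[ip] && SERVERS[ip][path];
  if (!resource) throw new Error(`nothing served at ${ip}${path}`);
  return { ip, resource };
}

// The two origin definitions from the talk.
function originOf(doc, ipBased) {
  const base = `${doc.scheme}://${doc.host}:${doc.port}`;
  return ipBased ? `${base}@${doc.ip}` : base;
}

function sameOrigin(a, b, ipBased) {
  return originOf(a, ipBased) === originOf(b, ipBased);
}

// Load http://www.evil.com/<path>. If the page imports a script, the relative
// src resolves against the document URL (another DNS lookup) and the code
// executes in the importing document's context, whichever server supplied it.
function loadDocument(resolve, path) {
  const { ip, resource } = fetchResource(resolve, 'www.evil.com', path);
  const doc = { scheme: 'http', host: 'www.evil.com', port: 80, ip,
                body: resource.body, importedFrom: null, leaked: null };
  if (resource.scriptSrc) {
    const script = fetchResource(resolve, 'www.evil.com', '/' + resource.scriptSrc);
    doc.importedFrom = script.ip;
    if (script.resource.code === 'exfiltrate') {
      // Origin contamination: attacker code reads the document it was imported
      // into and POSTs it to www.evil.com, which now resolves to the attacker.
      const post = fetchResource(resolve, 'www.evil.com', '/');
      doc.leaked = { data: doc.body, postedTo: post.ip };
    }
  }
  return doc;
}

// The attack as drawn on the slide, under either origin policy.
function rebindingAttack(ipBased) {
  const resolve = makeResolver([ATTACKER_IP, INTERNAL_IP, ATTACKER_IP]);
  const attackerFrame = loadDocument(resolve, '/'); // lookup 1: attacker's own page
  const rebound = loadDocument(resolve, '/');       // lookup 2: <iframe src="http://www.evil.com">
  return {
    reboundIp: rebound.ip,
    // Direct read across the frame boundary: allowed iff the origins match.
    directRead: sameOrigin(attackerFrame, rebound, ipBased) ? rebound.body : null,
    // What the imported script leaked, regardless of the origin policy.
    viaImport: rebound.leaked ? rebound.leaked.data : null,
    leakedTo: rebound.leaked ? rebound.leaked.postedTo : null,
    importedFrom: rebound.importedFrom,
  };
}

console.log('host-name origins:', rebindingAttack(false));
console.log('IP-based origins: ', rebindingAttack(true));
```

With host-name origins both directRead and viaImport carry the secret; with IP-based origins directRead is null but viaImport still carries it, because the attacker's script, fetched from 171.64.7.115, ran as the 192.168.0.100 document. Any extra element added to the origin tuple has this property as long as imports run with the importer's origin.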

SOLUTIONS

Embrace
• Grant privileges to origins
  – Frame navigation
  – Phishing filter
  – Password database
  – Local storage
  – postMessage
  – Cross-site XHR
  – XDomainRequest

Extend
• Include the fine-grained origin in the URL
  – YURL: https://y-cl7h3f7jwyj3fvmw7jpnjfvf2xlcmayi.yurl.net/
  – HTTPEV: httpev://www.paypal.com/

Destroy
• Problem: documents that lack the sub-origin privilege
• Eliminate the privilege
  – SafeLock
• Eliminate the document
  – ForceHTTPS
  – ForceCertificate
  – Strict Petname


Solutions / Defenses

Feature                     Sub-origin privilege   Solution
Cookie paths                Read cookie            Extend
WSKE                        Read cookie
Certificate errors (IE7)    Show lock              Destroy
EV                          Show organization      Destroy
Locked same-origin policy   Read cookie            Extend
Petname toolbar             Show petname           Destroy
Passpet                     Obtain password        Destroy
Mixed content               Show lock              Destroy; Destroy; N/A
enablePrivilege             Install software       Destroy
IP-based origins            Network requests

(Same layout as the Browser Features table: the attacker and origin-contamination marks are icons on the slide and are not in the transcript; the solution labels are given in the order they appear across those columns.)

Summary
• Sub-origin privileges don't work
  – Origin contamination
  – Privilege escalation via script injection
• Beware of finer-grained origins
  – Trust is specified by URL
  – Import/export
• Three approaches for new features
  – Embrace, extend, destroy
