TRANSCRIPT
CORS Background
Tuesday, November 3, 2009
Cookies: Login
(A) Login Page
  Browser -> Server A: Login Page Request
  Server A -> Browser: Login Page Response
  Browser -> Server A: Login Form Submission (contains username, password)
  Server A -> Browser: (A) Login Success Response with ‘Set-Cookie’ header
  Session Established
Cookies: Buying Stuff
(A) Purchase Page
  Browser -> Server A: Purchase Page Request (with Cookie header)
  Server A -> Browser: Purchase Page Response
  Browser -> Server A: Purchase Form Submission (with Cookie header)
  Server A -> Browser: (A) Purchase Success Response
  Purchase Takes Place!
Cookies: CSRF
(M) Malware Page
  Browser -> Server M: Malware Page Request
  Browser -> Server A: Purchase Form Submission (with Cookie header)
  Server A -> Browser: (A) Purchase Success Response
  Purchase Takes Place! OOPS!
Can’t Easily Avoid
• Need second factor to tell if submission actually came from Site A
• Origin
• Secret token (embedded in form)
CSRF: Origin Defense
(M) Malware Page
  Browser -> Server M: Malware Page Request
  Browser -> Server A: Purchase Form Submission (with Cookie + Origin: M)
  Server A -> Browser: (A) Purchase Failure Response
  No Purchase!
CORS Scenario
• I want to let Site A (an upcoming-events site) add calendar events to Site B (my calendar)
Requirements
• Grant permission just once
• No manual steps to copy data between sites
• “AJAX” UI (avoid full page loads)
• No server-to-server communication
• No need for prior bilateral arrangement between A and B, just published API
CORS: Login
(A) Login Page
  Browser -> Server A: Login Page Request
  Server A -> Browser: Login Page Response
  Browser -> Server A: Login Form Submission (contains username, password)
  Server A -> Browser: (A) Login Success Response with ‘Set-Cookie’ header
  Session Established
CORS: Access Grant
(A) Grant Page
  Browser -> Server A: Grant Page Request (includes Cookie)
  Server A -> Browser: Login Page Response
  Browser -> Server A: Grant Request, user picked Site B (includes Cookie)
  Server A -> Browser: (A) Grant Success Response
  Session Established
CORS: Request
(B) Event Page
  Browser -> Server B: Event Page Request
  Server B -> Browser: Event Page Response
  Browser -> Server A: XHR to add calendar item (carries Cookie for A, Origin: B)
  Server A -> Browser: XHR Response indicating success
  Calendar Event Added
No Confused Deputy
• Server M can’t forge Origin in the browser
• Server M can’t send session cookie for A outside the browser
• Combination of Origin and Cookie soundly identifies combination of user and site
Fancier Scenarios Can Have CD
• Site A asking Site B to do something on Site C
• Can also have Confused Deputy without CORS - for example poorly implemented secret tokens
How to Avoid Confused Deputy
• Don’t be a deputy!
• Never ask one server to do something on behalf of another.
• If you must...
• Guarantee that requests on behalf of a third party look different from your own
The Bad Way
(B) Event Page
  Browser -> Server B: Event Page Request
  Server B -> Browser: Event Page Response
  User gives Site B their Site A credentials
  Browser -> Server B: XHR to add calendar item (carries Site A user, pw)
  Server B logs in to Server A as user (!)
  OOPS!
  Server B -> Browser: XHR Response indicating success
  Calendar Event Added
Non-CORS Solutions
• For example, OAuth
• Generally require server-to-server communication
• Relies on bilateral agreement (shared secret)
OAuth
(B) Event Page
  Browser -> Server B: Event Page Request
  Server B -> Browser: Event Page Response
  Server B -> Server A: Ask For Request Token (signed w/ shared secret)
  Server A -> Server B: Request Token
  Server B -> Browser: Redirect to Request Authorization Token
  Browser -> Server A: Request Authorization Token (includes Cookie, A’s Request Token)
  Server A -> Browser: Redirect Back with Auth Token
(B) Event Page (auth’d)
  Browser -> Server B: XHR to add calendar item (incl Auth Token)
  Server B -> Server A: Request to add calendar item (incl Auth Token)
  Server A -> Server B: Success
  Server B -> Browser: Success
  Calendar Event Added
There is an error in this diagram: the process of exchanging a Request Token for an Authorization Token is oversimplified!