identifying cross-origin resource status using application ...appcache-slides.pdfidentifying...

IdentifyingCross-originResourceStatusUsingApplicationCache

2015NetworkandDistributedSystemSecuritySymposium

SanghoLee,Hyungsub Kim,andJongKimPOSTECH,Korea

February9,2015

Web,HTML5,andThreats

•WebandHTML5• Themostpopulardistributedapplicationplatform• RichfunctionalityintroducedbyHTML5

•Securityandprivacythreats• Popularityattractsalotofadversaries.• Richfunctionalityopenssecurityandprivacyholes.

•DiscoveringunrevealedthreatsoftheWebandHTML5isimportant.

NDSS2015 2

HTML5ApplicationCache(AppCache)

•Enablingtechnologytoofflinewebapplication• Specifyresourcestobecachedinawebbrowser• Allowfastandofflineaccesstothecachedresources

•PotentialthreatofAppCache• Arbitrarycross-originresourcesarecacheable.• Neitherserver- norclient-sidecontrol

• Errorhandingcanbreachuserprivacy.• Recognizewhetherausercancachespecificresources

NDSS2015 3

MotivationandGoal

•Motivation• In-depthsecurityanalysisofnewwebfunctionalitiesisnecessary.• SecurityanalysisofAppCache isinsufficientdespiteitswidedeployment.

•Researchgoal• AnalyzeandsolvesecurityproblemsofAppCache• DiscoversecurityproblemsofAppCache• Suggestaneffectivecountermeasureagainstthesecurityproblems

NDSS2015 4

Contents

• Introduction•AppCache Details• Declaration• ProcedureandFailure• Non-cacheableURLs

•URLStatusIdentificationAttack•Discussion•Conclusion

NDSS2015 5

AppCache Declaration

NDSS2015 6

<html manifest=“example.appcache”>…</html>

CACHE MANIFEST

CACHE:/logo.pnghttps://example.cdn.com/external.jpgNETWORK:*FALLBACK:/ /offline.html

HTMLdocumentdeclaringAppCache

AppCache manifest

AppCache Procedure

NDSS2015 7

VisitawebpagedeclaringAppCache

Fetchanddecodethemanifest

Re-fetchthemanifesttocheckchanges

Downloadtheresourceslistedinthemanifest

site1.com site2.comwebbrowser

WhenDoesAppCache Fail?

NDSS2015 8




Downloadtheresourceslistedinthemanifest

site1.com site2.com

invalidorerroneousmanifest

Non-cacheableresources

Changedmanifest

AnyfailurerollsbackAppCache tomaintaincontentconsistency.

webbrowser

Non-cacheableURLs

• InvalidURL• Nocontenttobecached

•DynamicURL• Cachingdynamiccontentislessmeaningful.• Cache-Control:no-storeornoContent-Length

•URLwithredirections• FinalURLcanbedynamicallychanged.• Violationofthesame-originpolicyispossible.• ReferacachedresourcewiththeURLspecifiedinamanifest

NDSS2015 9

Contents

• Introduction•AppCache Details•URLStatusIdentification• BasicsandAdvantages• AttackProcedure• ConcurrentAttack• Application:DeterminingLoginStatus

•Discussion•Conclusion

NDSS2015 10

URLStatusIdentification

•Basics• SpecifyatargetURLinanAppCache manifest• CheckwhetherAppCache succeedsorfails

•Advantages• Deterministicidentification:Don’tmeasuretiming• IdentificationofURLredirections• Scriptless attack

NDSS2015 11

AttackProcedure:CacheableURL

NDSS2015 12




Downloadthetargetresource

attack.com target.comwebbrowser

Recordbrowserinfo.

Identifysuccess

Succeed

Refresh(optional)


PagerefreshingletsAppCache checkthemanifest’schanges.

AttackProcedure:Non-cacheableURL

NDSS2015 13





Recordbrowserinfo.

Identifyfailure

Fail

Refresh(optional)


…Abrowserdon’tre-fetchthemanifestwhenthe

targetURLisnon-cacheable.

PagerefreshinginitiatesanAppCache procedurefromthebeginning.


ConcurrentAttack

NDSS2015 14

ConcurrentlyinspectingmultipletargetURLswithmultipleiframetags,webpages,&manifests

<html manifest=“manifest.php?target=http://target1.com”></html>

<html><iframe src=“attack_each.php?target=http://target1.com”</iframe><iframe src=“attack_each.php?target=http://target2.com”</iframe>…</html>

CACHE MANIFESTCACHE:http://target1.comNETWORK:*

CACHE MANIFESTCACHE:http://target2.comNETWORK:*

<html manifest=“manifest.php?target=http://target2.com”></html>

attach_all.php attach_each.php manifest.php

…

…

Application:DeterminingLoginStatus

NDSS2015 15

amazon.com/gp/yourstore/home→amazon.com/ap/signin?...tumblr.com/dashboard→tumblr.com/login?redirect_to=/dashboardyoutube.com/feed/subscriptions→accounts.google.com/ServiceLogin?...

URLsredirectingnon-logged-inbrowserstologinpages

bitbucket.org/account/user/<user-id>github.com/<user-id>/<repository-name>/settings<blog-id>.wordpress.com/wp-admin

PrivateURLsreturningerrorstounauthorizedbrowsers

DetermineloginstatusbyinspectingURLswithconditionalredirectionsorerrors

Contents

• Introduction•AppCache Details•URLStatusIdentificationAttack•Discussion• ProblematicCountermeasures• Countermeasure:Cache-Origin• ServiceWorker

•Conclusion

NDSS2015 16

ProblematicCountermeasures

•AskuserpermissionforAppCache• Vulnerabletocarelessusers

•Always/nevercheckchangesinmanifests• Vulnerabletopagerefreshingattacks• Contentinconsistencyproblem

•Eliminatewebpageshavingconditionalbehaviors• Detectionandmodificationofallvulnerablewebpagesarechallenging.

NDSS2015 17

Countermeasure:Cache-Origin

•AttachaCache-OriginheaderwhenrequestingresourcesduringAppCache• Containthemanifest’sorigin• NotifyawebapplicationofwhoinitiateanAppCacheprocedure• ResembletheOriginheaderofCORS

•AbortsuspiciousAppCache proceduresbyreturningno-storeorerrorcode• Cachesensitiveresources• Beinitiatedbydoubtfulservers

NDSS2015 18

ServiceWorker

•ProvidescriptablecachesasanalternativetoAppCache• Interceptandrespondtonetworkrequestsfromcertainwebpages

•HavethesamepolicytohandleURLredirectionsanderrorswithAppCache• Alsovulnerabletoourattacks

NDSS2015 19

Conclusion

•WeintroducedanewwebprivacyattackusingHTML5AppCache.• Identifythestatusofcross-originresources• Donotrelyonclient-sidescripts• Canattackmajorwebbrowsers

•WesuggestedaCache-Originrequest-headerfieldtomitigateourattacks.•MinorvariationoftheOriginheader• Easydeployment

NDSS2015 20

BackupSlides

NDSS2015 21

Script-basedIdentification

NDSS2015 22

ExecutionTimeofConcurrentAttack

NDSS2015 23

0.11sforeachURL

0.27s

0.95s

Scriptless URLTiming

NDSS2015 24






Recordbrowserinfo.

Measureelapsedtime

identifying cross-origin resource status using application ...appcache-slides.pdfidentifying...

Documents