Same Origin Policy - encsclark/courses/1901-6150/scribe/l1…
TRANSCRIPT
Same Origin Policy: a browser policy
  Tension: functionality (cool features) vs. user privacy vs. website integrity; the policy sits in between.
  [Diagram: user, browser, and the servers the browser talks to]
  Browser: a cookie is included in a request if:
    the domains are the same or match the cookie's wildcard
    the request matches the cookie's flags
    the cookie is not expired
Cookies
  Features: keep you logged in; embedding from another website
  Problems: tracking, cross-site requests, session hijacking, cross-site request forgery (XSRF)
  [Diagram: cross-site request and its response]
Cross-site request forgery (XSRF)
  [Diagram: user, browser, bank]
  bank.com/account.php?transfer=100&to=Eve
  Actions in URLs (RESTful URLs) allow this.
  Simple web-app session mitigation: put the cookie in the URL too (the URL is encrypted under HTTPS):
  bank.com/account.php?transfer=100&to=Bob&cookie=B522A63
  Only the real bank site could create such a URL.
Same Origin Policy: scripting
  Every resource on a page (image, frame, script, etc.) is tagged by your browser with its origin.
  Origin = (scheme, host, port), e.g. (http, encs.concordia.ca, 80)
  Override: set document.domain, e.g. to concordia.ca
  Examples
    same origin: http://users.encs.concordia.ca/clark/index.html and http://users.encs.concordia.ca/[unreadable]/index.html (same scheme, host and port; the path is not part of the origin)
    different: https://users.encs.concordia.ca/clark/index.html (scheme differs)
    different: https://cise.concordia.ca/clark/index.html (host differs)
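As an added illustration (not part of the scribe notes), the JavaScript below applies the (scheme, host, port) origin test to the notes' URLs and models the document.domain override in simplified form. The origin tuple and default ports are the standard rule; the suffix check is an assumption that stands in for the browser's public-suffix handling.

```javascript
// Added example: origin tuple comparison and a simplified document.domain model.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Origin of a URL = (scheme, host, port); path and query are not part of it.
function origin(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                             // e.g. "http:"
    host: u.hostname,                               // lower-cased by URL
    port: u.port || DEFAULT_PORT[u.protocol] || "", // fill in the default port
  };
}

// Name the first differing component, or null when the origins are the same.
function originDifference(a, b) {
  const x = origin(a), y = origin(b);
  if (x.scheme !== y.scheme) return "scheme";
  if (x.host !== y.host) return "host";
  if (x.port !== y.port) return "port";
  return null;
}

function sameOrigin(a, b) {
  return originDifference(a, b) === null;
}

// document.domain override (deprecated in current browsers): a page on
// host may only loosen its domain to host itself or to a dot-delimited
// suffix of host. Simplification (assumption): a bare label such as "ca"
// is refused; real browsers consult the public suffix list instead.
function canSetDocumentDomain(host, newDomain) {
  if (newDomain === host) return true;
  if (!newDomain.includes(".")) return false;
  return host.endsWith("." + newDomain);
}

// Two pages that both set document.domain to the same value are treated
// as same origin for scripting, provided their schemes still match.
function sameOriginAfterDomainOverride(a, b, newDomain) {
  const x = origin(a), y = origin(b);
  return x.scheme === y.scheme &&
    canSetDocumentDomain(x.host, newDomain) &&
    canSetDocumentDomain(y.host, newDomain);
}

// Walk through the notes' examples.
const base = "http://users.encs.concordia.ca/clark/index.html";
console.log(originDifference(base, "https://users.encs.concordia.ca/clark/index.html")); // "scheme"
console.log(originDifference("https://users.encs.concordia.ca/clark/index.html", "https://cise.concordia.ca/clark/index.html")); // "host"
console.log(sameOriginAfterDomainOverride(base, "http://cise.concordia.ca/", "concordia.ca")); // true
```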
Embedded resources vs. frames
  Embedded resources are given the origin of the page that embeds them, as if copied inline into the page.
  Resources in frames are isolated from the website that embeds the frame; they are considered different origins.
  [Diagram: "My Website" (origin users.encs.concordia.ca) with an inline script and a frame from a Facebook page]
  XSS is all-powerful over the page's own origin: modify the page, record keystrokes, steal the cookie, open connections, etc.
  The frame from the Facebook page is isolated from the concordia.ca page: by default (SOP) neither origin can see or change the resources of the other.
  Override: change the origin (document.domain) or use postMessage.
XSS attacks: get your script embedded into a website
  Store it in a form
  From the URL, e.g. https://concordia.ca/search?q=
  Poison an already embedded script: modify a non-HTTPS script (browsers now block this)
  If time: self-inflicted XSS
    Some XSS vulnerabilities can only be seen by the attacker (in the attacker's own admin panel, inbox, profile, etc.). No problem?
    Vulnerable profile for Eve runs the script; log out Eve and log in Alice (via XSRF).
  If time: clickjacking
    [Diagram: evil page]
Lessons from SOP (all policies)
  Policies are hard to get right.
  Policies are hard to change (backwards compatibility).
  Tend to get a patchwork: new policies addressing corner cases of old policies.
  Complexity is bad for security (generally).
  Policies compose with other policies in unexpected ways.