JSFoo Chennai 2012

Krishna Chaitanya T: JavaScript is mischievous. Handle 3rd party content with care! (Security & Privacy Research Lab, Infosys Labs)

Description: My presentation at JSFoo Chennai 2012, IIT Madras Research Park

Transcript of JSFoo Chennai 2012

Page 1: JSFoo Chennai 2012

Krishna Chaitanya T

JavaScript is mischievous. Handle 3rd party content with care!

Security & Privacy Research Lab, Infosys Labs

Page 2: JSFoo Chennai 2012

A web application which combines content from multiple origins to create a new service

Integrator: the party combining the content

Gadget: the integrated content

Provides more value add

Fun, easy to DIY. It’s all JS madness!

So we know what a mashup is..

Page 3: JSFoo Chennai 2012

Mashups…

Page 4: JSFoo Chennai 2012

Approaches
  Embedding external scripts
  Loading content via iframes

Requirements
  Interaction
  Communication

Security
  Isolation of origins
  Secure data exchange

Mashups & security

Page 5: JSFoo Chennai 2012

Browser has to isolate different origins

Origin = protocol://host:port

e.g. http://bing.com, http://localhost:81/, https://icicibank.com

Privileges within an origin: full network access, read/write access to DOM, storage

Scripts of one origin cannot access the DOM of another

Strangely, scripts themselves are exempted from SOP!!

Same Origin Policy

Page 6: JSFoo Chennai 2012

Very good interactivity

Assumption – Script is from trusted source

No isolation of origin

Embedded scripts have the privileges of the importing page, NOT the source server

Ads, widgets, AJAX libraries all have same rights

Script based approach

Page 7: JSFoo Chennai 2012

“SOP-Prevents useful things. Allows dangerous things”

“If there is script from two or more sources, the application is not secure. Period.”

“Fundamentally, XSS is a confusion of interests”

“A mashup is a self-inflicted XSS attack!”

From the master…

Douglas Crockford - JavaScript Architect, Yahoo

Page 8: JSFoo Chennai 2012

Restricting JavaScript to a subset

Object-capability security model

Idea: if an object in JavaScript has no reference to the “XMLHttpRequest” object, an AJAX call cannot be made.

Popular JavaScript subsets: Caja (iGoogle), FBJS (Facebook), ADSafe (Yahoo)

Learning curve, usability issues

Script Isolation

Page 9: JSFoo Chennai 2012

Separate security context for each origin

Less interactive than JS approach

Comply with SOP

Isolation with Frames

<!-- This is allowed: page in same origin -->
<iframe src="sameDomainPage.html"></iframe>
<script>
  // frames[0] is the child window, so read its .document (contentDocument lives on the <iframe> element, not the window)
  window.onload = function () { alert(frames[0].document.body); }; // works fine
</script>

<!-- This is NOT allowed: page outside origin -->
<iframe src="http://crossDomain.com"></iframe>
<script>
  window.onload = function () { alert(frames[0].document.body); }; // throws error (SOP restriction)
</script>

Page 10: JSFoo Chennai 2012

Beware! Frames can be navigated to different origins!

Frame navigation is NOT the same as SOP!

Frame-Frame relationships: Can script in Frame A modify the DOM of Frame B? Can script in Frame A “navigate” Frame B?

Frame Navigation

<iframe src="http://crossDomain.com"></iframe>

<!-- This is NOT allowed: reading the cross-origin frame's URL -->
<script>
  window.onload = function () { alert(frames[0].location.href); }; // throws error (SOP restriction)
</script>

<!-- This is allowed: changing where the cross-origin frame points -->
<script>
  window.onload = function () { frames[0].location = "http://bing.com"; }; // works fine (frame navigation)
</script>

Page 11: JSFoo Chennai 2012

awglogin

window.open("https://attacker.com/", "awglogin");

Cross window attack

Courtesy: Stanford Web Security Lab

Page 12: JSFoo Chennai 2012

top.frames[1].location = "http://www.attacker.com/...";
top.frames[2].location = "http://www.attacker.com/...";

...

Same window attack

Courtesy: Stanford Web Security Lab

Page 13: JSFoo Chennai 2012

Permissive

Child

Descendant

Window

Frame Navigation Policies
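The four policies on this slide, modelled as an added example (not code from the deck) following the definitions in the Barth, Jackson and Mitchell paper listed in the references: permissive lets any frame navigate any other, window restricts navigation to frames in the same top-level window, descendant to frames nested inside the navigator, and child to its direct children. The frame tree and names are constructed for illustration.

```javascript
// Added example: a toy model of frame navigation policies.
// Frames are plain objects that know their parent; the top-level
// window has parent === null. Nothing here touches a real browser.

function makeFrame(name, parent) {
  return { name, parent };
}

// Walk up to the top-level window of a frame.
function topOf(frame) {
  return frame.parent === null ? frame : topOf(frame.parent);
}

// True if `candidate` is nested (at any depth) inside `ancestor`.
function isDescendant(candidate, ancestor) {
  for (let f = candidate.parent; f !== null; f = f.parent) {
    if (f === ancestor) return true;
  }
  return false;
}

// Can `navigator` change the location of `target` under `policy`?
// A frame may always navigate itself (window.location = ...).
function canNavigate(policy, navigator, target) {
  if (navigator === target) return true;
  switch (policy) {
    case "permissive": // any frame may navigate any other frame
      return true;
    case "window":     // only frames in the same top-level window
      return topOf(navigator) === topOf(target);
    case "descendant": // only frames nested inside the navigator
      return isDescendant(target, navigator);
    case "child":      // only direct children of the navigator
      return target.parent === navigator;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Constructed tree (not a real page): the top window holds a login
// frame and an integrated gadget; the gadget holds an inner frame.
const topWin = makeFrame("top", null);
const login = makeFrame("login", topWin);
const gadget = makeFrame("gadget", topWin);
const inner = makeFrame("inner", gadget);
```

Under the window policy the gadget may retarget its sibling login frame (the same window attack on the previous slides); under the descendant or child policy that navigation is refused.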

Page 14: JSFoo Chennai 2012

FIM = Fragment Identifier Messaging

Limited data, no acknowledgements.

Navigation doesn’t reload page

Not a secure channel

// Sender.html
function send() {
  var iframe = document.getElementById("receiver"); // assumes <iframe id="receiver" src="http://localhost/receiver.html">
  iframe.src = "http://localhost/receiver.html#data"; // only the fragment changes, so the frame is not reloaded
}

// Receiver.html
function read() { var data = window.location.hash; /* "#data" */ }
window.onload = read;       // fragment already present at first load
window.onhashchange = read; // later sends do not reload the page, so listen for hash changes

Frame Communication - FIM

Page 15: JSFoo Chennai 2012

HTML5 postMessage API-the savior!

Cross-origin client side communication

Network-like channel between frames

Securely abstracts multiple principals

Frames can integrate widgets with improved trust!

Frame Communication – HTML5

Page 16: JSFoo Chennai 2012

targetOrigin can be a trusted source or the wildcard "*"

// Posting a message to a cross-domain partner
frames[0].postMessage("Hello Partner!", "http://localhost:81/");

// Retrieving the message from the sender
window.onmessage = function (e) {
  if (e.origin === "http://localhost") {
    // sanitize and accept e.data
  }
};

postMessage API

Syntax: otherwindow.postMessage(message, targetOrigin);
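The origin checks behind the Same Origin Policy slide and the postMessage receiver above, as an added example (not code from the deck) that runs under Node.js: origins are compared as the full scheme://host:port triple, and a received message is accepted only on an exact match against a list of trusted origins. The URLs and the message "events" are constructed stand-ins for what a browser would deliver to window.onmessage.

```javascript
// Added example: exact-match origin handling for SOP and postMessage.

// Serialize a URL to its origin (scheme://host:port). The WHATWG URL
// parser drops default ports, so "http://bing.com:80/x" -> "http://bing.com".
function originOf(url) {
  return new URL(url).origin;
}

// Same Origin Policy: scheme, host and port must all match.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Receiver side: accept only if event.origin is exactly a trusted origin.
// No wildcard, no substring or prefix match, no unanchored regex.
function acceptMessage(event, trustedOrigins) {
  if (!trustedOrigins.includes(event.origin)) {
    return null; // drop silently; never act on data from an unknown origin
  }
  return String(event.data); // still treat the payload itself as untrusted input
}

// Sender side: derive targetOrigin from the partner's URL instead of "*",
// so the browser refuses delivery if the frame has been navigated elsewhere.
function targetOriginFor(partnerUrl) {
  return originOf(partnerUrl);
}

// Constructed sample data (not real browser events).
const trusted = [originOf("http://localhost:81/")];
const fromPartner = { origin: "http://localhost:81", data: "Hello Partner!" };
const fromLookalike = { origin: "http://localhost.example-attacker.test:81", data: "x" };
const fromOtherPort = { origin: "http://localhost", data: "y" };
```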

Page 17: JSFoo Chennai 2012

Sandbox – whitelisting restrictions on iframe content

<iframe sandbox src="http://attacker.com"></iframe>

Disable scripts, forms, popups, top navigation etc.

CORS – Access-Control-Allow-Origin

HTML5 Sandbox and CORS

Diagram labels: AJAX, postMessage, CORS

Page 18: JSFoo Chennai 2012

Framed sites are susceptible to clickjacking & frame phishing attacks

Bust frames, avoid surprises.

Caution: Framing attacks

Left: Genuine communication

Right: Stealing data with Recursive Mashup Attack

Page 19: JSFoo Chennai 2012

References

“Secure Frame Communication in Browsers” - Adam Barth, Collin Jackson, John Mitchell - Stanford Web Security Research Lab

W3C HTML5 Specification -

http://www.w3.org/TR/html5/

Dive into HTML5 – http://diveintohtml5.info

Page 20: JSFoo Chennai 2012

http://novogeek.com

@novogeek

Thank you!