Identifying Cross-origin Resource Status Using Application Cache
2015 Network and Distributed System Security Symposium
Sangho Lee, Hyungsub Kim, and Jong Kim, POSTECH, Korea
February 9, 2015
Web, HTML5, and Threats
• Web and HTML5
  • The most popular distributed application platform
  • Rich functionality introduced by HTML5
• Security and privacy threats
  • Popularity attracts a lot of adversaries.
  • Rich functionality opens security and privacy holes.
• Discovering unrevealed threats of the Web and HTML5 is important.
NDSS2015 2
HTML5 Application Cache (AppCache)
• Enabling technology for offline web applications
  • Specify resources to be cached in a web browser
  • Allow fast and offline access to the cached resources
• Potential threat of AppCache
  • Arbitrary cross-origin resources are cacheable.
  • Neither server- nor client-side control
  • Error handling can breach user privacy.
  • Recognize whether a user can cache specific resources
Motivation and Goal
• Motivation
  • In-depth security analysis of new web functionalities is necessary.
  • Security analysis of AppCache is insufficient despite its wide deployment.
• Research goal
  • Analyze and solve security problems of AppCache
  • Discover security problems of AppCache
  • Suggest an effective countermeasure against the security problems
Contents
• Introduction
• AppCache Details
  • Declaration
  • Procedure and Failure
  • Non-cacheable URLs
• URL Status Identification Attack
• Discussion
• Conclusion
AppCache Declaration
HTML document declaring AppCache:
<html manifest="example.appcache">…</html>

AppCache manifest (example.appcache):
CACHE MANIFEST
CACHE:
/logo.png
https://example.cdn.com/external.jpg
NETWORK:
*
FALLBACK:
/ /offline.html
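The manifest format above is simple enough to parse in a few lines, and doing so is a useful defensive check: because AppCache lets a manifest list arbitrary cross-origin resources, a site can audit its own manifests for entries that point outside its origin. The following is an added example, not code from the paper or from any browser; it parses the manifest shown on the slide and reports the cross-origin CACHE entries. The manifest origin https://example.com and the function names are assumptions made for the example.

```javascript
// Added example (not from the paper): a minimal AppCache manifest parser plus an
// audit helper that lists CACHE entries whose origin differs from the manifest's.
// EXAMPLE_MANIFEST is the manifest shown on the slide; the origin
// https://example.com used below is an assumption for this example.

const EXAMPLE_MANIFEST = `CACHE MANIFEST
CACHE:
/logo.png
https://example.cdn.com/external.jpg
NETWORK:
*
FALLBACK:
/ /offline.html
`;

// Parse manifest text into its three sections. Lines before any section
// header belong to the explicit (CACHE) section; '#' lines are comments.
function parseManifest(text) {
  const lines = text.split(/\r\n|\r|\n/);
  if (lines[0].trim() !== 'CACHE MANIFEST') {
    throw new Error('not an AppCache manifest (missing "CACHE MANIFEST" magic line)');
  }
  const manifest = { cache: [], network: [], fallback: [] };
  let section = 'cache';
  for (const raw of lines.slice(1)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    if (line === 'CACHE:') { section = 'cache'; continue; }
    if (line === 'NETWORK:') { section = 'network'; continue; }
    if (line === 'FALLBACK:') { section = 'fallback'; continue; }
    if (section === 'fallback') {
      // FALLBACK entries are "<namespace> <fallback-url>" pairs.
      const [pattern, fallbackUrl] = line.split(/\s+/);
      manifest.fallback.push([pattern, fallbackUrl]);
    } else {
      manifest[section].push(line);
    }
  }
  return manifest;
}

// Resolve every CACHE entry against the manifest's origin and keep the ones
// whose resolved origin differs: these are the cross-origin resources the
// manifest would make the browser fetch and store.
function crossOriginCacheEntries(manifest, manifestOrigin) {
  const base = new URL(manifestOrigin);
  return manifest.cache.filter((entry) => new URL(entry, base).origin !== base.origin);
}

// Usage: audit the slide's manifest as if it were served from https://example.com.
console.log(crossOriginCacheEntries(parseManifest(EXAMPLE_MANIFEST), 'https://example.com'));
```

Run on the slide's manifest, the audit reports only https://example.cdn.com/external.jpg; /logo.png resolves to the manifest's own origin and the FALLBACK and NETWORK sections are not cached resources, so they are left out of the check.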
AppCache Procedure
Figure: the AppCache procedure between the web browser, site1.com, and site2.com
• Visit a web page declaring AppCache
• Fetch and decode the manifest
• Re-fetch the manifest to check changes
• Download the resources listed in the manifest
When Does AppCache Fail?
Figure: the AppCache procedure between the web browser, site1.com, and site2.com, with its failure points
• Visit a web page declaring AppCache
• Fetch and decode the manifest: fails on an invalid or erroneous manifest
• Re-fetch the manifest to check changes: fails on a changed manifest
• Download the resources listed in the manifest: fails on non-cacheable resources
Any failure rolls back AppCache to maintain content consistency.
Non-cacheable URLs
• Invalid URL
  • No content to be cached
• Dynamic URL
  • Caching dynamic content is less meaningful.
  • Cache-Control: no-store or no Content-Length
• URL with redirections
  • The final URL can be dynamically changed.
  • Violation of the same-origin policy is possible.
  • A cached resource is referred to by the URL specified in the manifest
Contents
• Introduction
• AppCache Details
• URL Status Identification
  • Basics and Advantages
  • Attack Procedure
  • Concurrent Attack
  • Application: Determining Login Status
• Discussion
• Conclusion
URL Status Identification
• Basics
  • Specify a target URL in an AppCache manifest
  • Check whether AppCache succeeds or fails
• Advantages
  • Deterministic identification: no timing measurement needed
  • Identification of URL redirections
  • Scriptless attack
Attack Procedure: Cacheable URL
Figure: the procedure between the web browser, attack.com, and target.com
• Visit a web page declaring AppCache
• Fetch and decode the manifest
• Re-fetch the manifest to check changes
• Download the target resource
• Record browser info.
• Identify success
• Succeed
• Refresh (optional)
• Re-fetch the manifest to check changes
Page refreshing lets AppCache check the manifest's changes.
Attack Procedure: Non-cacheable URL
Figure: the procedure between the web browser, attack.com, and target.com
• Visit a web page declaring AppCache
• Fetch and decode the manifest
• Re-fetch the manifest to check changes
• Download the target resource
• Record browser info.
• Identify failure
• Fail
• Refresh (optional)
• Visit a web page declaring AppCache
… A browser doesn't re-fetch the manifest when the target URL is non-cacheable.
Page refreshing initiates an AppCache procedure from the beginning.
Concurrent Attack
Concurrently inspecting multiple target URLs with multiple iframe tags, web pages, & manifests

attack_all.php:
<html>
<iframe src="attack_each.php?target=http://target1.com"></iframe>
<iframe src="attack_each.php?target=http://target2.com"></iframe>
…
</html>

attack_each.php (one page per target):
<html manifest="manifest.php?target=http://target1.com"></html>
<html manifest="manifest.php?target=http://target2.com"></html>
…

manifest.php (one manifest per target):
CACHE MANIFEST
CACHE:
http://target1.com
NETWORK:
*

CACHE MANIFEST
CACHE:
http://target2.com
NETWORK:
*
…
Application: Determining Login Status
URLs redirecting non-logged-in browsers to login pages:
amazon.com/gp/yourstore/home → amazon.com/ap/signin?...
tumblr.com/dashboard → tumblr.com/login?redirect_to=/dashboard
youtube.com/feed/subscriptions → accounts.google.com/ServiceLogin?...

Private URLs returning errors to unauthorized browsers:
bitbucket.org/account/user/<user-id>
github.com/<user-id>/<repository-name>/settings
<blog-id>.wordpress.com/wp-admin

Determine login status by inspecting URLs with conditional redirections or errors
Contents
• Introduction
• AppCache Details
• URL Status Identification Attack
• Discussion
  • Problematic Countermeasures
  • Countermeasure: Cache-Origin
  • Service Worker
• Conclusion
Problematic Countermeasures
• Ask user permission for AppCache
  • Vulnerable to careless users
• Always/never check changes in manifests
  • Vulnerable to page refreshing attacks
  • Content inconsistency problem
• Eliminate web pages having conditional behaviors
  • Detection and modification of all vulnerable web pages are challenging.
Countermeasure: Cache-Origin
• Attach a Cache-Origin header when requesting resources during AppCache
  • Contains the manifest's origin
  • Notifies a web application of who initiated an AppCache procedure
  • Resembles the Origin header of CORS
• Abort suspicious AppCache procedures by returning no-store or an error code
  • Suspicious: procedures that cache sensitive resources
  • Suspicious: procedures initiated by doubtful servers
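What the server-side half of this countermeasure looks like, as an added example that is not code from the paper: a response policy for a Node.js server that reads the proposed Cache-Origin request header and answers with Cache-Control: no-store or an error code when the AppCache procedure was started by a foreign origin or targets a sensitive resource. Cache-Origin is the paper's proposal rather than a header shipping browsers send, and the function name, the policy that only the server's own origin may AppCache its resources, and the origins used in the usage lines are assumptions made for this example.

```javascript
// Added example (not the paper's code): server-side policy for the proposed
// Cache-Origin request header. Assumes Node.js, where incoming header names are
// lowercased, and assumes the server only wants its own origin to AppCache the
// resources it serves. Cache-Origin is the paper's proposal, not a header that
// current browsers send; its value is assumed to be a serialized origin
// (scheme://host[:port]), like the CORS Origin header.

// Decide the status code and extra response headers for a resource request.
//   requestHeaders: the request's headers (lowercase names, as in Node's req.headers)
//   selfOrigin:     this server's own serialized origin
//   sensitive:      whether the requested resource is private (e.g. account pages)
function appCacheResponsePolicy(requestHeaders, selfOrigin, sensitive) {
  const cacheOrigin = requestHeaders['cache-origin'];

  // No Cache-Origin header: an ordinary navigation or fetch, not an AppCache
  // download, so the resource is served exactly as usual.
  if (cacheOrigin === undefined) {
    return { status: 200, headers: {}, reason: 'not an AppCache request' };
  }

  // Same origin as the manifest and not sensitive: our own offline app is
  // caching a public resource, which is the intended use of AppCache.
  if (cacheOrigin === selfOrigin && !sensitive) {
    return { status: 200, headers: {}, reason: 'same-origin AppCache of a public resource' };
  }

  // Foreign manifest origin, or an attempt to cache a sensitive resource:
  // abort the AppCache procedure. The response is the same whether or not the
  // user is logged in, so AppCache fails in both cases and its success/failure
  // no longer reveals the user's status on this site. Both mitigations the
  // paper names are applied: an error code and Cache-Control: no-store.
  return {
    status: 403,
    headers: { 'Cache-Control': 'no-store' },
    reason: sensitive ? 'sensitive resource' : 'AppCache initiated by ' + cacheOrigin,
  };
}

// Usage (origins are placeholders for this example): decide how to answer
// three requests for an account settings page on https://site.example.
console.log(appCacheResponsePolicy({}, 'https://site.example', true));
console.log(appCacheResponsePolicy({ 'cache-origin': 'https://site.example' }, 'https://site.example', false));
console.log(appCacheResponsePolicy({ 'cache-origin': 'https://attacker.example' }, 'https://site.example', false));
```

The important property is the last branch: for a request that arrives with a foreign Cache-Origin, the answer must not depend on the user's cookies or login state, otherwise the conditional behaviour the attack exploits simply moves from the resource to the countermeasure.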
Service Worker
• Provides scriptable caches as an alternative to AppCache
  • Intercepts and responds to network requests from certain web pages
• Has the same policy as AppCache for handling URL redirections and errors
  • Also vulnerable to our attacks
Conclusion
• We introduced a new web privacy attack using HTML5 AppCache.
  • Identifies the status of cross-origin resources
  • Does not rely on client-side scripts
  • Can attack major web browsers
• We suggested a Cache-Origin request-header field to mitigate our attacks.
  • Minor variation of the Origin header
  • Easy deployment