Same-OriginPolicy:EvaluationinModernBrowsers

JörgSchwenk,MarcusNiemietz,ChristianMainka

Ruhr-UniversityBochum

Contents

1. Introduction &Foundations

2. Methodology &Evaluation

3. Limitations &AccessControlPolicies

4. Conclusions &FutureWork

2

1.Introduction &Foundations

3

4

window

document<html>

e.g.,main HTMLdocument

head<head>

body<body>

<img src="URL3"name="bear">

<script src="URL1">

doctypeHTML5

<linksrc="URL4">

img.src=URL3

Same-OriginPolicy

https://bank.com

!

Same-OriginPolicy

5

https://bank.com

https://bank.com

IBAN:DE234575684013Amount:$50

"

Same-OriginPolicy

6

https://bank.com

IBAN:DE234575684013Amount:$10

#JavaScript

https://bank.com

"

Same-OriginPolicy

7

https://attackers.org

https://bank.com

IBAN:DE133700000000Amount:$10,000

$JavaScript

%

❓

Same-OriginPolicy

8

https://attackers.org

https://bank.com

IBAN:DE234575684013Amount:$50

'JavaScript

"

9

window

document<html>

e.g.,main HTMLdocument e.g.,iFrame

head<head>

body<body>

<img src="URL3"name="bear">

<iframe src="URL2"id="ID1">

document<html>

doctypeXHTML

head<head>

<script src="URL1">

window.frames[0]

doctypeHTML5

body<body>

<linksrc="URL4">

img.src=URL3

id=ID1

DOM-SOP

!

DifferentSubsets Of SOPRules

• DOMaccess (SOP-DOM)• Local storage and session storage

• XMLHttpRequest

• Pseudoprotocols

• Plugins (e.g.,Flash,Silverlight,PDF)

• Window/tab

• HTTPcookies

10

Focus

• Subset of SOPrules according to these criteria– BrowserInteractions• Interactionof webobjects once they have been loaded

–WebOrigins(RFC6454as afoundation)• “Animageispassivecontentand,therefore,carriesnoauthority,meaningtheimagehasnoaccesstotheobjectsandresourcesavailabletoitsorigin”

11

Scalable Vector Graphics

<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" width="300" height="300"><script>alert(1)</script><circle cx="120" cy="120" r="110" fill="#fff" stroke="#000" stroke-width="8"/></svg>

<img src="test.svg"> <embed src="test.svg">

12

ResearchQuestions

• How is SOPfor DOMaccess (SOP-DOM)implemented inmodernbrowsers?

• Which parts of the HTMLmarkup influencesSOP-DOM?

• How does the detected behavior matchknown access control policies?

13

2.Methodology &Evaluation

14

SOP-DOMSetup:TestCases

EmbeddingElement(EE)

EmbeddedDocument(ED)

SOPread?

write?

read?

write?

HostDocument (HD)

WebObject

Subject:JavaScriptallowscriptexecution?

WebOriginED

{ee,sandbox,cors}

WebOriginHD

Subject:JavaScript

WebObject

15

Your-SOP.com Testbed

16

Your-SOP.com Testbed

17

DifferentBrowserBehaviors

§ >12%:Safari9§ Missingtype:image/svg+xml

§ FixedinSafari10.1

§ >35%:<canvas> andPNG/SVG(CORS)

§ >51%:<link> (CORS)

§ OneIE/EdgevulnerabilitywithoutusingCORS

18

Cross-OriginLoginOracleAttack

19

Cross-OriginLoginOracleAttack

• Webserverdelivers differentCSSfiles– Userlogged in or logged out?

• a.com attacks victim.com– <link type="text/css" rel="stylesheet"

href="//victim.com/style.css" />– <script>alert(document.styleSheets[0].cssRul

es[0].cssText)</script>

20

Cross-OriginLoginOracleAttack

21

3.Limitations &AccessControlPolicies

22

Limitations

• 15HTMLelements with src attributes– Several more with asimilar functionality

• Many sandbox attributes,ways to embed adocument,MIMEtypes,and pseudoprotocols

• <link>:imports,worker

• <svg>:JavaScriptviaxlink• Growing surface with each new feature

23

AccessControlPolicies

• Discretionary AccessControl(DAC)

• Role-Based AccessControl(RBAC)– EnhancedRBAC

• Attribute-Based AccessControl(ABAC)

24

4.Conclusions &FutureWork

25

Conclusions &FutureWork

• Differentbrowser data sets to identifyinconsistencies (edge cases are important)

• Discussion about access control policies mayhelp to understand the SOP-DOM

• FutureWork– OtherSOPsubsets,HTMLelements/attributes

– Pseudoprotocols

26

Thank you for your attention

marcus.niemietz@rub.de@mniemietz

27