Cross Origin Resource Inclusion

Post on 07-Nov-2014


Transcript

Julian Cohen HockeyInJune@isis.poly.edu

OWASP DC August 2011

Agenda

Asynchronous JavaScript and XML

Web 2.0 Design Trends

Same Origin Policy

Cross-Origin Resource Sharing

Exploitation

Some Thoughts

Solutions

Asynchronous JavaScript and XML (AJAX): HOW DOES IT WORK?

A simple way to refresh content dynamically

Prevents having to refresh the entire page

Originally

AJAX used for continuously updating content only

Today

AJAX is used for EVERYTHING

AJAX is being used more and more

Frameworks automatically use AJAX

Same Origin Policy: scripts are confined to their originating site; XMLHttpRequest() follows the SOP

Demonstration

Cross-Origin Resource Sharing (CORS): HOW DOES IT WORK?

Allows XMLHttpRequest to make cross-origin requests

Checks the remote host to see if it allows cross-origin requests

http://www.w3.org/TR/cors/

Same Origin Policy: scripts are confined to their originating site; XMLHttpRequest() follows the SOP

Cross-Origin Resource Sharing: documents are confined to their originating site; XMLHttpRequest() checks with the remote host whether the request is allowed

Document Object Children

site: safe.com

<html>
  <head>
    <!-- a cross-origin script included by safe.com runs inside safe.com's document -->
    <script src="http://malicious.com/"></script>
  </head>
</html>

Different Document Objects

Frames

Windows

Cookies

Demonstration

Cross-origin DOM objects are owned by different Document objects

Setting innerHTML changes the ownerDocument property of DOM objects

http://dev.w3.org/html5/spec/Overview.html#innerhtml

Cookies are stolen client-side because of the injected resource

The cookies were never sent cross-origin by the browser

Functionality exists: Access-Control-Allow-Credentials

Static Analysis

grep XMLHttpRequest

Dynamic Analysis

Google Chrome Developer Tools breakpoint

Taint analysis

Make cookies HttpOnly

Set Access-Control-Allow-Origin to null

Access-Control-Allow-Origin null by default

Only allow safe DOM objects on a cross-origin request
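As an added example that is not part of the slides, the mitigations above expressed as two checkable Node.js functions: a server-side header builder (HttpOnly cookie, an explicit CORS origin allowlist with no Access-Control-Allow-Origin header at all for unknown origins, and no credentials) and a client-side check that only lets inert, allow-listed DOM elements through from a cross-origin response, falling back to plain-text insertion for everything else. The function names, the allowlists and the cookie value are assumptions made for the example.

```javascript
// Added example (not the slides' code): the talk's mitigations as checkable functions.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'br', 'span', 'a']);
const ALLOWED_ATTRS = new Set(['href', 'class', 'title']);

// Headers a resource server sends for a request carrying `requestOrigin`. Unknown origins
// get no Access-Control-Allow-Origin header, which the browser treats as a denied read.
function corsHeaders(requestOrigin, allowedOrigins) {
  const headers = {
    Vary: 'Origin',
    // HttpOnly keeps the session cookie out of reach of any injected script
    'Set-Cookie': 'session=PLACEHOLDER_VALUE; HttpOnly; Secure; Path=/',
  };
  if (allowedOrigins.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    // Access-Control-Allow-Credentials is deliberately never set
  }
  return headers;
}

// Tag and attribute tokenizers used by the fragment check below.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>"'/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>"'/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>"']+))?/g;

// Returns null when a cross-origin HTML fragment contains only inert markup (allow-listed
// tags and attributes, http(s) or site-relative links), otherwise a reason string.
// Any '<' that is not part of a recognised tag (comments, broken tags) is rejected.
function unsafeReason(fragment) {
  let cursor = 0;
  for (const m of fragment.matchAll(TAG_RE)) {
    if (fragment.slice(cursor, m.index).includes('<')) return 'unparsed "<" in text';
    cursor = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return `tag <${tag}> not allowed`;
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(name)) return `attribute ${name} not allowed`;
      const value = (a[2] || '').replace(/^["']|["']$/g, '').trim();
      if (name === 'href' && !/^(https?:\/\/|\/)/i.test(value)) return 'href must be http(s) or site-relative';
    }
  }
  if (fragment.slice(cursor).includes('<')) return 'unparsed "<" in text';
  return null;
}

// How the including page should insert a cross-origin response: as markup only when the
// check passes, otherwise as plain text via textContent so nothing executes.
function insertionMode(fragment) {
  return unsafeReason(fragment) === null ? 'innerHTML' : 'textContent';
}
```

The check is deliberately conservative: it rejects rather than repairs, so a response it cannot fully account for is shown as text instead of becoming part of the including document.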

http://isisblogs.poly.edu/?p=26
