JavaScript is mischievous: Handle 3rd party content with care!
Krishna Chaitanya T
Security & Privacy Research Lab, Infosys Labs
Jan 15, 2015
Mashups…
So we know what a mashup is..
A web application which combines content from multiple origins to create a new service
Integrator - the party combining the content
Gadget - the integrated content
Provides more value add
Fun, easy to DIY. It’s all JS madness!
Mashups & security
Approaches: Embedding external scripts; Loading content via iframes
Requirements: Interaction; Communication
Security: Isolation of origins; Secure data exchange
Same Origin Policy
Browser has to isolate different origins
Origin = protocol://host:port
http://bing.com, http://localhost:81/, https://icicibank.com
Privileges within an origin: Full network access; Read/Write access to DOM; Storage
Scripts of one origin cannot access the DOM of another
Strangely, scripts themselves are exempted from SOP!!
Script based approach
Very good interactivity
Assumption – Script is from a trusted source
No isolation of origin
Embedded scripts have the privileges of the importing page, NOT the source server
Ads, widgets, AJAX libraries all have the same rights
From the master…
Douglas Crockford - JavaScript Architect, Yahoo
“SOP - Prevents useful things. Allows dangerous things”
“If there is script from two or more sources, the application is not secure. Period.”
“Fundamentally, XSS is a confusion of interests”
“A mashup is a self-inflicted XSS attack!”
Script Isolation
Restricting JavaScript to a subset
Object-capability security model
Idea: If an object in JavaScript has no reference to the “XMLHttpRequest” object, an AJAX call cannot be made.
Popular JavaScript subsets: Caja (iGoogle), FBJS (Facebook), ADsafe (Yahoo)
Learning curve, usability issues
Isolation with Frames
Separate security context for each origin
Less interactive than the JS approach
Complies with SOP
<!-- This is allowed: the framed page is in the same origin -->
<iframe src="sameDomainPage.html"></iframe>
<script>
  alert(frames[0].contentDocument.body); // works fine
</script>
<!-- This is **NOT** allowed: the framed page is outside the origin -->
<iframe src="http://crossDomain.com"></iframe>
<script>
  alert(frames[0].contentDocument.body); // throws error
</script>
Frame Navigation
Beware! Frames can be navigated to different origins!
Frame navigation is NOT the same as SOP!
Frame-Frame relationships: Can script in Frame A modify the DOM of Frame B? Can script in Frame A “navigate” Frame B?
<iframe src="http://crossDomain.com"></iframe>
<script>
  // This is **NOT** allowed: reading the cross-origin frame's URL
  alert(frames[0].location.href); // throws error – SOP restriction
  // This is allowed: pointing the frame at another URL
  frames[0].location = "http://bing.com"; // works fine - frame navigation
</script>
Cross window attack
A frame named "awglogin" can be targeted by name from another window:
window.open("https://attacker.com/", "awglogin");
Courtesy: Stanford Web Security Lab
Same window attack
top.frames[1].location = "http://www.attacker.com/...";
top.frames[2].location = "http://www.attacker.com/...";
...
Courtesy: Stanford Web Security Lab
Frame Navigation Policies
Permissive
Child
Descendant
Window
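The following is an added example, not code from the slides: a toy frame tree used to compare the four navigation policies listed above. The policy wording (permissive: any frame may navigate any frame; window: only frames in the same top-level window; descendant: only frames nested below the navigator; child: only direct children) follows the Stanford paper the deck cites, but the descendant rule is simplified here to pure tree structure, whereas real browsers also compare origins. Every frame name below is constructed for the demo.

```javascript
// Added example for this page (not the slides' own code): a toy frame tree
// used to compare the four frame navigation policies the slide names.
// Policy wording follows the Stanford paper the deck cites; the descendant
// policy is simplified to pure tree structure here (real browsers also
// compare origins). All frame names below are constructed.

function makeFrame(name, parent = null) {
  const frame = { name, parent, children: [] };
  if (parent) parent.children.push(frame);
  return frame;
}

// Walk up to the top-level window that contains a frame.
function topOf(frame) {
  let f = frame;
  while (f.parent) f = f.parent;
  return f;
}

// True when `candidate` is a strict ancestor of `frame`.
function isAncestor(candidate, frame) {
  for (let f = frame.parent; f; f = f.parent) {
    if (f === candidate) return true;
  }
  return false;
}

// Each policy answers one question: may `nav` change the location of `target`?
const POLICIES = {
  // Permissive: any frame may navigate any other frame. The "same window
  // attack" on the slides (a gadget navigating its siblings) works here.
  permissive: () => true,
  // Window: only frames that share the navigator's top-level window.
  window: (nav, target) => topOf(nav) === topOf(target),
  // Descendant: only the navigator itself and frames nested below it.
  descendant: (nav, target) => nav === target || isAncestor(nav, target),
  // Child: only the navigator itself and its direct children.
  child: (nav, target) => nav === target || target.parent === nav,
};

function mayNavigate(policy, nav, target) {
  const rule = POLICIES[policy];
  if (!rule) throw new Error("unknown policy: " + policy);
  return rule(nav, target);
}

// Constructed mashup: an integrator page holding two sibling gadgets,
// one of which nests a further frame, plus an unrelated top-level window.
const integrator = makeFrame("integrator");
const loginGadget = makeFrame("login", integrator);
const adGadget = makeFrame("ad", integrator);
const adInner = makeFrame("ad-inner", adGadget);
const otherTab = makeFrame("other-tab");

// Can the ad gadget navigate its sibling login gadget under each policy?
function siblingNavigationTable() {
  const table = {};
  for (const name of Object.keys(POLICIES)) {
    table[name] = mayNavigate(name, adGadget, loginGadget);
  }
  return table;
}

console.log(siblingNavigationTable());
// { permissive: true, window: true, descendant: false, child: false }
```

The table shows why the slides single out the descendant and child policies: under both, a gadget can only navigate what it embeds itself, so a sibling login frame cannot be silently redirected.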
Frame Communication - FIM
FIM = Fragment Identifier Messaging
Limited data, no acknowledgements.
Navigation doesn’t reload the page
Not a secure channel
// Sender.html
var iframe = document.querySelector("iframe");
function send() {
  iframe.src = "http://localhost/receiver.html#data";
}
// Receiver.html
// A fragment-only navigation does not reload the page, so listen for
// hash changes rather than relying on load alone.
var data;
window.onhashchange = function () {
  data = window.location.hash;
};
Frame Communication – HTML5
HTML5 postMessage API - the savior!
Cross-origin client side communication
Network-like channel between frames
Securely abstracts multiple principals
Frames can integrate widgets with improved trust!
postMessage API
Syntax:
otherwindow.postMessage(message, targetOrigin);
targetOrigin can be a trusted source or the wildcard “*”
// Posting a message to a cross domain partner
frames[0].postMessage("Hello Partner!", "http://localhost:81/");
// Retrieving the message from the sender
window.onmessage = function (e) {
  if (e.origin === "http://localhost") {
    // sanitize and accept data
  }
};
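As an added example (not the slides' own code), here is what "sanitize and accept data" can look like on the receiving side, together with a sending wrapper that refuses the wildcard targetOrigin. The trusted origins, the `greeting` payload field and the helper names are constructed for this demonstration; the decision logic is kept free of browser objects so it can run outside a page.

```javascript
// Added example for this page (not the slides' own code). Trusted origins and
// the `greeting` payload field are constructed for the demo.

const TRUSTED_ORIGINS = ["http://localhost:81", "https://partner.example"];

// Returns the accepted payload, or null when the message must be dropped.
function acceptMessage(event, trusted = TRUSTED_ORIGINS) {
  // Exact string match against the allow-list. A prefix or substring test
  // (e.g. origin.startsWith("http://localhost")) would also match
  // http://localhost.evil.example, so never do that.
  if (!trusted.includes(event.origin)) return null;

  // Treat the data as data: parse a structured JSON document, never eval()
  // it or write it into the DOM as HTML.
  let payload;
  try {
    payload = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return null;
  }
  if (!payload || typeof payload !== "object") return null;
  if (typeof payload.greeting !== "string") return null;

  // Copy out only the fields the receiver understands.
  return { greeting: payload.greeting, from: event.origin };
}

// Sender side: always name the partner's origin, so a frame that has been
// navigated elsewhere cannot read the message.
function sendToPartner(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
}

// Browser wiring: only this part touches window objects.
function installReceiver(win, onAccept) {
  win.addEventListener("message", (e) => {
    const msg = acceptMessage(e);
    if (msg) onAccept(msg);
  });
}

if (typeof window !== "undefined") {
  installReceiver(window, (m) => console.log("accepted", m));
}
```

Note that the origin check happens before any parsing, so a message from an unlisted origin never reaches the JSON parser or the page.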
HTML5 Sandbox and CORS
Sandbox – whitelisting restrictions on iframe content
<iframe sandbox src="http://attacker.com"></iframe>
Disables scripts, forms, popups, top navigation etc.
CORS – Access-Control-Allow-Origin
[Diagram: cross-origin communication options - AJAX, postMessage, CORS]
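The slide only names the Access-Control-Allow-Origin header, so the following added example (not from the deck) shows the server-side decision behind it: a weak variant that reflects any Origin with credentials, beside an allow-listed variant, wired into a small Node.js http server. The listed origins are constructed for the demo.

```javascript
// Added example for this page (not the slides' own code). The allowed origins
// are constructed; the server uses only Node's built-in http module.

const ALLOWED_ORIGINS = new Set(["http://localhost:81", "https://app.example"]);

// Weak setting: reflect whatever Origin the browser sent (or "*") and also
// allow credentials. Any site can then read authenticated responses.
function weakCorsHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin || "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected setting: grant only exact, listed origins; mark the response as
// varying by Origin so a shared cache never serves one origin's grant to
// another; unlisted origins get no CORS headers at all, so the browser
// blocks the read.
function corsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

function createServer() {
  const http = require("http");
  return http.createServer((req, res) => {
    const cors = corsHeaders(req.headers.origin);
    if (req.method === "OPTIONS") {
      // Preflight: answer with the grant (if any) and the allowed methods.
      res.writeHead(204, {
        ...cors,
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Content-Type",
      });
      res.end();
      return;
    }
    res.writeHead(200, { ...cors, "Content-Type": "application/json" });
    res.end(JSON.stringify({ ok: true }));
  });
}

function startServer(port) {
  return createServer().listen(port);
}
```

Call startServer(8080) to run it; a page at http://localhost:81 can then fetch from it with XMLHttpRequest, while a page at any other origin receives no Access-Control-Allow-Origin header and the browser refuses to expose the response.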
Caution: Framing attacks
Framed sites are susceptible to clickjacking & frame phishing attacks
Bust frames, avoid surprises.
[Figure] Left: Genuine communication. Right: Stealing data with Recursive Mashup Attack
References
“Securing Frame Communication in Browsers” - Adam Barth, Collin Jackson, John C. Mitchell - Stanford Web Security Research Lab
W3C HTML5 Specification - http://www.w3.org/TR/html5/
Dive into HTML5 – http://diveintohtml5.info
http://novogeek.com
@novogeek
Thank you!