Beware of Finer-Grained Origins - PowerPoint PPT Presentation
1
Beware of Finer-Grained Origins
  • Collin Jackson
  • Adam Barth
  • Stanford University

2
Security Context Determined By URL
  • "Origin"
  • https://login.yahoo.com/config/login
  • Components marked on the URL: Scheme (https), Host (login.yahoo.com), (Port)
3
Sub-Origin Privileges
Origin Contamination
4
Trust Specified By URL
  • Import
  • <script src="prototype.js"></script>
  • <link rel="stylesheet" href="base.css">
  • Export
  • <form action="login.cgi">
  • var xhr = new XMLHttpRequest()
  • xhr.open("POST", "ajax.php")

5
Threat Models
  • Web Attacker
  • https://www.attacker.com
  • Free user visit
  • Upgrade Network Attacker
  • Eavesdrop
  • Corrupt network traffic
  • Upgrade Cert-Mismatch Attacker
  • User clicks through certificate errors
  • Attacker still does not have the trusted site's certificate
  • Cross-Path Attacker
  • Same origin as good site, different path

6
Browser Features
7
Mixed Content
8
WSKE
  • Web Server Key-Enabled Cookies
  • Secure cookies only sent for same TLS key

9
Locked SOP
  • Finer-grained origin (scheme, host, port, broken)
  • Broken HTTPS page can't script valid HTTPS page
  • Banks often import libraries
  • <script src="https://www.paypalobjects.com/...">
  • User clicks through cert error for paypalobjects.com
  • Real PayPal imports script from paypalobjects.com
  • Attacker runs script as unbroken PayPal
  • Sites cannot safely use <script src="">, CSS, SWF, etc.

10
More Anti-Phishing using Certificates
  • Ignore the address bar, use cert instead
  • Extended Validation
  • Passpet
  • Petname
  • What about ?

11
TLS Forwarding
  • Certificate belongs to bank
  • Domain name belongs to attacker
  • Attacker can hijack session at any time
  • Certificate UI is confused

12
TLS Forwarding Example
13
TLS Forwarding - Consequences
  • Might not be PayPal
  • This is really PayPal, right?

14
TLS Forwarding Network Attack
  • Origin contamination
  • Polluted cache

15
Firefox enablePrivilege API
16
Abusing enablePrivilege
  • Relies on certificate, ignores host name
  • Signed HTML can import libraries and be scripted
    by its origin
  • Is this code really from Yahoo!?

17
Cookie Paths
  • http://www.stanford.edu/alice
  • Set-Cookie: skrt=04f4; path=/alice
  • http://www.stanford.edu/eve
  • Set-Cookie: skrt=52f9; path=/eve
  • <iframe src="/alice"></iframe>
  • alert(frames[0].document.cookie)

18
DNS Rebinding Attack
[DWF96, R01]
<iframe src="http://www.evil.com">
DNS-SEC cannot stop this attack
Diagram: Firewall; ns.evil.com DNS server; www.evil.com web server (171.64.7.115); corporate web server (192.168.0.100)
  • Read permitted: it's the same origin

19
IP-based Origins
  • Finer-grained origin (scheme, host, port, IP)
  • www.evil.com (192.168.0.100) imports
  • <script src="prototype.js"></script>
  • www.evil.com (171.64.7.115) serves evil script
  • Read contents of document
  • POST it back to www.evil.com
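Added toy model, not part of the slides, of the contamination path that slides 9 and 19 share: a document's finer-grained label is inherited by whatever it imports, so the party that actually serves the import runs with the document's privileges. The `Origin`, `Fetch` and `Document` names, the party labels and the `strict` switch are my constructs; the hosts and IP addresses are the ones on the slides.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Origin:  # the usual (scheme, host, port) plus one finer-grained component
    scheme: str
    host: str
    port: int
    extra: str = ""  # "" = clean; "broken" = clicked-through cert error; or an IP

@dataclass(frozen=True)
class Fetch:  # one resource fetch and the label it would get as a top-level page
    url: str
    served_by: str  # "legit" or "attacker" (constructed party names)
    label: Origin
class Document:
    def __init__(self, origin: Origin):
        self.origin = origin
        self.running = []  # (served_by, origin the script runs as)

    def import_script(self, fetch: Fetch, strict: bool) -> bool:
        # strict=False: Locked SOP alone. The import runs in the importing
        # document's origin however it was delivered, so whoever served it
        # inherits the document's privileges (origin contamination).
        # strict=True: simplified "Destroy" approach (slide 23). An import whose
        # label differs in the finer-grained component is refused: the page
        # loses a library rather than its integrity.
        if strict and fetch.label.extra != self.origin.extra:
            return False
        self.running.append((fetch.served_by, self.origin))
        return True

    def parties_running_as_me(self) -> set:
        return {who for who, o in self.running if o == self.origin}

def locked_sop_scenario(strict: bool) -> set:
    # Slide 9: the user clicked through a cert error for paypalobjects.com, so a
    # network attacker answers for it; the clean PayPal page imports from it.
    paypal = Document(Origin("https", "www.paypal.com", 443))
    lib = Fetch("https://www.paypalobjects.com/lib.js", "attacker",
                Origin("https", "www.paypalobjects.com", 443, "broken"))
    paypal.import_script(lib, strict)
    return paypal.parties_running_as_me()

def ip_origin_scenario(strict: bool) -> set:
    # Slide 19: DNS rebinding. The page loaded while www.evil.com resolved to the
    # corporate 192.168.0.100; prototype.js is fetched after rebinding to 171.64.7.115.
    corp = Document(Origin("http", "www.evil.com", 80, "192.168.0.100"))
    lib = Fetch("http://www.evil.com/prototype.js", "attacker",
                Origin("http", "www.evil.com", 80, "171.64.7.115"))
    corp.import_script(lib, strict)
    return corp.parties_running_as_me()
```

With `strict=False` both scenarios report the attacker running as the clean document; with `strict=True` the import is dropped and nobody foreign runs in that origin.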

20
SOLUTIONS
21
Embrace
  • Grant privileges to origins
  • Cross-site XHR
  • XDomainRequest
  • Frame Navigation
  • Local Storage
  • postMessage
  • Phishing Filter
  • Password Database
22
Extend
  • Include fine-grained origin in URL
  • YURL
  • https://y-cl7h3f7jwyj3fvmw7jpnjfvf2xlcmayi.yurl.net/
  • HTTPEV
  • httpev://www.paypal.com/

23
Destroy
  • Problem: documents that lack the sub-origin privilege
  • Eliminate privilege
  • SafeLock
  • Eliminate document
  • ForceHTTPS
  • ForceCertificate
  • Strict Petname

24
Solutions
25
Solutions
26
Summary
  • Sub-origin privileges don't work
  • Origin contamination
  • Privilege escalation via script injection
  • Beware of finer-grained origins
  • Trust specified by URL
  • Import/Export
  • Three approaches for new features
  • Embrace, extend, destroy