Beware of Finer-Grained Origins Collin Jackson Adam Barth Stanford University

Post on 21-Dec-2015


Page 1

Beware of Finer-Grained Origins

Collin Jackson, Adam Barth

Stanford University

Page 2

Security Context Determined By URL

• "Origin" = Scheme, Host, (Port)

    https://login.yahoo.com/config/login

Page 3

Sub-Origin Privileges

Origin Contamination

Page 4

Trust Specified By URL

• Import

    <script src="prototype.js"></script>
    <link rel="stylesheet" href="base.css">

• Export

    <form action="login.cgi">

    var xhr = new XMLHttpRequest();
    xhr.open("POST", "ajax.php");

Page 5

Threat Models

• Web Attacker
  – https://www.attacker.com
  – Free user visit

• Upgrade: Network Attacker
  – Eavesdrop
  – Corrupt network traffic

• Upgrade: Cert-Mismatch Attacker
  – User clicks through certificate errors
  – Attacker still does not have trusted site’s certificate

• Cross-Path Attacker
  – Same “origin” as good site, different path

Page 6

Browser Features / Defenses

Feature                      Sub-Origin Privilege   Attacker / Origin Contamination (Library Import, Data Export)
Cookie Paths                 Read Cookie
WSKE                         Read Cookie
Certificate Errors (IE7)     Show Lock
EV                           Show Organization
Locked Same-Origin Policy    Read Cookie
Petname Toolbar              Show Petname
Passpet                      Obtain Password
Mixed Content                Show Lock              N/A
enablePrivilege              Install Software
IP-based Origins             Network Requests

Page 7

Mixed Content

Page 8

WSKE

• Web Server Key-Enabled Cookies
  – “Secure” cookies only sent for same TLS key

Page 9

Locked SOP

• Finer-grained origin (scheme, host, port, broken)
  – “Broken” HTTPS page can’t script valid HTTPS page

• Banks often import libraries
  – <script src="https://www.paypalobjects.com/...">
  – User clicks through cert error for paypalobjects.com
  – Real PayPal imports script from paypalobjects.com
  – Attacker runs script as “unbroken” PayPal

Sites cannot safely use <script src="…">, CSS, SWF, etc.

Page 10

More Anti-Phishing using Certificates

• Ignore the address bar, use cert instead

• Extended Validation

• Passpet

• Petname

• What about ?

Page 11

TLS Forwarding

• Certificate belongs to bank

• Domain name belongs to attacker

• Attacker can hijack session at any time

• Certificate UI is confused

Page 12

TLS Forwarding Example

Page 13

TLS Forwarding - Consequences

• Might not be PayPal

• This is really PayPal, right?

Page 14

TLS Forwarding Network Attack

• Origin contamination

• Polluted cache

Page 15

Firefox enablePrivilege API

Page 16

Abusing enablePrivilege

• Relies on certificate, ignores host name

• Signed HTML can import libraries and be scripted by its origin

• Is this code really from Yahoo!?

Page 17

Cookie Paths

• http://www.stanford.edu/~alice

    Set-Cookie: skrt=04f4; path=/~alice

• http://www.stanford.edu/~eve

    Set-Cookie: skrt=52f9; path=/~eve

    <iframe src="/~alice"></iframe>
    alert(frames[0].document.cookie);
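
An added example, not part of the original slides: a constructed model that puts cookie path matching next to the same-origin check, showing why the path= attribute on the two cookies above is not a security boundary. The jar contents mirror the slide; the function names and the use of the RFC 6265 path-match rule are assumptions of the example.

```javascript
// Added example: constructed model, not browser source code.
function origin(url) {
  return new URL(url).origin; // "scheme://host[:port]", default ports dropped
}

// Cookie path-match rule as specified in RFC 6265, section 5.1.4.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Constructed jar holding the two cookies set on the slide.
const jar = [
  { host: "www.stanford.edu", name: "skrt", value: "04f4", path: "/~alice" },
  { host: "www.stanford.edu", name: "skrt", value: "52f9", path: "/~eve" },
];

// What document.cookie exposes to a document loaded from `url`.
function documentCookie(url) {
  const u = new URL(url);
  return jar
    .filter((c) => c.host === u.hostname && pathMatch(u.pathname, c.path))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Same-origin policy: DOM access is decided on the origin alone, path ignored.
function canScript(accessorUrl, targetUrl) {
  return origin(accessorUrl) === origin(targetUrl);
}

// Cookies a script at accessorUrl can read: its own, plus those of any
// document it frames and is allowed to script.
function reachableCookies(accessorUrl, framedUrl) {
  return {
    direct: documentCookie(accessorUrl),
    viaFrame: canScript(accessorUrl, framedUrl) ? documentCookie(framedUrl) : "",
  };
}

console.log(reachableCookies("http://www.stanford.edu/~eve",
                             "http://www.stanford.edu/~alice"));
```

The path attribute narrows which cookies are attached to a request, but the access check never looks at the path, so the framed document's cookie is reachable.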

Page 18

DNS Rebinding Attack [DWF’96, R’01]

[Diagram labels: firewall; www.evil.com web server, 171.64.7.115; ns.evil.com DNS server, answering "www.evil.com?" with 171.64.7.115, TTL = 0, and with 192.168.0.100; corporate web server, 192.168.0.100; <iframe src="http://www.evil.com">]

Read permitted: it’s the “same origin”

DNS-SEC cannot stop this attack

Page 19

IP-based Origins

• Finer-grained origin (scheme, host, port, IP)

• www.evil.com=192.168.0.100 imports

    <script src="prototype.js"></script>

• www.evil.com=171.64.7.115 serves evil script
  – Read contents of document
  – POST it back to www.evil.com
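
An added example, not part of the original slides: a constructed model of the argument made on both the Locked SOP and the IP-based Origins slides, where a direct access check on the finer-grained origin passes while a script import still mixes labels inside one document. The function names, the fetch logs and the bank.example hosts are hypothetical.

```javascript
// Added example: constructed model, not browser code. `label` is the extra
// origin component a defense adds: TLS state ("valid"/"broken") for Locked SOP,
// or the resolved IP address for IP-based origins.
function fineOrigin(doc) {
  return `${new URL(doc.url).origin}|${doc.label}`;
}

// Direct DOM access is checked against the finer-grained origin.
function canScript(accessor, target) {
  return fineOrigin(accessor) === fineOrigin(target);
}

// Imports are named by URL only, so the label of the connection that served
// each script is never compared with the document's own label.
function labelsRunningIn(doc, fetchLog) {
  const labels = new Set([doc.label]);
  for (const src of doc.imports || []) {
    labels.add(fetchLog[new URL(src, doc.url).href] ?? "unknown");
  }
  return [...labels].sort();
}

// A document is contaminated when code from more than one label runs in it.
function isContaminated(doc, fetchLog) {
  return labelsRunningIn(doc, fetchLog).length > 1;
}

// Constructed data for the IP-based Origins slide: the document was loaded
// from 192.168.0.100, its relative import was served from 171.64.7.115.
const target = { url: "http://www.evil.com/", label: "192.168.0.100",
                 imports: ["prototype.js"] };
const attacker = { url: "http://www.evil.com/", label: "171.64.7.115" };
const ipFetchLog = { "http://www.evil.com/prototype.js": "171.64.7.115" };

// Constructed data for the Locked SOP slide (hypothetical hosts).
const bank = { url: "https://bank.example/", label: "valid",
               imports: ["https://static.bank.example/lib.js"] };
const tlsFetchLog = { "https://static.bank.example/lib.js": "broken" };

console.log(canScript(attacker, target), isContaminated(target, ipFetchLog));
console.log(labelsRunningIn(bank, tlsFetchLog));
```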

Page 20

SOLUTIONS

Page 21

Embrace

• Grant privileges to origins

Frame Navigation

Phishing Filter

Password Database

Local Storage

postMessage

Cross-site XHR

XDomainRequest

Page 22

Extend

• Include fine-grained origin in URL

• YURL: https://y-cl7h3f7jwyj3fvmw7jpnjfvf2xlcmayi.yurl.net/

• HTTPEV: httpev://www.paypal.com/

Page 23

Destroy

• Problem: documents that lack the sub-origin privilege

• Eliminate privilege
  – SafeLock

• Eliminate document
  – ForceHTTPS
  – ForceCertificate
  – Strict Petname


Page 25

Solutions / Defenses

Feature                      Sub-Origin Privilege   Attacker / Origin Contamination (Library Import, Data Export)
Cookie Paths                 Read Cookie            Extend
WSKE                         Read Cookie
Certificate Errors (IE7)     Show Lock              Destroy
EV                           Show Organization      Destroy
Locked Same-Origin Policy    Read Cookie            Extend
Petname Toolbar              Show Petname           Destroy
Passpet                      Obtain Password        Destroy
Mixed Content                Show Lock              Destroy, Destroy, N/A
enablePrivilege              Install Software       Destroy
IP-based Origins             Network Requests

Page 26

Summary

• Sub-origin privileges don’t work
  – Origin contamination
  – Privilege escalation via script injection

• Beware of finer-grained origins
  – Trust specified by URL
  – Import/Export

• Three approaches for new features
  – Embrace, extend, destroy