COVER FEATURE Security Vulnerabilities in the Same-Origin Policy: Implications and Alternatives
Hossein Saiedian, University of Kansas Dan S. Broyles, Sprint Nextel
The same-origin policy, a fundamental se- However, by using the
0018-9162/11/$26.00 © 2011 IEEE Published by the IEEE Computer Society SEPTEMBER 2011 29 COVER FEATURE
statelessness and code mobility.1 To further complicate formance. However, the SOP makes it difficult for Web matters, SOP rules and implementations differ between applications from one source to obtain and display data resources, DOM objects, XMLHttpRequests, cookies, from another. Developers use two common and powerful Flash, Java, JavaScript, ActiveX, Silverlight, plug-ins, and techniques to circumvent the SOP and obtain data from browsers. other domains; the first uses an Ajax proxy, and the second Inexperienced Web programmers who do not know that uses JavaScript object notation with padding (JSONP) script certain objects and actions—such as form submissions tag injection. and tags like Today, banks employ various measures to thwart such attacks, but other sites do not, especially those of small- The remote server will return the requested data so that and medium-size companies whose Web developers do not it calls the callback function, showCurrent: see the need for security measures covering SOP exploits. s h o w C u r r e n t({ Using the Referrer header could be effective against CSRF, but Web applications frequently block this header because “ticker”:”msft”, of privacy concerns, so an application that enforces it “c u r r e n t ”:”2 4.5”, will exclude many users. Applications also strip Referrer “lastclose”:”24.0”, headers from all HTTPS requests. Still worse, hackers can modify the Referrer header, making it unreliable.3 “pctchange”:”2.1”, “30dayavg”:”23.45” The SOP is not the correct security }); mechanism and requires redesign to The webpage will execute the returned JavaScript as meet the access-control requirements if it were native to the page. However, if a hacker were to of Web-based assets. alter the getyourstocks.com site so that it returns malicious JavaScript instead of stock quote data, the browser running this Web app will execute the malicious code. By circum- Adam Barth and his colleagues recommended augmenting venting SOP, the developer has introduced a security hole. browser policy to use an Origin header as opposed to the So how do developers obtain data for a Web application Referrer header to provide CSRF and click-jacking protec- and still maintain security? They need a better security tion.4 The Mozilla security model currently proposes this policy. Basic security logic suggests that third-party entities fix (https://wiki.mozilla.org/Security/Origin). should not have the same access rights as trusted enti- ties, so a policy that lets application developers determine Cross-site scripting access rights for each object might solve many SOP issues. There are two basic ways attackers implement XSS. The first method, considered nonpersistent, introduces mali- HACKER EXPLOITS cious scripts in GET or POST requests that show up in pages Hackers use various exploits to take advantage of SOP returned by the server. For example, an attacker sends an deficiencies. There are many variations of these attacks, e-mail containing a specially crafted hyperlink to a trusted and hackers create new exploits all the time. Here, the website; the URL string includes malicious instructions purpose is not to enumerate every SOP vulnerability and reflected in the page returned by the webserver. The attack attack, but to outline the fundamental flaws in the SOP so takes place when the user clicks on the hyperlink. that readers can better analyze the proposed solutions. The second attack, considered persistent, occurs when the attacker injects malicious scripts into GET or POST Cross-site request forgery actions that the server stores and then dynamically pres- Security experts identified the earliest CSRF as a con- ents to the victim. For example, a malicious user logs into a fused deputy attack. In this type of attack, hackers lure a forum and adds comments containing malicious JavaScript victim to a malicious website to submit a form that points to a discussion thread as follows.5 to a trusted target site in which the victim might have an active session. The trusted webserver receives and pro-
Scavenger Hunt! CSRF includes any malicious webpage with scripts that make unauthorized requests to trusted sites, hoping to
take advantage of users who have an active session with Paul: I will award the student the trusted site. For example, a user visits her bank’s web- bringing me the following items:
take advantage of users who have an active session with
Paul: I will award the student the trusted site. For example, a user visits her bank’s web- bringing me the following items:
SEPTEMBER 2011 31 COVER FEATURE
- Flash and other embedded programmable objects that have
- Yellow #2 pencil access to user-manipulated DOM objects and environment variables. In DOMXSS attacks, the client-side code embeds
- Secretary’s middle name the malicious code into the webpage; in traditional XSS at-
- Number of ceiling tiles in our lab tacks, the server embeds the malicious code.
(DNS) hijacking to deliver a Web document with mali-