Turing Technology: Cross-Domain Security in Web Applications

I. Interaction between Web Pages from Different Domains

a. Possible interactions limited by same origin policy
- Links, embedded frames, data inclusion across domains still possible
- Client-side scripts can make requests cross-domain

b. HTTP & cookie authentication two common modes
- Cached credentials associated with browser instance
- Future requests don’t need further authentication

II. HTML, JavaScript, and the same-origin policy

a. Modern browsers use DHTML, CSS, JS
- Support style layout through CSS
- Behavior directives through Javascript

- Access Document Object Model allowing reading/modifying page and responding to events

b. Origin: protocol, hostname, port, but not path

c. Same-origin policy: scripts can only access properties (cookies, DOM objects) of documents of same origin

III. HTTP Request Authentication

a. HTTP is stateless, so web apps have to associate requests with users themselves

b. HTTP authentication: username/password automatically supplied in HTTP header

c. Cookie authentication: credentials requested in form, after POST app issues session token

d. Browser returns session cookie for each request

e. Hidden-form authentication: hidden form fields transfer session token

f. HTTP & cookie authentication credentials cached

IV. Cross-Site Scripting (XSS)

a. What if attacker can get a malicious script to be executed in our application?

b. Other Sources of Untrusted Data
- HTML form fields
- URL path

c. XSS Exploits

- Stealing Cookies

The malicious script could cause the browser to send attacker all cookies for our app’s domain
Gives attacker full access to Alice’s session

- Scripting the Vulnerable App

Complex script with specific goal
Doesn’t have to make a direct attack, revealing his IP address, harder to trace

- Modifying Web Pages

d. XSS Implications

- XSS is not just about stealing cookies

- Attacker gets to inject arbitrary script into our web application

- Browser thinks it is coming from your application

- XSS is a hole/backdoor that allows attacker to Control your web application

e. Reflected vs Stored XSS

- Reflected XSS: script injected into a request and reflected immediately in response

As in the query parameter example

- Stored XSS: script delivered to victim some time after being injected

Stored somewhere in the meantime
Attack is repeatable, more easily spread

- MySpace: stored XSS Worm, October 2005

Propagated from one user profile page to the next via friend connections
Went from 1 to over 1M “infected” profiles in < 6 hours
MySpace went offline to fix
Samy Kamkar: first FBI conviction for XSS attack

- Preventing XSS

- Input Validation vs Output Sanitization

XSS is not an input validation problem
Strings with HTML metachars not a problem until they’re displayed on the webpage
Might be valid elsewhere, e.g. in a database and thus not validated later when output to HTML
Output Sanitization/Escaping: check strings as you insert into HTML doc – library functions exist

- HTML Escaping

<  &It;
>  &rt;
“  "
&  &

IV. Types of XSS Mitigation

a. Cross-Site Request Forgery (XSRF)

- Malicious site can initiate HTTP requests to our app on Alice behalf without her knowledge

- Cached credentials sent to our server regardless who made the request

b. XSRF Impacts

- Malicious site can’t read info, but can make write requests to our app.

- No code injected into our app.

- Who should worry about XSRF?

Apps with server-side state: user info, updatable profiles such as usernames/passwords (e.g. Facebook)
Apps that do financial transactions for users (e.g. Amazon, eBay)
Any app that stores user data (e.g. calendars, tasks)

c. Preventing XSRF

- HTTP requests originating from user action are indistinguishable from those initiated by a script

- Need methods to distinguish valid requests

Inspecting Referer Headers
Validation via User-Provided Secret
Validation via Action Token

d. Validation via Action Token

- Add special action tokens as hidden fields to “genuine” forms to distinguish from forgeries

- Same-origin policy prevents 3rd party from inspecting the form to find the token

- Need to generate and validate tokens so that

Malicious 3rd party can’t guess or forge token
Then can use to distinguish genuine and forged forms

V. Action Tokens

a. Generating Action Tokens

- Concatenate value of timestamp or counter c with the Message Authentication Code (MAC) of c under secret key K:

Token: T = MACk(c)||c
Security dependent on crypto algorithm for MAC
|| denotes string concatenation, T can be parsed into individual components later

- Recall from 1.5 MACs are function of message and secret key

b. Validating Action Tokens

- Split token T into MAC and other components

- Compute expected MAC for given c and check that given MAC matches

- If MAC algorithm is secure and K is secret, 3rd party can’t create MACk(c), so can’t forge token

c. Problem with Scheme

- Application will accept any token we’ve previously generated for a browser

- Attacker can use our application as an oracle.

Uses own browser to go to page on our site with form
Extracts the token from hidden field in form

- Need to also verify that incoming request has action token sent to the same browser

d. Fixing the Problem

- Bind value of action token to a cookie

Same-origin policy prevents 3rd party from reading or setting our cookies
Use cookie to distinguish between browser instances

- New Scheme

Cookie C is unpredictable, unique to browser instance
C can be session authentication cookie
Or random 128 bits specifically for this purpose
L = action URL for form with action token
Compute T = MACk(C||d||L), d is separator (e.g. ;)
d ensures uniqueness of concatenation

e. Cross-Site script inclusion (XSSI)

- 3rd party can include <script> sourced from us

- Static script inclusion

Purpose is to enable code sharing, i.e providing JavaScript library for others to use
Including 3rd-party script dangerous without control since it runs in our context with full access to client data

- Script inclusion vulnerability