we still don t have secure cross domain requests an
play

We Still Dont Have Secure Cross-Domain Requests: an Empirical Study - PowerPoint PPT Presentation

Dec 24, 2022 •466 likes •897 views

We Still Dont Have Secure Cross-Domain Requests: an Empirical Study of CORS Jianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, Min Yang Tsinghua University, Shape Security, Huawei Canada, Microsoft Research, UC Berkeley,

  1. We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS Jianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, Min Yang Tsinghua University, Shape Security, Huawei Canada, Microsoft Research, UC Berkeley, Fudan University 1

  2. Same Origin Policy (SOP) • Isolate resources from different origins • Cross origin network access: Can send, Can’t Read Web server Security Isolation Web server (b.com) GET http://b.com (a.com) e s n o p s e r P T T H Browser a.com b.com 2

  3. Developers need cross origin reading • JSON with Padding (JSON-P) • A workaround to server the need • introduces many inherent security issues • Cross Origin Resource Sharing (CORS) • A more disciplined mechanism • Browsers support(2009), W3C standard(2014)

  4. Our work • Conducted an empirical study on CORS • Including its design, implementation and deployment • Discovered a number of security issues • 4 categories of browser-side issues • 7 categories of sever-side issues • Conducted a large-scale measurement on popular websites • 27.5% of CORS configured websites have insecure CORS configuration • Proposed mitigations and some of them have been adopted by web standard and major browsers.

  5. Contents • Web SOP and CORS background • Our discovery: CORS security issues • Browser-side: overly permissive sending • Server-side: CORS misconfigurations • CORS real-world deployments • Our large scale measurement • Disclosure and Mitigation

  6. Web & CORS background 6

  7. The default SOP prevents cross origin reading Shipping Website Online Shopping Website a.com b.com Browser Server Server Load JS GET http://b.com 200 OK HTTP response Same Origin Policy Developers need cross origin reading! 7

  8. Cross origin resource sharing (CORS) Explicit authorization access control mechanism • Browsers support(2009), W3C standard(2014) • a.com b.com Browser Server Server Load JS GET request Origin: http://a.com HTTP response with CORS policy Access-Control-Allow-Origin:http://a.com Browser enforce policy 8

  9. CORS JavaScript interfaces (e.g. XHR) • CORS allows JS to customize method, header and body var xhr=new XMLHttpRequest(); xhr.open(“PATCH“, ”http://b.com/r“, true); xhr.setRequestHeader(“X-Requested-With“, “XMLHttpRequest "); xhr.withCredentials = true; xhr.send(“any data”); Document of a.com But this interface is very powerful, and may break CSRF defense of many websites.

  10. Simple requests in CORS standard • Two categories of requests • Simple request: can be sent directly • Non-simple request: not to cover this in this talk (refer to the paper) • A simple request must satisfy all of the three conditions � 1. Request method is HEAD , GET or POST . 2. Request headers are not customized, except for 9 whitelisted headers: Accept, Accept-Language, Content-Language, Content-Type , etc. 3. Content-Type header value is one of three specific values: “text/plain”, “multipart/form-data”, and “application/x-form-uri-encoded”. 10

  11. Browser-side Issues: Overly Permissive Sending Permissions (4 categories of issues)

  12. Overly permissive request headers and bodies • CORS relax send restrictions unintentionally, allowing malicious customization of HTTP headers and bodies • The relaxation can be exploited by attackers Problems Attacks P1. Overly permissive header values RCE attack on intranet servers P2. Few limitations on header size Infer cookie presence for ANY website P3. Overly flexible body values Attack MacOS AFP server P4. Few limitations on body format Exploit previously unexploitable CSRF

  13. P1. Overly permissive header values • CORS allows JavaScript to modify 9 whitelisted headers. • CORS imposes few limitations on header values except “Content-Type” • eg. (, {, \x01,\x0b Intranet website(Shellshock vul) Attacker’s website GET /api HTTP/1.1 Victim Host: 192.168.1.1 Accept: (){:;}; /bin/rm –rf / Affected browser(4/5):

  14. P1. Overly permissive header values • CORS restricts “Content-Type” to three specific values • But the restriction can be bypassed due to browsers’ implementation flaws. Intranet website(Apache structs vul) Attacker’s website GET /api HTTP/1.1 Victim Host: 192.168.1.1 Content-Type: text/plain ; %{(apache struts exploit)} Affected browsers(5/5):

  15. Case study: obtain a shell on Intranet server by exploiting browsers Website File Server NAT/ Attacker Database Gateway Users Intranet Internet

  16. Demo: Obtain a shell on Intranet server by exploiting browsers(https://youtu.be/jO6hoXyXVqk) Attacker in Internet Victim’s browser in Intranet

  17. P2. Few limitations on header size • Both HTTP and CORS standards have no explicit limit on request header sizes. • Browsers’ header size limitation are more relaxed than servers. • Case study 2: Remotely infer cookie presence for ANY website.

  18. Remotely infer cookie presence for ANY website Step 1: Measure the header size limit of target server Issue HTTP request with head size 1 200 OK HTTP response Attacker Health.com (Max header size limitation: S) Victim

  19. Remotely infer cookie presence for ANY website Step 1: Measure the header size limit of target server Issue HTTP request with head size S+1 400 Bad Request HTTP response Attacker Health.com (Max header size limitation: S) Victim

  20. Remotely infer cookie presence for ANY website Step 2: Send request from the victim’s browser with header size slightly smaller than the measured limit. Attacker 1 - S e z i s d a e h h Health.com t i w 400 Bad request t Victim visits the attacker‘s website s e u (Max header size q e R limitation: S) Victim When Cookie is present, “400 Bad request” is returned

  21. Remotely infer cookie presence for ANY website Step 2: Send request from the victim’s browser with header size slightly smaller than the measured limit. Attacker 1 - S e z i s d a e h h Health.com t 200 OK HTTP Reply i w t Victim visits the attacker‘s website s e u (Max header size q e R limitation: S) Victim When Cookie is not present, “200 OK” is returned

  22. Remotely infer cookie presence for ANY website Step 3: Infer the response status through timing channel. Attacker 1 - S e z i s d a e h h Health.com t i w 400 Bad request t Victim visits the attacker‘s website s e u (Max header size q e R limitation: S) Victim One general timing channel is response time. • In Chrome, Performance.getEntries() directly exposes it. •

  23. Remotely infer cookie presence for ANY website • The presence of a cookie can leak private information. • victim’s health conditions • Financial considerations • Political preferences Affected browsers(5/5):

  24. P3. Overly flexible body values • CORS impose no limitations on the values of request body • CORS allows JavaScript to construct ANY binary data in request body MacOS AFP server Public attacker site Victim 1. visit attacker site 2. send cross site request POST / HTTP/1.1 Host: 192.168.1.1 3. ignore unknow headers, 01010101011111 perform AFP cmds Affected browsers(5/5):

  25. Demo: exploiting MacOS built-in Apple file server to create local files(https://youtu.be/WXIy94prfvs)

  26. Server-side issues: CORS misconfigurations (7 categories of issues) Inspired by these previous work: [1] James Kettle, “Exploiting CORS misconfigurations for Bitcoins and bounties”, AppSecUSA 2016 [2] Evan Johnson, “Misconfigured CORS and why web appsec is not getting easier”, AppSecUSA 2016 [3] Von Jens Müller, "CORS misconfigurations on a large scale"

  27. CORS misconfigurations 1. Origin reflection 2. Validation mistakes 3. HTTPS trust HTTP 4. Trust null 5. Wildcard origin with credentials 6. Trust all of its own subdomains 7. Lack of “Vary: Origin”

  28. How does CORS policy work? c.com a.com b.com Browser Server Server Server Load JS GET request Origin: http://a.com Access-Control-Allow-Origin:http://a.com Access-Control-Allow-Credentials: true Load JS GET request Origin: http://c.com Access-Control-Allow-Origin: http://a.com, http://c.com Access-Control-Allow-Credentials: true

  29. How does CORS policy work? c.com a.com b.com Browser Server Server Server Load JS GET request Origin: http://a.com Access-Control-Allow-Origin:http://a.com Access-Control-Allow-Credentials: true Load JS GET request Origin: http://c.com Access-Control-Allow-Origin: http://c.com • CORS Specification : Access-Control-Allow-Credentials: true • Access-Control-Allow-Origin = single origin, null or *

  30. P1: Origin reflection example.com attacker.com Server Browser Server Load JS GET /api HTTP/1.1 Host: example.com Origin: http://attacker.com HTTP/1.1 200 OK Access-Control-Allow-Origin: http://attacker.com Access-Control-Allow-Credentials: true

  31. P2: Validation mistakes 1) Prefix Match: $ • A example of insecure Nginx configuration : if ($http_origin ~ “http://(example.com|foo.com)”) { add_header "Access-Control-Allow-Origin" $http_origin; } GET /api HTTP/1.1 Host: www. example.com Origin: http://example.com.evil.com HTTP/1.1 200 OK Access-Control-Allow-Origin: http:// example.com.evil.com Access-Control-Allow-Credentials: true

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and Raghav Dube Tabbed Browsing Rich Content Mash-ups Cookies JSON Ajax Implication of Cross Domain Attacks Implication of Cross Domain Attacks

580 views • 31 slides
CoNet: Collaborative Cross Networks for Cross-Domain Recommendation Guangneng Hu*, Yu Zhang, and

CoNet: Collaborative Cross Networks for Cross-Domain Recommendation Guangneng Hu*, Yu Zhang, and

CoNet: Collaborative Cross Networks for Cross-Domain Recommendation Guangneng Hu*, Yu Zhang, and Qiang Yang CIKM 2018 Oct 22-26 (Mo-Fr), Turin, Italy 1 Recommendations Are Ubiquitous: Products, Medias, Entertainment Amazon 300

277 views • 27 slides
Cross-Domain Learning-to-rank with SVM Erheng Zhong 1 1 Department of Computer Science and

Cross-Domain Learning-to-rank with SVM Erheng Zhong 1 1 Department of Computer Science and

Preliminary Cross-domain Learning-to-Rank Summary Cross-Domain Learning-to-rank with SVM Erheng Zhong 1 1 Department of Computer Science and Technology, HKUST COMP621U Presentation, 04/07/2011 Erheng Zhong Cross-Domain Learning-to-rank

620 views • 40 slides
Domain adaptation model for retinopathy detection from cross-domain OCT images Jing Wang 1;2 ,

Domain adaptation model for retinopathy detection from cross-domain OCT images Jing Wang 1;2 ,

Domain adaptation model for retinopathy detection from cross-domain OCT images Jing Wang 1;2 , Yiwei Chen 2 , Wanyue Li1; 2 , Wen Kong 1;2 , Yi He 2 , Chuihui Jiang *3 , Guohua Shi *2;4 1 University of Science and technology of China, Hefei 230026,

348 views • 9 slides
Cross-Layer and Cross-Domain QoS Signalling Using BGP 8th Wrzburg Workshop on IP: Joint

Cross-Layer and Cross-Domain QoS Signalling Using BGP 8th Wrzburg Workshop on IP: Joint

Cross-Layer and Cross-Domain QoS Signalling Using BGP 8th Wrzburg Workshop on IP: Joint EuroNF, ITC, and ITG Workshop on "Visions of Future Generation Networks" (EuroView2008) Thomas Martin Knoll Chemnitz University of Technology

101 views • 7 slides
Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.) Samuel Ranellucci (Unbound Tech) Xiao Wang (MIT & Boston U.) Secure Computation 4 parties each hold private data. They wish to compute C(x 1

414 views • 24 slides
Requirements for Policies in Cross-Domain Service

Requirements for Policies in Cross-Domain Service

Requirements for Policies in Cross-Domain Service Composi8on Ulrich Pinsdorf, Microso> Jan Schallaboeck, ULD Stuart Short, SAP

361 views • 7 slides
The Cross- -domain Information domain Information The Cross Exchange Framework (CIEF) Exchange

The Cross- -domain Information domain Information The Cross Exchange Framework (CIEF) Exchange

The Cross- -domain Information domain Information The Cross Exchange Framework (CIEF) Exchange Framework (CIEF) 20 May 2008 20 May 2008 Paul Shaw, SPAWARSYSCOM Paul Shaw, SPAWARSYSCOM Dr. David J. Roberts, iBASEt, Inc. Dr. David J.

856 views • 59 slides
A Hierarchical Framework for Cross Domain MapReduce Execution Yuan Luo 1 , Zhenhua Guo 1 ,

A Hierarchical Framework for Cross Domain MapReduce Execution Yuan Luo 1 , Zhenhua Guo 1 ,

A Hierarchical Framework for Cross Domain MapReduce Execution Yuan Luo 1 , Zhenhua Guo 1 , Yiming Sun 1 , Beth Plale 1 , Judy Qiu 1 , Wilfred W. Li 2 1 School of Informatics and Computing, Indiana University 2 San Diego Supercomputer Center,

356 views • 20 slides
Identifying Transferable Information Across Domains for Cross-domain Sentiment Classification

Identifying Transferable Information Across Domains for Cross-domain Sentiment Classification

Identifying Transferable Information Across Domains for Cross-domain Sentiment Classification Authors: Raksha Sharma, Pushpak Bhattacharyya, Sandipan Dandapat and Himanshu Sharad Bhatt Affiliation: IIT Bombay & Xerox Research Center of

125 views • 10 slides
Towards a Reference Architecture for Service- Oriented Cross Domain Security Infrastructures Wen

Towards a Reference Architecture for Service- Oriented Cross Domain Security Infrastructures Wen

Towards a Reference Architecture for Service- Oriented Cross Domain Security Infrastructures Wen Zhu Dr. Lowell Vizenor Dr. Avinash Srinivasan 7 th International Conference on Internet and Distributed Computing Systems Agenda Background

128 views • 12 slides
Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

681 views • 18 slides
High Robustness Cross Domain Solutions Tiger Team John Mildner Jennifer Guild Layered

High Robustness Cross Domain Solutions Tiger Team John Mildner Jennifer Guild Layered

High Robustness Cross Domain Solutions Tiger Team John Mildner Jennifer Guild Layered Assurance Workshop - 2011 Purpose 2 Provide an overview of the High Robustness Cross Domain Solutions Tiger Team (HR CDS TT) Provide status on support to

465 views • 14 slides
Secure Xen on ARM: Status and Driver Domain Separation Sang-bum Suh sbuk.suh@samsung.com SW

Secure Xen on ARM: Status and Driver Domain Separation Sang-bum Suh sbuk.suh@samsung.com SW

Secure Xen on ARM: Status and Driver Domain Separation Sang-bum Suh sbuk.suh@samsung.com SW Laboratories Corporate Technology Operations Samsung Electronics Presented at Xen Summit Autumn 2007, Sun Microsystems Contributors Sang-bum Suh

705 views • 21 slides
Cross-Domain Recommendations via Segmented Models Shaghayegh Sahebi (Sherry) *,

Cross-Domain Recommendations via Segmented Models Shaghayegh Sahebi (Sherry) *,

Cross-Domain Recommendations via Segmented Models Shaghayegh Sahebi (Sherry) *, Trevor Walker + * Intelligent Systems Program, University of Pi>sburgh + Linkedin

796 views • 33 slides
Slides on cross-domain call and Remote Procedure Call (RPC)

Slides on cross-domain call and Remote Procedure Call (RPC)

Slides on cross-domain call and Remote Procedure Call (RPC) This classic paper is a good example of a microbenchmarking study. It also explains the RPC abstraction and serves as a case study of the

477 views • 44 slides
TBA (and beyond: Amplitudes/WLs, N=2 partition functions) 8-5-2018, GGI Conference

TBA (and beyond: Amplitudes/WLs, N=2 partition functions) 8-5-2018, GGI Conference

TBA (and beyond: Amplitudes/WLs, N=2 partition functions) 8-5-2018, GGI Conference Non-perturbative., Yassen ad memoriam Davide Fioravanti (INFN-Bologna) series of paper with M. Rossi, S.Piscaglia, A. Bonini;JE Bourgine 1 Duality:

675 views • 54 slides
Res esilienc iliency in in a a changing hanging en envir ironment onment Cons onsider

Res esilienc iliency in in a a changing hanging en envir ironment onment Cons onsider

Addressing Resiliency John Milton The WSDOT Experience Launching Enterprise Risk Management in Your Agency NCHRP 20-14 (105) Res esilienc iliency in in a a changing hanging en envir ironment onment Cons onsider idering ing ris isk

340 views • 18 slides
Oregon R n Reins nsur uranc nce Prog ogram Health I Insurer C Cost S Sharing Pr Program

Oregon R n Reins nsur uranc nce Prog ogram Health I Insurer C Cost S Sharing Pr Program

Division of Financial Regulation Oregon R n Reins nsur uranc nce Prog ogram Health I Insurer C Cost S Sharing Pr Program Claims Submission Requirements In Relation to (OAR-836-150-0010 to 836-150-0060) June 4 th 2019 To Topics

243 views • 21 slides
Hybrid SAN & Cluster Enterprise Network Storage Hikvision Enterprise Network Storage

Hybrid SAN & Cluster Enterprise Network Storage Hikvision Enterprise Network Storage

HIKVISION Storage Products Hybrid SAN & Cluster Enterprise Network Storage Hikvision Enterprise Network Storage History CONTENTS Network Storage Solutions Network Storage Products Network Storage Cases HIK Enterprise Network

738 views • 45 slides
Backup and Recovery Strategy About Stacy 10+ years of experience on various flavors of

Backup and Recovery Strategy About Stacy 10+ years of experience on various flavors of

Backup and Recovery Strategy About Stacy 10+ years of experience on various flavors of relational databases. Focus on performance tuning, code reviews, database deployment and infrastructure management for MySQL In her spare time, she

804 views • 48 slides
Limiting Personal Jurisdiction: Defeating Plaintiffs Attempts To Avoid Daimler Andrew J.

Limiting Personal Jurisdiction: Defeating Plaintiffs Attempts To Avoid Daimler Andrew J.

Limiting Personal Jurisdiction: Defeating Plaintiffs Attempts To Avoid Daimler Andrew J. Pincus Dan Himmelfarb Partner Partner +1 202 263 3220 +1 202 263 3035 apincus@mayerbrown.com dhimmelfarb@mayerbrown.com Gary A. Isaac Andrew

694 views • 35 slides
ALBERTO BERTI ALBERTO@ARSTECNICA.IT EuroPython 2017 in Rimini 1 TABLE OF CONTENTS What I mean

ALBERTO BERTI ALBERTO@ARSTECNICA.IT EuroPython 2017 in Rimini 1 TABLE OF CONTENTS What I mean

GET OVER THE BOUNDARIES BETWEEN CLIENT AND SERVER IN WEB APP DEVELOPMENT ALBERTO BERTI ALBERTO@ARSTECNICA.IT EuroPython 2017 in Rimini 1 TABLE OF CONTENTS What I mean with web app How a web app is today built using Python tools? Dealing with

746 views • 40 slides
Verification and validation of the computer codes Marin Kri tof, NNEES Content of the lecture

Verification and validation of the computer codes Marin Kri tof, NNEES Content of the lecture

IAEA Safety Assessment Education and Training (SAET) Programme Joint ICTP-IAEA Essential Knowledge Workshop on Deterministic Safety Assessment and Engineering Aspects Important to Safety Verification and validation of the computer codes Marin

629 views • 44 slides

More recommend