Careful Who You Trust: Studying the Pitfalls ...
Document type:
Conference paper (with proceedings)
Title:
Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication
Author(s):
Meiser, Gordon [Author]
Helmholtz Center for Information Security [Saarbrücken] [CISPA]
Laperdrix, Pierre [Author]
Self-adaptation for distributed services and large software systems [SPIRALS]
Stock, Ben [Author]
Helmholtz Center for Information Security [Saarbrücken] [CISPA]
Conference title:
ASIACCS 2021 - 16th ACM Asia Conference on Computer and Communications Security
City:
Hong Kong / Virtual
Country:
China
Conference start date:
2021-06-07
Proceedings title:
16th ACM Asia Conference on Computer and Communications Security
HAL discipline(s):
Computer Science [cs]/Web
Computer Science [cs]/Cryptography and Security [cs.CR]
Computer Science [cs]
Abstract (English): [en]
In the past, Web applications were mostly static and most of the content was provided by the site itself. Nowadays, they have turned into rich client-side experiences customized for the user where third parties supply a considerable amount of content, e.g., analytics, advertisements, or integration with social media platforms and external services. By default, any exchange of data between documents is governed by the Same-Origin Policy, which only permits exchanging data with other documents sharing the same protocol, host, and port. Given the move to a more interconnected Web, standards bodies and browser vendors have added new mechanisms to enable cross-origin communication, primarily domain relaxation, postMessages, and CORS. While prior work has already shown the pitfalls of not using these mechanisms securely (e.g., omitting origin checks for incoming postMessages), we instead focus on the increased attack surface created by the trust that is necessarily put into the communication partners. We report on a study of the Tranco Top 5,000 to measure the prevalence of cross-origin communication. By analyzing the interactions between sites, we build an interconnected graph of the trust relations necessary to run the Web. Subsequently, based on this graph, we estimate the damage caused through exploitation of existing XSS flaws on trusted sites.
Language:
English
Peer reviewed:
Yes
Audience:
International
Popular science:
No
Collections:
Source:
Files
- https://hal.archives-ouvertes.fr/hal-03021256/document (open access)
- meiser2021cwyt.pdf (open access)