Corpus ID: 14671036

The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites

@inproceedings{Son2013ThePA,
  title={The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites},
  author={Sooel Son and Vitaly Shmatikov},
  booktitle={NDSS},
  year={2013}
}
The postMessage mechanism in HTML5 enables Web content from different origins to communicate with each other, thus relaxing the same origin policy. [] Key Method The first uses pseudo-random tokens to authenticate the source of messages and is intended for the implementors of third-party content. The second, based on a Content Security Policy extension, is intended for website owners. The two defenses are independent and can be deployed jointly or separately.
Privacy Breach by Exploiting postMessage in HTML5: Identification, Evaluation, and Countermeasure
TLDR
It is found that the DangerNeighbor attack is a real threat to the sites adopting the postMessage mechanism and an easily deployable approach is proposed to protect messages from being eavesdropped by a malicious provider.
Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem
TLDR
The results show that the security of a consistent number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts.
PostMessage Vulnerability in Chrome Extensions
Browser extensions are a popular way for a user to customize their online experience. These extensions allow for various types of functionality including but not limited to dynamically changing page
Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Applications
TLDR
The novel security issue caused by hybrid postMessage is named "Origin Stripping Vulnerability" (OSV), and three new postMessage APIs are designed and implemented, called OSV-Free, which is shown to be generic and resilient to the notorious Android fragmentation problem.
Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication
TLDR
By analyzing the interactions between sites, an interconnected graph of the trust relations necessary to run the Web is built and the damage caused through exploitation of existing XSS flaws on trusted sites is estimated.
The SICILIAN Defense: Signature-based Whitelisting of Web JavaScript
TLDR
This paper presents SICILIAN, a novel multi-layered approach for whitelisting scripts that can tolerate changes in them without sacrificing the security, and comes with a deployment model called progressive lockdown, which lets browsers assist the server in composing the whitelist.
Untangling the Web of Client-Side Cross-Site Scripting
TLDR
A concept for a filter targeting Client-Side Cross-Site Scripting is presented, combining taint tracking in the browser in conjunction with taint-aware HTML and JavaScript parsers, allowing us to robustly protect users from such attacks.
PMForce: Systematically Analyzing postMessage Handlers at Scale
TLDR
This work presents an automated analysis framework that uses selective forced execution paired with lightweight dynamic taint tracking to find traces in the analyzed handlers that end in sinks allowing code execution or state alteration, and conducts the most comprehensive study yet of the security issues of postMessage handlers found throughout the top 100,000 most influential sites.
Rethinking Security of Web-Based System Applications
TLDR
PowerGate enables application developers to write well-defined native-object access policies with explicit principals such as "application's own local code" and "third-party Web code," is easy to configure, and incurs negligible performance overhead.

References

Securing frame communication in browsers
TLDR
This work analyzes two techniques for interframe communication between isolated frames and proposes improvements in the postMessage API to provide confidentiality, which has been standardized and adopted in browser implementations.
Towards Client-side HTML Security Policies
TLDR
It is argued that current systems are insufficient for the needs of web applications, and research needs to be done to determine the set of properties an HTML security policy system should have.
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications
TLDR
A novel approach for automatically detecting potential server-side vulnerabilities of this kind in existing (legacy) web applications through blackbox analysis is presented and the design and implementation of NoTamper, a tool that realizes this approach are discussed.
An empirical study of privacy-violating information flows in JavaScript web applications
TLDR
An expressive, fine-grained information flow policy language is designed that allows to specify and detect different kinds of privacy-violating flows in JavaScript code, and a new rewriting-based JavaScript information flow engine is implemented within the Chrome browser to mitigate the privacy threat from covert flows in browsers.
On the Incoherencies in Web Browser Access Control Policies
TLDR
This paper analyzes three major access control flaws in today's browsers and builds WebAnalyzer, a crawler-based framework for measuring real-world usage of browser features, and used it to study the top 100,000 popular web sites ranked by Alexa.
The Emperor's New APIs: On the (In)Secure Usage of New Client-side Primitives
TLDR
It is found that, in practice, these abstractions are used insecurely, which leads to severe vulnerabilities and can increase the attack surface for web applications in unexpected ways.
AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements
TLDR
A novel framework for addressing security threats posed by third-party advertisements is proposed, with an innovative isolation mechanism that enables publishers to transparently interpose between advertisements and end users.
Analyzing the Crossdomain Policies of Flash Applications
TLDR
The findings suggest that Flash's crossdomain policy mechanism may be liable to misconfiguration in practice, and some techniques are proposed for mitigating the security problems that might arise from such misconfiguration.
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
TLDR
ConScript, a client-side advice implementation for security, built on top of Internet Explorer 8, is presented, and it is concluded that its overhead is significantly lower than that of other systems proposed in the literature, both on micro-benchmarks and on large, widely-used applications such as MSN, GMail, Google Maps, and Live Desktop.
Busting frame busting: a study of clickjacking vulnerabilities on popular sites
TLDR
This work studies frame busting practices for the Alexa Top-500 sites and shows that all can be circumvented in one way or another.