Presented at
DEF CON China Beta (2018),
May 13, 2018, 11 a.m.
(60 minutes).
The default Same Origin Policy essentially restricts access of cross-origin network resources to be "write-only". However, many web applications require "read" access to contents from a different origin, so developers have come up with workarounds, such as JSON-P, to bypass the default Same Origin Policy restriction. Such ad-hoc workarounds leave a number of inherent security issues. CORS (cross-origin resource sharing) is a more disciplined mechanism supported by all web browsers to handle cross-origin network accesses. In this talk we present our empirical study about the real-world uses of CORS. We find that the design, implementation, and deployment of CORS are subject to a number of new security issues: 1) CORS relaxes the cross-origin "write" privilege in a number of subtle ways that are problematic in practice; 2) CORS brings new forms of risky trust dependencies into web interactions; 3) CORS is generally not well understood by developers, possibly due to its inexpressive policy and its complex and subtle interactions with other web mechanisms, leading to various misconfigurations. Finally, we propose protocol simplifications and clarifications to mitigate the security problems uncovered in our study.
Presenters:
-
Dr. Haixin Duan
- professor at the Institute for Network Science and Cyberspace, Tsinghua University
Jianjun Chen PhD student, Tsinghua University
Dr. Haixin Duan is a professor at the Institute for Network Science and Cyberspace, Tsinghua University.He was once a visiting scholar at UC Berkeley and a senior scientist in International Computer Science Institute(ICSI). Dr. Duan has been working on network security for more than 20 years. His recent research interests include protocol security, intrusion detection, underground economy detection and etc. Some of his research results were deployed by industries like Baidu, and published in top security conferences like Security & Privacy, USENIX Security, CCS and NDSS.
Jianjun Chen: is a PhD student at Tsinghua University supervised by Prof. Haixin Duan. In 2015, he visited UC Berkeley under the direction of Prof. Vern Paxson. Currently he has published three papers on top security conferences(NDSS, CCS, IEEE S&P). Among them, the NDSS paper on CDN forwarding loop attacks has won the conference's "Distinguished Paper Award". It is the first time that a Chinese scholar wins this award as the first author in top security conferences. His research work are not only recognized by the academic community, but also help many well-known industrial companies(eg. AKamai, Cloudflare, Tencent) and open-source software(eg. Squid) to fix multiple severe vulnerabilities.
Links:
Similar Presentations: