Tuesday 13 October 2009

A Cross-Domain Conversation

RIA Security Flash!

Adobe Senior Security Researcher Peleus Uhley recently wrote a Microsoft BlueHat blog guest post, on the subject of web sites' permissions for cross-domain access, and some security issues with these arrangements:

http://blogs.technet.com/bluehat/archive/2009/10/06/collaborating-on-ria-security.aspx

It's interesting to see how security considerations encourage companies such as Adobe and Microsoft to work together. The MS BlueHat Conference Series in particular now has a history of "building bridges" between their developers and executives, key security program partners, and members of the security research community.

Peleus gives multiple examples of threats, based on a vulnerability introduced by cross-domain XMLHttpRequest. More generally, the gotcha to look out for is the transitivity of cross-domain permissions. Commenting on this research in the MS-SDL blog, Bryan Sullivan puts it like this:

If site A grants privileges to site B, and site B grants privileges to site C, then site A is implicitly and perhaps unknowingly granting privileges to site C.

So, let's assume I've provided cross-domain XMLHttpRequest Level 2 (XHR2) permissions, for MySite, to YourSite. Let's also say YourSite serves interactive third-party SWF advertisements, provided with JavaScript access via the allowScriptAccess parameter. Then we have this situation:

[AdSite] -> [YourSite] -> [MySite]

Obviously I never intended to give AdSite's advertisements access to MySite, but that's exactly what I've done! As Peleus notes, this is the vulnerability recently exploited by the Renren worm.

Bryan goes into some detail about the history of these issues and their mitigation, also linking to one of his earlier (April 2008) articles, provocatively titled Cross-domain XHR will destroy the internet. Try not clicking on that!

Peleus concludes his BlueHat article, "Combining research makes it easier to communicate common risks with deploying RIA technologies." The next BlueHat conference, "Microsoft BlueHat Security Briefings: Fall 2009 Sessions", is being held next week:

BlueHat v9 will again bring leading external security researchers to campus to present timely and lively presentations that showcase ongoing research, state-of-the-art hacking tools and techniques, and emergency security threats. Our main themes for BlueHat v9 will be around e-crime attacks, the exploit economy, the global threat landscape, online services, security in the Cloud, mobile (in)security, and cool tools and mitigations.

BlueHat v9: Through the Looking Glass, October 22-23 at the Microsoft corporate headquarters

No comments:

Post a Comment