A note for reading 'Mastering Modern Web Penetration Testing', Chapter 1
Chapter 1
SOP (Same-origin policy)
Explanation by Wikipedia:
In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.
Reference:
Same-origin policy - Wikipedia
Applicable Scope:
The same-origin policy covers JS, cookies, AJAX, Flash, and so on; data stored in localStorage is also governed by it. That means a page cannot read data belonging to another origin through JS, JSON, the DOM, AJAX, etc.
For example, a cookie named PHPSESSION is set by the server at http://example.com. Assuming you are hosting the server http://www.attacker.com, you can't read the 'PHPSESSION' data of http://example.com through the DOM.
Switching origins:
JS provides a way to change origins if certain conditions are met.
Domain: http://attacker.example.com/
Target: http://victim.example.com/
document.domain = 'example.com';
-> By setting document.domain, all of the DOM data in the current page will be shared within the scope of *.example.com.
This change is allowed only when the current page belongs to a subdomain of the main domain being set.
If the current page isn't a subdomain of the main domain, an error message is shown in the console log.
- Quirks with Internet Explorer
IE skips the policy checks in the following situations:
  - The origin falls under the Trusted Zone, e.g. internal corporate websites.
  - IE doesn't take the port number into account, e.g. port 8081 and port 8080 are considered the same origin.
Possible bugs:
1. SOP bypass in IE for the port number.
2. An SOP bypass in Firefox abusing the PDF reader. (CVE-2015-4495)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4495
Cross-domain messaging
Sometimes, there exists a need to communicate across different origins.
Cross-domain messaging (CDM) allows sending messages or data across different origins.
AJAX and the same-origin policy
AJAX allows the browser to silently exchange data with the server without reloading the page.
AJAX works through the XMLHttpRequest object of JS.
XMLHttpRequest: XMLHttpRequest (XHR) is an API in the form of an object whose methods transfer data between a web browser and a web server.
CORS (Cross-Origin Resource Sharing)
CORS allows cross-domain HTTP data exchange, which means a page running at origin A can send/receive data from a server at origin B.
The 'Access-Control-Allow-Origin' response header is what enables Cross-Origin Resource Sharing.
e.g.
Access-Control-Allow-Origin: *.example.com
Access-Control-Allow-Methods: OPTIONS, GET, POST
Access-Control-Allow-Headers: X-custom
Access-Control-Allow-Credentials: true
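An added example (not from the book or from this note) of how a server should answer the Origin header so that a policy like the one above actually holds: browsers do not pattern-match values such as *.example.com in Access-Control-Allow-Origin, and they refuse * when Access-Control-Allow-Credentials is true, so the server has to validate the request's Origin against its own rule and echo that exact origin back. The base domain example.com and the HTTPS-only rule are assumptions; the origins in the comments are constructed samples.

```javascript
// Origin of a URL as the browser sees it: scheme + host + port (the SOP triple).
// Default ports are dropped, so http://example.com:80/x and http://example.com/y match.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Allow-list rule (assumed for this example): HTTPS origins on baseDomain or one
// of its subdomains. The suffix check runs on the hostname only, so constructed
// look-alikes such as https://example.com.attacker.com or https://notexample.com
// are rejected, as is the opaque origin "null" (new URL throws on it).
function isAllowedOrigin(origin, baseDomain) {
  let u;
  try { u = new URL(origin); } catch (e) { return false; }
  if (u.protocol !== 'https:') return false;
  return u.hostname === baseDomain || u.hostname.endsWith('.' + baseDomain);
}

// CORS response headers for a credentialed request from requestOrigin.
// Returns null when the origin is not allowed: no ACAO header is emitted at all,
// so the browser blocks the cross-origin read.
function corsHeadersFor(requestOrigin, baseDomain) {
  if (!isAllowedOrigin(requestOrigin, baseDomain)) return null;
  return {
    'Access-Control-Allow-Origin': originOf(requestOrigin), // exact echo, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'OPTIONS, GET, POST',
    'Access-Control-Allow-Headers': 'X-custom',
    'Vary': 'Origin', // the response depends on Origin; keep caches from mixing them
  };
}
```

Without the Vary: Origin header a shared cache could serve one origin's ACAO value to a different requester, which is the usual way a per-origin allow-list silently turns into a wider one.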