Sven Morgenroth of Netsparker gave a technical presentation entitled 'How to Circumvent the SOP and How to Get Hacked in the Process' during episode #550 of Paul's Security Weekly. The presentation was about the Same-origin Policy (SOP), one of the most important security policies in web browsers, and during the presentation Sven explained:
- The origins of the SOP and how it works; he also noted that the SOP isn't a single, standardized policy, since it has evolved over time.
- Why web developers tend to hate the SOP. Hint: it makes life inconvenient for them. Developers want to bypass it so that web applications on different origins (including a domain and its subdomains) can communicate with each other without having to deal with the intricacies of the SOP.
- Why the SOP is a good security measure, and why it also comes at a cost. On the positive side, it is restrictive, and those restrictions can be selectively lifted to allow web applications from different origins to communicate. The problem lies in allowing websites on other origins to access your data: there are several ways to achieve this, and all of them can create further problems if implemented improperly.
During the presentation Sven also ran a demo showing several techniques by which developers circumvent the SOP:
- JSON with Padding (JSONP), which wraps JSON so that it can be loaded with a script tag,
- Cross-Origin Resource Sharing (CORS),
- Setting document.domain to the value of the main domain, and the postMessage API.
For each, Sven talked about how it works and what the dangers are. These are powerful tools for relaxing the SOP, but they have to be used with care, as they are easy to get wrong. The episode ended with a brief Q&A session, as Joff Thyer and Keith Hoodlet joined the show.
Slides for the Same-origin Policy Presentation & Demo
Here are the slides Sven used during the presentation and demo on the Same-origin Policy.