
Same-Origin Policy and How to Circumvent It [Video]


This presentation is about the Same-Origin Policy (SOP), one of the most important security policies in web browsers, and how circumventing it can introduce vulnerabilities into a web application.


Sven Morgenroth of Netsparker gave a technical presentation entitled 'How to Circumvent the SOP and How to Get Hacked in the Process' during episode #550 of Paul's Security Weekly. The presentation was about the Same-Origin Policy (SOP), one of the most important security policies in web browsers, and during the presentation, Sven explained:

  • The origin of SOP and how it works, during which he also noted that SOP isn't a single, standardized policy because it has developed over time.
  • Why web developers tend to hate SOP. Hint: it makes life inconvenient for them. Developers want to bypass the SOP so that parts of their web application served from different origins (including a domain and its subdomains) can communicate with each other without having to deal with the intricacies of SOP.
  • Why SOP is a good security measure, but also why it comes at a cost. On the positive side, it is restrictive; those restrictions can be lifted selectively to allow web applications from different origins to communicate. The risk lies in deciding which other origins may access your data. There are several ways to grant that access, and all of them can create further problems if improperly implemented.

During the presentation, Sven also ran a demo showing several techniques by which developers relax the SOP, and how each can be exploited when misused:

  • JSON with Padding (a way to format JSON to include it with a script tag).
  • Cross-Origin Resource Sharing (CORS).
  • Setting document.domain to the value of the main domain, and the postMessage API.

For each, Sven talked about how it works and what the dangers are. These are powerful tools for relaxing the SOP, but they have to be used with care, as it is easy to get them wrong. The episode ended with a brief Q&A session, as Joff Thyer and Keith Hoodlet joined the show.
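As an added illustration of two of the relaxations listed above (CORS and postMessage), not code from the presentation: each is shown in the weak form the talk warns about beside a checked form. The origins and the `event` objects are constructed sample values.

```javascript
// Added example: the weak and the checked form of two SOP relaxations.

// --- CORS (server side) ---
// Weak: reflects whatever Origin the browser sent and also allows credentials,
// so any site the user visits can read authenticated responses from this API.
function corsHeadersReflecting(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Checked: exact match against an allowlist of full origins (scheme, host, port).
// Unknown origins, a missing header and the literal "null" origin get no CORS
// headers, so the browser keeps the response opaque to the calling page.
function corsHeadersAllowlisted(requestOrigin, allowlist) {
  if (typeof requestOrigin !== "string" || !allowlist.includes(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's header to another
  };
}

// --- postMessage (receiving page) ---
// Weak: trusts the message no matter which origin posted it.
function onMessageUnchecked(event) {
  return { accepted: true, data: event.data };
}

// Checked: compare event.origin before touching event.data. Strict string
// equality is deliberate; a startsWith or regex check would also accept
// look-alike origins such as "https://app.example.com.other.example".
function onMessageChecked(event, trustedOrigin) {
  if (event.origin !== trustedOrigin) {
    return { accepted: false, data: null };
  }
  return { accepted: true, data: event.data };
}

// Constructed sample inputs; no browser needed to follow the logic.
const ALLOWLIST = ["https://app.example.com"];
const leaked = corsHeadersReflecting("https://other.example");      // ACAO reflected
const denied = corsHeadersAllowlisted("https://other.example", ALLOWLIST); // {}
const fakeEvent = { origin: "https://app.example.com.other.example", data: "hi" };
const rejected = onMessageChecked(fakeEvent, "https://app.example.com"); // accepted: false
```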


Slides for the Same-Origin Policy Presentation and Demo

Here are the slides Sven used during the presentation and demo of the Same-Origin Policy.


Topics:
security ,web application security ,same-origin policy ,cybersecurity

Published at DZone with permission of
