The empire of the World Wide Web was built on shaky foundations due to simple short-sightedness of what this technology would later evolve to become. Behind the web, the protocol that powers the majority of the web today is known as the HyperText Transfer Protocol (HTTP). In its early days, rudimentary browsers were able to parse HTML and rendered data for its users. Most of the data rendered were static; very few dynamic plugins or features were present. Fast forward to the modern web; people use browsers to connect to websites to check their emails, handle banking transactions, purchases, and process sensitive documents (e.g., immigration).
The Shortcomings of HTTP
There are two significant shortcomings of the HTTP protocol that one must understand.
First, HTTP is in plaintext; this essentially means everything transmitted across the wire is using common words and verbs. This poses a significant privacy concern when people begin to use web sites to perform more sensitive actions such as banking, logins, and messaging, all of this can be intercepted by someone nefarious sitting on the same network.
Second, HTTP has no concept of the “state” between connections. Take, for example, an online shopping platform. User Bob bought a bicycle for his birthday, and user Alice purchased a pair of Apple Airpods. The HTTP protocol has no way of differentiating between the two users., and a result, the HTTP cookie was invented in June 1994 by Louis J. Montulli II at Netscape Communications Corporation as a way for websites to track “state.”
On February 12, 1996, HTTP cookies received media wide attention and were discussed in two U.S. Federal Trade Commission hearings due to potential privacy concerns. At the time, users of websites were not informed of cookies, and they were accepted by default.
Modern browsers (Chrome, Firefox, Microsoft Edge) have become extremely helpful to the end-user, which will automatically send any matching cookies scoped to the same domain on every request. Beyond privacy concerns, this also raises some security concerns.
Imagine sensitive web applications such as banking and financial transactions are all tied back to a user’s session cookie. Failing to address the security of cookies would lead to monstrous problems for cookie security.
It’s All About the SOP
If any website, that a user visits, can load and execute code, the Internet would have been a very dangerous place. In the early inception of the World Wide Web, it was like this for some time. However, developers of web browsers recognize the danger of executing arbitrary code and instilled two main security boundaries.
Bypassing the SOP
Critical web application vulnerabilities in the history of the Open Web Application Security Project (OWASP), listed Cross-site scripting, cross-site request forgery, and cross-origin resource sharing all have one thing in common. They are all either vulnerabilities or misconfigurations that end up bypassing the same-origin policy.
According to the same-origin policy, resources from another origin cannot write or modify that that belongs to another origin. The only exceptions to this rule are HTML requests and cookies. Cross-site request forgeries exploit these exceptions coupled with the browser’s helpfulness; it is on the server to verify whether or not these requests are legitimate.
Mitigations and How SOP can Help
When designing a security strategy for your web applications, one must rely on the SOP. Notice in most modern and security-aware banking applications, their login portals, and the security aspects of online banking are served on to different origins. If an application needs to allow untrusted input, always serve them from a different origin. Any content injection such as XSS discovered on authentication.td.com will not affect easyweb.td.com.
How We Can Help
The Packetlabs team is composed of highly trained and experienced web application penetration testers. Reach out today to have a discussion and learn more about how we can test your applications to ensure gaps are closed and how we can formulate a security strategy for your development processes.