Problems with Same Origin Policy (Transcript of Discussion)

Author(s):  
Dieter Gollmann
Author(s):  
Florian Kohlar ◽  
Jörg Schwenk ◽  
Meiko Jensen ◽  
Sebastian Gajek

In recent research, two approaches to protecting SAML-based Federated Identity Management (FIM) against man-in-the-middle attacks have been proposed. One binds the SAML assertion and the SAML artifact to the public key contained in a TLS client certificate. The other strengthens the browser's Same Origin Policy by taking the security guarantees of TLS into account. This work presents a third approach that is of interest beyond identity management (IDM) protocols, especially for mobile devices that rely heavily on the security offered by web technologies. By binding the SAML assertion to values cryptographically derived from the TLS session agreed between the client and the service provider, this approach preserves the anonymity of the (mobile) browser while allowing the Relying Party and the Identity Provider to detect the presence of a man-in-the-middle attack.


2014 ◽  
Vol 519-520 ◽  
pp. 373-376
Author(s):  
Yi Tang ◽  
Zhao Kai Luo ◽  
Ji Zhang

A web page often contains objects that the hosting web server intends a browser to render. Rendering those objects can trigger network requests to foreign origins. Although the same origin policy (SOP) limits what foreign objects may access, a web attacker can circumvent the SOP controls by injecting unintended objects whose requests smuggle sensitive data out of the page. In this paper, we propose UOFilter, a whitelist-based method for filtering out unintended objects in web pages. We define a list item structure that describes intended objects, with optional integrity guarantees. UOFilter, running in the web browser, interprets the items and blocks the network requests issued by unintended objects. We implement a proof-of-concept UOFilter prototype as a Chrome browser extension and validate it experimentally.
