Sunday, October 9, 2011

Integrity for sessionStorage

There are many different ways to think about security.  I prefer the following approach:
  1. Define a set of threat models that describe the attacker's capabilities.  For example, the "man-in-the-middle" is a classic threat model in network security that represents an attacker who has complete control over the network but who has no control over network endpoints.
  2. Identify a set of security properties that we wish our system to achieve.  Defining good security properties is a tricky business, and we're mostly going to wave our hands in this blog.  If you'd like an example, you should imagine something like "the attacker doesn't learn the contents of the user's email."
  3. Determine whether an attacker with the capabilities described in the threat model could possibly defeat any of the security properties of our system.  We usually assume that the attacker knows exactly how our system works (e.g., because attackers can read W3C specifications).
This approach tends to be somewhat conservative in the sense that it underestimates how secure our system is.  That's helpful when thinking defensively because being conservative pushes us to design systems that are robustly secure rather than systems that are secure by some happy accident.

So far, this post has been very abstract, but let's get concrete.  Recently, I've been corresponding with a number of Firefox developers about Firefox Bug 495337.  There are a number of technical details, but the issue boils down to the three factors above:
  1. Threat model.  We're concerned with an active network attacker.  (I need to write a "foundations" post introducing the important threat models in web security, but I didn't want to write too many foundations posts in a row.)  Essentially, an active network attacker has full control over the network (e.g., they can intercept and spoof HTTP requests and responses), but has very little power over secure network connections (e.g., they can't mess with TLS connections).
  2. Security property.  Here's where things get interesting.  What are appropriate security properties for sessionStorage (an API for semi-persistently storing data in the browser)?  I claim that the data an origin stores in sessionStorage should have confidentiality and integrity (i.e., other origins should not be able to learn or to alter data stored in sessionStorage).
  3. Could possibly defeat.  That leaves us with the question of whether an active network attacker could possibly defeat the confidentiality or integrity of data in sessionStorage.  I claim that such a thing is possible in Firefox (via a somewhat elaborate sequence of steps) because Firefox's behavior deviates slightly from the specification.  Specifically, in some circumstances that an attacker can provoke, Firefox considers only the host portion of the origin, ignoring the scheme and the port.  By ignoring the scheme, Firefox lets a network attacker leverage his or her ability to control HTTP to disrupt the integrity of HTTPS data in sessionStorage.
Does this represent a "real" security problem?  Well, that's a hard question to answer.  Certainly this issue makes it harder to understand the security of systems that use sessionStorage.  Instead of being able to use clean abstractions like confidentiality, integrity, and origin, we need to understand more details of how exactly an attacker can subtly manipulate sessionStorage.
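As an added illustration (not code from this post or from Firefox), the following Node.js script simulates a browser partitioning sessionStorage by origin, then swaps in a host-only key like the one the post says Firefox uses in some circumstances, so you can see why the scheme has to be part of the comparison. The URLs are constructed samples.

```javascript
// Added example: per-origin partitioning of a sessionStorage-like store,
// compared with a host-only partitioning that ignores scheme and port.
// Uses the built-in URL class, so it runs under plain Node.js.

// Default ports per scheme, so "https://example.com" and
// "https://example.com:443" map to the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Spec-style origin key: scheme, host and port all matter.
function originKey(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Host-only key: the relaxed comparison the post warns about.
function hostOnlyKey(urlString) {
  return new URL(urlString).hostname;
}

// Minimal in-memory storage, partitioned by whatever key function the
// simulated browser uses. Each partition is its own name/value map.
class PartitionedStorage {
  constructor(keyFn) { this.keyFn = keyFn; this.parts = new Map(); }
  area(url) {
    const k = this.keyFn(url);
    if (!this.parts.has(k)) this.parts.set(k, new Map());
    return this.parts.get(k);
  }
  setItem(url, name, value) { this.area(url).set(name, value); }
  getItem(url, name) {
    const v = this.area(url).get(name);
    return v === undefined ? null : v;
  }
}

// Scenario from the post: a page on the HTTPS origin stores a value, then a
// page on the plain-HTTP origin of the same host (which an active network
// attacker controls) writes the same name. Returns what the HTTPS page reads
// back afterwards, so the caller can see whether integrity survived.
function httpsValueAfterHttpWrite(keyFn) {
  const storage = new PartitionedStorage(keyFn);
  const secure = "https://example.com/app"; // constructed sample URL
  const plain = "http://example.com/app";   // constructed sample URL
  storage.setItem(secure, "token", "trusted");
  storage.setItem(plain, "token", "tampered");
  return storage.getItem(secure, "token");
}

// Spec origins keep the partitions apart:
//   httpsValueAfterHttpWrite(originKey)   -> "trusted"
// Host-only keys let the HTTP write clobber the HTTPS data:
//   httpsValueAfterHttpWrite(hostOnlyKey) -> "tampered"
```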

Ultimately, complexity is the enemy of security.  Applied judiciously, threat models and security properties can help you understand the security of your system in simpler terms.

369 comments:

  1. We talked about how a network attacker could inject XSS in our W2SP paper earlier. http://www.cs.berkeley.edu/~devdatta/papers/w2sp10-primitives.pdf

    Maybe you can use this as a concrete example? Maybe adding the word "XSS" in the bug report will result in more impetus for a fix? :D

  20. Is there anyone but me concerned about the fact, that the auth tokens (i.e. jwt tokens) are stored in javascript-accessible storage (localStorage/sessionStorage), making them susceptible to XSS (Cross Site Scripting) attacks?

    More info:
    1. stormpath.com/blog
    2. owasp
    3. recommended solution on stackoverflow.com

    Is there a way to prevent satellizer from storing the returned jwt in localStorage (because I would be setting it in a cookie from my backend)?