Sunday, October 9, 2011

Integrity for sessionStorage

There are many different ways to think about security.  I prefer the following approach:
  1. Define a set of threat models that describe the attacker's capabilities.  For example, the "man-in-the-middle" is a classic threat model in network security that represents an attacker who has complete control over the network but who has no control over network endpoints.
  2. Identify a set of security properties that we wish our system to achieve.  Defining good security properties is a tricky business, and we're mostly going to wave our hands in this blog.  If you'd like an example, you should imagine something like "the attacker doesn't learn the contents of the user's email."
  3. Determine whether an attacker with the capabilities described in the threat model could possibly defeat any of the security properties of our system.  We usually assume that the attacker knows exactly how our system works (e.g., because attackers can read W3C specifications).
This approach tends to be somewhat conservative in the sense that we underestimate whether our system is secure.  That's helpful when thinking defensively because being conservative pushes us to design systems that are secure robustly rather than systems that are secure by some happy accident.

So far, this post has been very abstract, but let's get concrete.  Recently, I've been corresponding with a number of Firefox developers about Firefox Bug 495337.  There are a number of technical details, but the issue boils down to the three factors above:
  1. Threat model.  We're concerned with an active network attacker.  (I need to write a "foundations" post introducing the important threat models in web security, but I didn't want to write too many foundations posts in a row.)  Essentially, an active network attacker has full control over the network (e.g., they can intercept and spoof HTTP requests and responses) but has very little power over secure network connections (e.g., they can't tamper with TLS connections).
  2. Security property.  Here's where things get interesting.  What are appropriate security properties for sessionStorage (an API for semi-persistently storing data in the browser)?  I claim that the data an origin stores in sessionStorage should have confidentiality and integrity (i.e., other origins should not be able to learn or to alter data stored in sessionStorage).
  3. Could possibly defeat.  That leaves us with the question of whether an active network attacker could possibly defeat the confidentiality or integrity of data in sessionStorage.  I claim that such a thing is possible in Firefox (via a somewhat elaborate sequence of steps) because Firefox's behavior deviates slightly from the specification.  Specifically, in some circumstances that an attacker can provoke, Firefox considers only the host portion of the origin, ignoring the scheme and the port.  By ignoring the scheme, Firefox lets a network attacker leverage his or her ability to control HTTP to disrupt the integrity of HTTPS data in sessionStorage.
Does this represent a "real" security problem?  Well, that's a hard question to answer.  Certainly this issue makes it harder to understand the security of systems that use sessionStorage.  Instead of being able to use clean abstractions like confidentiality, integrity, and origin, we need to understand more details of how exactly an attacker can subtly manipulate sessionStorage.
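The origin mismatch described above can be made concrete with a small simulation.  This is an added example, not code from this post or from Firefox: it models a sessionStorage-like store whose partition key is pluggable, compares the specification's (scheme, host, port) key with a host-only key, and checks whether a write from the plain-HTTP origin of the same host (the part of the web a network attacker controls) clobbers the value the HTTPS origin stored.  The URLs, item names and values are constructed sample data.

```javascript
// Added example (not from the post or Firefox): simulate a sessionStorage-like
// store partitioned by a configurable origin key, to contrast the specified
// (scheme, host, port) partitioning with a host-only one.

// Partition key per the specification: scheme, host and port all count.
// Default ports are made explicit so "https://example.com" and
// "https://example.com:443" map to the same key.
function specOriginKey(urlString) {
  const u = new URL(urlString);
  const defaults = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaults[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// The flawed partition key the post describes: host only, scheme and port ignored.
function hostOnlyKey(urlString) {
  return new URL(urlString).hostname;
}

// Minimal storage model: one Map of name -> value per partition key.
class PartitionedStorage {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.areas = new Map();
  }
  area(pageUrl) {
    const key = this.keyFn(pageUrl);
    if (!this.areas.has(key)) this.areas.set(key, new Map());
    return this.areas.get(key);
  }
  setItem(pageUrl, name, value) {
    this.area(pageUrl).set(name, String(value));
  }
  getItem(pageUrl, name) {
    const a = this.area(pageUrl);
    return a.has(name) ? a.get(name) : null;
  }
}

// Scenario from the post, with constructed sample values: the HTTPS origin
// stores an item, then a page on the plain-HTTP origin of the same host
// writes the same item name.  Returns what the HTTPS page reads back afterwards.
function httpsValueAfterHttpWrite(keyFn) {
  const storage = new PartitionedStorage(keyFn);
  storage.setItem('https://example.com/app', 'state', 'set-by-https-page');
  storage.setItem('http://example.com/', 'state', 'set-by-http-page');
  return storage.getItem('https://example.com/app', 'state');
}

// Defender-side check: does this partitioning keep the two origins apart?
// True when the HTTPS value survives the HTTP write.
function preservesHttpsIntegrity(keyFn) {
  return httpsValueAfterHttpWrite(keyFn) === 'set-by-https-page';
}

console.log('spec key keeps HTTPS data intact:', preservesHttpsIntegrity(specOriginKey));
console.log('host-only key keeps HTTPS data intact:', preservesHttpsIntegrity(hostOnlyKey));
```

Run it with `node`: under the specification's key the HTTPS page reads back its own value, while under the host-only key it reads back whatever the HTTP page wrote.  The same shape of check belongs in the test suite of any origin-keyed store, since a collision on scheme or port is exactly what lets a weaker origin touch a stronger origin's data.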

Ultimately, complexity is the enemy of security.  Applied judiciously, threat models and security properties can help you understand the security of your system in simpler terms.


  1. We talked about how a network attacker could inject XSS in our W2SP paper earlier.

    Maybe you can use this as a concrete example? Maybe adding the word "XSS" in the bug report will result in more impetus for a fix? :D

  29. Is there anyone but me concerned about the fact, that the auth tokens (i.e. jwt tokens) are stored in javascript-accessible storage (localStorage/sessionStorage), making them susceptible to XSS (Cross Site Scripting) attacks?

    More info:
    2. owasp
    3. recommended solution on

    Is there a way to prevent satellizer from storing the returned jwt in localStorage (because I would be setting it in a cookie from my backend)?