Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Same Origin Policy
The web browser has been called the most important piece of software of this century so far.
It is the "client" in the client-server model, in the HTTP protocol, and in the security concepts of web computing generally.
It is the software we use to conduct our daily Internet life, from maintaining our social networks to online ticketing, online shopping and banking.
It is also the interface we use to browse site after site, gain access to the most sensitive data and conduct the most sensitive operations.
It is the browser's core function to execute the commands supplied by the server, or risk failing to render the page properly.
The web browser is almost everywhere in the network, from the user network zones to the guest zones and even the internal, supposedly secure DMZ zones.
The interaction between the web browser and the web server is a rich attack surface. Firewalls have effectively reduced permitted network traffic to ports 80 and 443, which leaves web browsers and web servers as the remaining path in.
Based on data collected in the second half of 2012 from a billion Windows computers in more than 100 countries, browser attacks became the greatest threat to enterprise networks, surpassing Conficker, a computer worm that infected more computers than any other since 2003's Welchia (Microsoft Security Intelligence Report).
Components of Browser in Action
Same Origin Policy (SOP)
: restricts resources from one origin (scheme, host and port) from interacting with resources of other origins.
Cross-Origin Resource Sharing (CORS)
: specification that lets a server selectively relax the SOP for cross-origin requests (e.g., XMLHttpRequest) by declaring which origins may read its responses.
HTTP
: requests and responses
: HTML, XML, etc.
Document Object Model (DOM)
: a method for scripting languages to interact with the rendering engine by providing references to HTML elements in the form of objects.
Rendering engine
: Trident in IE, Gecko in Firefox, Blink in Chrome
Geolocation API
: provides mobile devices and desktops access to the geographical location of the web browser.
: communication channel between the web browser and the server
: background in HTML5
: manipulated (deleted, forwarded, backwarded) by HTML5
Web Real-Time Communication (WebRTC) API
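The two definitions above, the SOP and CORS, are easiest to see in code. The following is an added example written for this page, not code from the course slides: it derives the (scheme, host, port) origin triple the browser compares, serialises it the way the `Origin` request header carries it, decides on the server side which `Access-Control-*` headers to return for an allowlisted origin, and tells whether a request is "simple" or needs a preflight. The allowlist and the sample URLs are constructed inputs; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the course slides): origin comparison for the SOP
// and the server-side CORS decision. Node.js, no dependencies.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is the (scheme, host, port) triple. Path, query and fragment
// play no part in it. Default ports are normalised so that
// http://site.example:80/ and http://site.example/ compare equal.
// (new URL(u).origin computes the same thing; this spells it out.)
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

function isSameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Serialised form the browser puts in the Origin request header.
function serializeOrigin(urlString) {
  const o = originOf(urlString);
  const omitPort = o.port === '' || o.port === DEFAULT_PORTS[o.scheme];
  return `${o.scheme}//${o.host}${omitPort ? '' : ':' + o.port}`;
}

// Server side of CORS. `allowlist` is a constructed Set of trusted origins.
// Returns null when the requesting origin is not allowed: the server then
// answers with no CORS headers and the browser refuses to expose the body.
function corsResponseHeaders(requestOrigin, allowlist, { credentials = false } = {}) {
  if (!allowlist.has(requestOrigin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin, // echo the exact origin
    'Vary': 'Origin',                              // keep caches per-origin
  };
  if (credentials) {
    // "*" is never valid together with credentials; only an exact origin is.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// The browser sends a preflight (OPTIONS) only for requests that are not
// "simple": any method other than GET/HEAD/POST, a non-form Content-Type,
// or any header outside the CORS-safelisted set.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
const SIMPLE_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return true;
    if (lower === 'content-type' &&
        !SIMPLE_CONTENT_TYPES.has(String(value).split(';')[0].trim())) {
      return true;
    }
  }
  return false;
}

// Demo on constructed URLs.
const base = 'http://site.example/app/';
for (const other of ['http://site.example:80/other?x=1', 'https://site.example/app/',
                     'http://www.site.example/app/', 'http://site.example:8080/app/']) {
  console.log(`${base} vs ${other}: same origin = ${isSameOrigin(base, other)}`);
}
const allow = new Set(['https://app.example']);
console.log(corsResponseHeaders('https://app.example', allow, { credentials: true }));
console.log(corsResponseHeaders('https://evil.example', allow));
console.log('PUT needs preflight:', needsPreflight('PUT'));
console.log('JSON POST needs preflight:', needsPreflight('POST', { 'Content-Type': 'application/json' }));
```

Two practical points the code encodes: a server should echo a specific allowlisted origin (with `Vary: Origin`) rather than reflecting any `Origin` it receives, and a JSON `POST` is not a "simple" request, so an API that only accepts `application/json` is protected by the preflight, while one that also accepts form encodings is not.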
Browser's Core Security Problems
Increased attack surface
Automatic and silent browser updates can change the attack surface without the defender's knowledge.
Browser extensions and plug-ins inevitably add places a hacker can target, thereby increasing the attack surface of the browser.
HTML5 increases the attack surface by providing many more methods than the previous HTML4 generation.
Further reading: "HTML5 Security"; "HTML5 opens door to broader attacks".
Insecure external scripts
: Cryptography (e.g., SSL and TLS) used to exchange data can also be used to hide the attacker's payloads from network inspection.
Same Origin Policy
: Inconsistent SOP implementation, across browsers and across the browser features that enforce it, creates security problems.
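One concrete instance of the inconsistency named above is the cookie jar: cookies are scoped by domain and path (plus the `Secure` flag), not by the scheme/host/port origin triple that the DOM and XMLHttpRequest use, so two URLs that are different origins can still share a session cookie. The following is an added example written for this page, not code from the course slides: it implements the RFC 6265 domain and path matching rules in a small `cookieSentTo` function and compares its answer with the browser's origin comparison (`new URL(u).origin`) for a set of constructed URLs and cookies. Runs under Node.js with no dependencies.

```javascript
// Added example (not from the course slides): cookie scope vs. origin.
// The cookies and URLs below are constructed for illustration.

// The browser's origin comparison: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 section 5.1.3 domain matching: exact host, or a dot-separated
// parent domain (never for IP-address hosts).
function domainMatches(host, cookieDomain) {
  if (host === cookieDomain) return true;
  return host.endsWith('.' + cookieDomain) && !/^[\d.]+$/.test(host);
}

// RFC 6265 section 5.1.4 path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would this cookie be attached to a request for `url`?
// Note what is absent: no port check at all, and the scheme matters only
// when the Secure flag is set.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatches(u.hostname, cookie.domain);
  if (!hostOk) return false;
  if (!pathMatches(u.pathname, cookie.path)) return false;
  if (cookie.secure && u.protocol !== 'https:') return false;
  return true;
}

// Constructed cookies, as if set by a response from http://site.example:8080/app/
// (with no Path attribute the default path is the request's directory, /app).
const SETTER = 'http://site.example:8080/app/';
const SESSION = { name: 'sid', domain: 'site.example', path: '/app', secure: false, hostOnly: true };
const SECURE_SESSION = { ...SESSION, name: 'ssid', secure: true };
// Set with an explicit Domain=site.example attribute, so subdomains receive it.
const SHARED = { name: 'pref', domain: 'site.example', path: '/', secure: false, hostOnly: false };

// For one target URL: what the SOP says, and what the cookie jar does.
function compare(url) {
  return {
    sameOrigin: sameOrigin(SETTER, url),
    sidSent: cookieSentTo(SESSION, url),
    ssidSent: cookieSentTo(SECURE_SESSION, url),
    prefSent: cookieSentTo(SHARED, url),
  };
}

for (const url of [
  'http://site.example:8080/app/x', // same origin
  'http://site.example/app/x',      // different port: different origin, same cookies
  'https://site.example/app/x',     // different scheme: different origin, same cookies
  'http://www.site.example/app/',   // subdomain: only the Domain= cookie travels
  'http://site.example:8080/other', // same origin, but outside the cookie path
]) {
  console.log(url, compare(url));
}
```

The practitioner's takeaway: a non-`Secure` cookie set over plain HTTP is sent to the HTTPS site on the same host, and anything listening on another port of the same host (a development server, a second application) shares the jar, even though the SOP treats all of these as separate origins. The `Secure` flag and a host-only (no `Domain=`) cookie narrow the scope, but nothing in the cookie model separates ports.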