Review: OWASP DC Meeting on HTML5 Cross-Origin Resource Inclusion

The DC Chapter of the Open Web Application Security Project, OWASP DC, held its August 24th meeting on HTML5 Cross-Origin Resource Inclusion at the offices of LivingSocial. The presentation (slide deck here) was given by Julian Cohen, security researcher and organizer of the CSAW NYU Poly Cybersecurity Competition.

The vulnerability that Julian targeted was a result of the Same Origin Policy (SOP) changes proposed by the HTML5 spec. The SOP is a mandate over the browser’s scripting language, JavaScript, to prevent an open exchange of methods, properties, and cookies between websites. The separation is intended to protect a website’s session and other sensitive data within the client browser from any other website, safe or malicious. The SOP previously defined same origin for domains and documents. The HTML5 spec removes the requirement for same domain origin. Documents of different origins and owners can be changed to matching owners by using the innerHTML JavaScript method. In so doing, one website, malicious or safe, can access another website’s cookies and sensitive data.
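A defensive sketch of the separation described above, added here as an example and not taken from the presentation or from Julian's post: a same-origin comparison (scheme, host and port) and a guard that refuses to write cross-origin markup into a page with innerHTML. It assumes the risky pattern is a page that fetches a URL taken from input and inserts the response into its own document; the function names, the `fetchText` parameter and the `app.example` / `evil.example` URLs are hypothetical.

```javascript
// Added example; function names and URLs are hypothetical.

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(targetUrl, pageUrl) {
  let target, page;
  try {
    page = new URL(pageUrl);
    // Resolving against the page handles relative paths and the
    // protocol-relative "//host/path" form, which changes the host.
    target = new URL(targetUrl, page);
  } catch (e) {
    return false; // unparseable input is never treated as same-origin
  }
  // data:, javascript: and similar schemes have an opaque origin that
  // serialises to the string "null"; never accept those.
  if (target.origin === 'null' || page.origin === 'null') return false;
  return target.origin === page.origin;
}

// Guard for code that loads a fragment and writes it into the DOM.
// fetchText is injected (url -> Promise<string>) so the example runs
// offline; in a browser it would wrap fetch() or XMLHttpRequest.
// The origin check runs before any request is made.
function loadFragment(targetUrl, pageUrl, element, fetchText) {
  if (!sameOrigin(targetUrl, pageUrl)) {
    throw new Error('refusing cross-origin fragment: ' + targetUrl);
  }
  const resolved = new URL(targetUrl, pageUrl).href;
  return fetchText(resolved).then((html) => {
    element.innerHTML = html; // only same-origin markup reaches the page
    return resolved;
  });
}
```

The check only decides where markup may come from; same-origin content that includes user-supplied data still needs output encoding before it is inserted.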

This is an overly simplified recap of the presentation. For further information, and details on how Facebook and Twitter used to be exposed to this vulnerability, check out Julian’s blog post on this topic.