#BHUSA BlackHatEvents

Cross-Origin Web Attacks via HTTP/2 Server Push and Signed HTTP Exchange
Speaker: Pinji Chen
Contributors: Jianjun Chen, Qi Wang, Mingming Zhang, Haixin Duan

Talk Roadmap
- What is SOP, and what has changed in today's "origin" definition?
- What novel threats/attacks would this change bring to the Web?
- Are these attacks practical in the real world?
- Our work: the CrossPUSH and CrossSXG attacks
- Some practical attack techniques caused by Web PKI weakness
- A real-world case we found

"URI-based" same-origin policy (SOP)
URI-based origin: the triple of scheme, host, port, e.g. scheme "https", host (elided in the extraction), port "443".
[Figure: a browser sends "GET http:/..." to a web server and receives the response; SOP is enforced between the two web servers]
SOP is a cornerstone of web security, designed to safeguard user data against cross-origin attacks.

Do you know other definitions of origin?

"SAN-based" origin
HTTP/2 and HTTP/3 consider any hosts listed in the SAN of the certificate to be same origin (RFC 9110 - HTTP Semantics, RFC 9113 - HTTP/2, SXG draft).
Subject Alternative Name (SAN): one TLS certificate is shared with many hosts (SAN entries shown on the slide, host names partly lost in extraction: *, *, admob-, *, *).

SAN-based origin is more permissive
- 96% of certificates have multiple domains in the SAN list.
- Even 3.2% contain domains from different organizations [1].
- Multi-domain shared certificates are common.
URI-based origin vs. SAN-based origin: the SAN-based origin is more permissive!

[1] Cangialosi F. et al. Measurement and analysis of private key sharing in the HTTPS ecosystem. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016: 628-640.
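To make the gap between the two origin definitions concrete, the following added example (written for this page, not code from the talk or its authors) computes the URI-based origin triple and the certificate-derived "SAN-based" grouping for a constructed certificate, and flags SAN entries that fall outside the domains an operator actually owns; the SAN list and domain names are assumptions.

```python
# Added example: URI-based origin (SOP) vs. SAN-based origin (HTTP/2 coalescing).
# The SAN list and domains are constructed samples, not taken from the talk.
# Real clients add further conditions before coalescing; this models only the
# certificate check the talk discusses.
from urllib.parse import urlsplit

def uri_origin(url: str) -> tuple[str, str, int]:
    """URI-based origin: (scheme, host, port), default ports filled in."""
    u = urlsplit(url)
    default = {"https": 443, "http": 80}
    return (u.scheme, u.hostname or "", u.port or default.get(u.scheme, 0))

def same_origin_uri(url_a: str, url_b: str) -> bool:
    return uri_origin(url_a) == uri_origin(url_b)

def san_matches(san: str, host: str) -> bool:
    """dNSName matching as in RFC 6125: a leading '*' covers exactly one label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        return host.endswith(suffix) and host.count(".") == san.count(".")
    return san == host

def same_origin_san(host_a: str, host_b: str, sans: list[str]) -> bool:
    """Two hosts are 'same origin' for HTTP/2 coalescing when one certificate
    covers both, regardless of the URI triple (the talk's core observation)."""
    covered_a = any(san_matches(s, host_a) for s in sans)
    covered_b = any(san_matches(s, host_b) for s in sans)
    return covered_a and covered_b

def over_broad_sans(sans: list[str], owned_domains: list[str]) -> list[str]:
    """Defender check: SAN entries not under any domain the operator owns.
    Such entries widen the SAN-based origin to hosts outside your control."""
    def under(san: str, dom: str) -> bool:
        bare = san.lstrip("*.")
        return bare == dom or bare.endswith("." + dom)
    return [s for s in sans if not any(under(s, d) for d in owned_domains)]

# Constructed certificate: a wildcard plus a name belonging to another party.
SAMPLE_SANS = ["*.example.com", "example.com", "cdn.example.net", "*.partner-site.org"]

if __name__ == "__main__":
    print(same_origin_uri("https://www.example.com/", "https://api.example.com/"))
    print(same_origin_san("www.example.com", "api.example.com", SAMPLE_SANS))
    print(over_broad_sans(SAMPLE_SANS, ["example.com", "example.net"]))
```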