Day-2: I started my day with Netflix (Peaky Blinders) and ended it by watching OWASP Stockholm - Mathias Karlsson's talk on YouTube (How to Differentiate Yourself as a Bug Bounty Hunter), and in between I read and researched the Same-Origin Policy!
So, what the heck is SOP?
- As you can see from the cover page of this blog, you can clearly understand what the Same-Origin Policy actually means! In simple words, a script from page A can only access data from page B if the two pages are of the same origin.
Who has the Same Origin?
- Two URLs that share the same protocol, hostname and port number are said to have the same origin.
Example 1 is given at the start of the blog!
https://fenilshah.com [port 443 by default]
- https://fenilshah.com/ (same origin, because same protocol (https), hostname (fenilshah.com) and port number (443))
- http://fenilshah.com/ (different origin, because the protocol differs (http instead of https))
- https://fenil.com/ (different origin, because the hostname differs (fenil.com instead of fenilshah.com))
- https://fenilshah.com:8080/ (different origin, because the port number differs (8080 instead of 443))
What does the Same-Origin Policy actually do?
- Modern web applications often base their authentication on HTTP cookies, and servers take action based on the cookies included automatically by the browser. This makes SOP especially important.
Okay, so imagine you are logged in to apple.com and at the same time you are visiting fenilshah.com. If SOP didn't exist, a script hosted on fenilshah.com would be free to access your information on apple.com, since your browser automatically includes your apple.com cookies in every request you send to apple.com (even if the request is a malicious one generated from a script hosted on fenilshah.com). This way an attacker could steal CSRF tokens, private email addresses, addresses and other information parsed from the page. And this is why the Same-Origin Policy is important: SOP prevents the malicious script hosted on fenilshah.com from reading the HTML data returned from apple.com.
Relaxing the SOP!
- Large websites would not be able to share information with each other under a fully restrictive Same-Origin Policy, so for such cases new mechanisms were invented, such as:
Cross-origin resource sharing (CORS)!
Cross-domain messaging (postMessage)!
JSON with Padding (JSONP)!
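As an added example (not code from the original post), here is the origin rule from the URL list above and the CORS relaxation just mentioned, written in plain JavaScript: the first part splits a URL into the (protocol, hostname, port) tuple with the default port filled in, and the second models the browser's decision on whether a cross-origin script may read a response, including the credentialed (cookies attached) case where a wildcard is not enough. The header values used are constructed sample inputs.

```javascript
// Added example, not from the original post. Two pieces: (1) the browser's
// origin tuple (scheme, host, port) applied to the sample URLs above, and
// (2) a model of the CORS read check that relaxes SOP for cross-origin fetches.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = (scheme, host, port). An omitted port means the scheme default, so
// https://fenilshah.com and https://fenilshah.com:443 are the same origin.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Name the first component that differs, matching the reasons given per URL.
function whyDifferent(a, b) {
  const x = originOf(a), y = originOf(b);
  if (x.scheme !== y.scheme) return "protocol";
  if (x.host !== y.host) return "hostname";
  if (x.port !== y.port) return "port";
  return null;
}

// CORS relaxation: the browser lets script on requestOrigin read a cross-origin
// response body only if the server opts in via Access-Control-Allow-Origin.
// With credentials (cookies) attached, "*" is refused; the server must echo the
// exact origin and also send Access-Control-Allow-Credentials: true.
function corsAllowsRead(requestOrigin, headers, { credentials = false } = {}) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (!allowOrigin) return false;               // no opt-in: SOP blocks the read
  if (allowOrigin === "*") return !credentials;
  if (allowOrigin !== requestOrigin) return false;
  return !credentials || headers["access-control-allow-credentials"] === "true";
}

// Demo using the post's sample URLs (run with node).
const base = "https://fenilshah.com";
for (const other of ["https://fenilshah.com/", "http://fenilshah.com/",
                     "https://fenil.com/", "https://fenilshah.com:8080/"]) {
  console.log(other, sameOrigin(base, other) ? "same origin" : `differs by ${whyDifferent(base, other)}`);
}
console.log("credentialed read with ACAO *:",
  corsAllowsRead(base, { "access-control-allow-origin": "*" }, { credentials: true }));
```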
Resources: https://medium.com/swlh/hacking-the-same-origin-policy-f9f49ad592fc (you need a premium subscription to read this blog).
Mozilla web docs: Same-Origin Policy
Tool to Remove SOP issues: Proxrox (This tool removes same-origin policy issues that typically occur during development.)
Mathias Karlsson's Talk: YouTube
Got doubts? Contact me on Twitter.
Feedback is welcome, do comment down below! :)