Browsers use something called the 'same origin policy' (SOP) to sandbox which content a script is allowed to touch. Script running in a page from one origin is prevented from reading the DOM, cookies or HTTP responses belonging to a page from another origin. The origin is built by combining three elements into a unique key:
- Protocol (e.g. http)
- Domain, meaning the full hostname (e.g. singe.za.net; www.singe.za.net is a different origin)
- Port (e.g. 80)
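The check above, worked through as an added example (this is not code from the original post). It models the scheme/host/port tuple and the one normalisation browsers apply (an omitted port equals the scheme's default), and it also models the `document.domain` relaxation that the subdomain IFRAME trick listed further down relies on. The public-suffix rule that real browsers enforce when `document.domain` is set is simplified here to "the value must contain a dot"; that simplification is an assumption of the example.

```javascript
// Added example, not from the original post: a model of the same-origin
// check. Scheme, host and port are compared as a tuple; an omitted port is
// the scheme's default, so http://singe.za.net and http://singe.za.net:80
// are one origin, as browsers treat them.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function originTuple(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// document.domain relaxation: a page may set document.domain to its own
// host or to a parent domain of it. Two pages that have BOTH set it to the
// same value are then treated as same-origin for DOM access, and the port
// is no longer compared. Assumption of this example: any value containing
// a dot is acceptable; real browsers additionally refuse public suffixes.
function canSetDocumentDomain(host, value) {
  if (host === value) return true;
  return value.includes('.') && host.endsWith('.' + value);
}

function sameOriginAfterRelaxation(a, domainA, b, domainB) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (!canSetDocumentDomain(x.host, domainA)) return false;
  if (!canSetDocumentDomain(y.host, domainB)) return false;
  return x.scheme === y.scheme && domainA === domainB;
}

// Constructed sample pairs showing which combinations share an origin.
const SAMPLE_PAIRS = [
  ['http://singe.za.net/a', 'http://singe.za.net:80/b'],     // same: default port
  ['http://singe.za.net/', 'https://singe.za.net/'],         // differ: scheme
  ['http://singe.za.net/', 'http://singe.za.net:8080/'],     // differ: port
  ['http://www.singe.za.net/', 'http://singe.za.net/'],      // differ: host
];

function classifyPairs(pairs = SAMPLE_PAIRS) {
  return pairs.map(([a, b]) => ({ a, b, same: sameOrigin(a, b) }));
}
```

Note that after both sides set `document.domain` to the common parent, `http://www.singe.za.net` and `http://api.singe.za.net:8080` pass the check even though the ports differ, while an `http` page and an `https` page never do.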
Some more detail on this is available here. Anyone familiar with AJAX hacking will know this already, but for those who aren't, imagine if JS in one of your tabs could mess with the JS in another. Porn sites would take the opportunity to redirect all of your tabs to something obscene, and AJAX keyloggers could be attached to your internet banking window.
After bumping into Haroon, I thought I would try to reconcile all the reading I had done on bypassing SoP into one place. As far as I am aware, there are a fair number of ways to get around SoP, though usually only in a limited fashion. These are:
- On demand/dynamic JavaScript
- IFRAMEs
- Proxies
- Flash/Java/Plugins
- Anti-DNS Pinning
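The first item in that list, on demand (dynamic) JavaScript, is worth seeing in code. The following is an added example, not code from the original post or from any of the linked write-ups: a `<script src=...>` element may point at any origin, and whatever that origin returns is executed as code inside the including page, so a remote server can hand data back by wrapping it in a call to a function the page defines (the JSONP pattern). The browser-side `<script>` insertion is shown in a comment; so that the example runs under Node, the execution of the returned script is simulated with `new Function`, which is an assumption of the example rather than a browser API. The callback-name check on the server side is the caveat a practitioner wants: without it, the endpoint reflects attacker-chosen script into every page that includes it.

```javascript
// Added example, not from the original post: why "on demand" JavaScript
// escapes the same-origin policy. The page cannot XMLHttpRequest another
// origin, but it can include a script from it, and that script runs with
// the including page's privileges.

// Server side at the remote origin: wrap the JSON payload in a call to the
// callback the page asked for. Assumption for this example: the callback
// name arrives in the query string, so it is restricted to a plain
// identifier; an unchecked name such as "alert(1);//" would be echoed as
// executable script (reflected XSS) to every including page.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;

function buildJsonpResponse(callbackName, payload) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error('invalid callback name');
  }
  return `${callbackName}(${JSON.stringify(payload)});`;
}

// Client side, as a browser page would do it (not executed here):
//   window.handleData = function (d) { /* use the cross-origin data */ };
//   var s = document.createElement('script');
//   s.src = 'http://other.example/data?callback=handleData';
//   document.body.appendChild(s);
//
// Below, executing the returned body is simulated with new Function so the
// example runs under Node; the "page" exposes only the named globals.
function runAsIncludedScript(scriptBody, pageGlobals) {
  const names = Object.keys(pageGlobals);
  const fn = new Function(...names, scriptBody);
  fn(...names.map((n) => pageGlobals[n]));
}

// The including page receives the data through its own callback, even
// though a direct cross-origin XMLHttpRequest would be refused by SOP.
function fetchViaDynamicScript(remoteResponseBody) {
  let received;
  runAsIncludedScript(remoteResponseBody, {
    handleData: (d) => { received = d; },
  });
  return received;
}

// Constructed sample: the remote origin answers with a JSONP body.
const remoteBody = buildJsonpResponse('handleData', { user: 'singe', balance: 42 });
const data = fetchViaDynamicScript(remoteBody);
```

The flip side of the same mechanism is the trust it implies: the including page runs whatever the remote origin returns, so a compromised or malicious script host owns the page, which is exactly the cross-tab scenario sketched earlier in the post.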
Here is an overview of some good reads on the subject:
- TAOSA - Overview
- GNUCITIZEN - Using Proxies and IFRAMEs
- Abe Fettig - Using IFRAMEs for subdomain XmlHttpRequest
- AjaxPatterns (Google Cache) - Dynamic JavaScript
- Amit Klein - Forging HTTP headers with Flash
- Jeremiah Grossman - Anti-DNS Pinning