Understanding the Breakdown of Same-origin Policies in Web Services That Rehost Websites

[Journal of Information Processing Vol.32, pp.801-816]

[Abstract]

Intermediary web services such as web proxies, translators, and archives have become pervasive as a means to enhance the openness of the web. These services aim to remove the intrinsic obstacles to web access, i.e., access blocking, language barriers, and missing websites. In this study, we refer to these services as web rehosting services and make the first exploration of their security flaws. Web rehosting services use a single domain name to rehost several websites that have distinct domain names; this characteristic makes web rehosting services intrinsically vulnerable to violating the same-origin policy if not operated carefully. Based on the intrinsic vulnerability of web rehosting services, we demonstrate that an attacker can perform five different types of attacks that target users of web rehosting services: persistent man-in-the-middle attack, abusing privileges to access various resources, stealing credentials, stealing browser history, and session hijacking/injection. Our extensive analysis of 21 web rehosting services, which have more than 200 million accesses per day, revealed that these attacks are feasible. In response to this observation, we provide effective countermeasures against each type of attack. Through our efforts, several major web services have successfully completed improvements to make their architecture more secure.
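The structural cause described in the abstract is that the browser derives an origin from (scheme, host, port) only, so every site rehosted under one service hostname collapses into one origin. The following added illustration (not code from the paper or from any rehosting service) computes that origin tuple for two constructed target sites under a path-based rehosting URL scheme and under an assumed per-site-subdomain scheme; the service name `rehost.example`, the target sites and the subdomain encoding are all constructed for the example.

```python
from urllib.parse import urlsplit, quote

# Constructed: a hypothetical rehosting service and two unrelated target sites.
REHOST_HOST = "rehost.example"
TARGETS = ["https://bank.example/login", "https://other.example/page.html"]

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) tuple a browser uses as the web origin."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def rehost_path_based(target: str) -> str:
    """Path-based rehosting: the target URL is carried in the path of one
    service hostname, as the abstract describes. Every target shares the
    service's origin, so cookies, storage and DOM access are shared too."""
    return f"https://{REHOST_HOST}/{quote(target, safe='')}"


def rehost_host_based(target: str) -> str:
    """Assumed mitigation (not stated on this page): encode the target host
    into its own subdomain of the service so each rehosted site gets a
    distinct browser origin. '-' is doubled before '.' becomes '-' so the
    mapping does not merge different hostnames into one label."""
    t = urlsplit(target)
    label = t.hostname.replace("-", "--").replace(".", "-")
    return f"https://{label}.{REHOST_HOST}{t.path or '/'}"


def origins_isolated(rehost, targets) -> bool:
    """True if every rehosted target lands on a different browser origin."""
    origins = {origin_of(rehost(t)) for t in targets}
    return len(origins) == len(targets)


if __name__ == "__main__":
    for scheme in (rehost_path_based, rehost_host_based):
        print(scheme.__name__, [origin_of(scheme(t)) for t in TARGETS],
              "isolated" if origins_isolated(scheme, TARGETS) else "SHARED ORIGIN")
```

Running it shows the path-based scheme yielding one shared origin for both targets, which is the condition the five attacks in the abstract build on, while the subdomain scheme yields two distinct origins.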

[Reasons for the award]

This paper describes the vulnerabilities of web rehosting services, which obtain content from other websites and rehost it on a single website of their own. The technical discussion shows how the same-origin policy (SOP), which restricts cross-origin access between origins that differ in scheme, hostname, or port number, can be bypassed in such services, and countermeasures are proposed. Twenty-one well-known real-world services were verified, and the confirmed vulnerabilities were reported to the service providers. The paper was selected for the Outstanding Paper Award because of its technically sound discussion and practical contribution to the safety of cyberspace.

Takuya Watanabe

Takuya Watanabe received B.E. and M.E. degrees in computer science and engineering, and a Ph.D. in engineering from Waseda University in 2014, 2016, and 2020, respectively. Since joining the Nippon Telegraph and Telephone Corporation (NTT) in 2016, he has been engaged in research on system security and privacy from the perspective of an attacker, particularly in web and mobile applications. He is currently with the Deloitte Tohmatsu Advanced Research Laboratory of Cyber Security.

Eitaro Shioji

Eitaro Shioji received his B.E. degree in Computer Science and M.E. degree in Communications and Integrated Systems from Tokyo Institute of Technology in 2008 and 2010, respectively. Since joining Nippon Telegraph and Telephone Corporation (NTT) in 2010, he has been engaged in research and development on cyber security. His research interests include systems and software security.

Mitsuaki Akiyama

Mitsuaki Akiyama received his M.E. and Ph.D. in engineering from Nara Institute of Science and Technology in 2007 and 2013. Since joining Nippon Telegraph and Telephone Corporation (NTT) in 2007, he has been engaged in research and development on cybersecurity. He is currently a Senior Distinguished Researcher at NTT Social Informatics Laboratories. He received the Cybersecurity Encouragement Award of the Minister for Internal Affairs and Communications in 2020 and IPSJ/IEEE Computer Society Young Computer Researcher Award in 2022. He is a senior member of IPSJ and a member of IEEE, SIGCHI, and IEICE.

Tatsuya Mori

Tatsuya Mori is currently a professor at Waseda University, where he has been a faculty member since 2013. He received his B.E. and M.E. degrees in applied physics and his Ph.D. in information science from Waseda University, in 1997, 1999, and 2005, respectively. He joined the NTT lab in 1999, where he has since been engaged in research on the measurement and analysis of networks and cybersecurity. From March 2007 to March 2008, he was a visiting researcher at the University of Wisconsin–Madison. He has received numerous Best Paper Awards, including those at NDSS 2020 and EuroUSEC 2021.