The Browser Hacker's Handbook
book

by Wade Alcorn, Christian Frichot, Michele Orru
March 2014
Intermediate to advanced
648 pages
16h 56m
English
Wiley
Content preview from The Browser Hacker's Handbook

CHAPTER 4

Bypassing the Same Origin Policy

The Same Origin Policy (SOP) is possibly the most important security control enforced on the web. Unfortunately, it is also one of the most inconsistently implemented specifications. If the SOP is broken, or bypassed, the central security model of the World Wide Web is also broken.

The intention of the SOP is to restrict interaction between interfaces of unrelated origins. The SOP dictates that if the origin http://browserhacker.com wants to access information from http://browservictim.com, it can't. Of course, depending on which browser is used, or which browser plugin is used, this is not always so simple.

Various SOP bypasses are analyzed in this chapter. Because the SOP is a very critical component in browser security, many of these bypasses will have been patched by the time you read this book. Still, there is a lot to research, and it's not unusual for a new bypass to be constructed by modifying a previous one.

When you employ an SOP bypass, it's often possible to use the hooked browser as an HTTP proxy to access origins different from the one initially hooked. Yes, it sounds weird, but you will see how this is actually possible in this chapter.

Understanding the Same Origin Policy

The SOP deems pages having the same hostname, scheme and port as residing in the same origin. If any of these three attributes differs, the resource is in a different origin. Hence, if provided resources come from the same hostname, scheme and port, they ...


ISBN: 9781118662090