SOP (Same Origin Policy): Security Protocol

SOP, or Same Origin Policy, is a restrictive browser policy that prevents a document or script loaded from one origin from obtaining access to sensitive data on a web page from another origin through that page's Document Object Model (DOM).

(The Document Object Model is an application programming interface for valid HTML and XML documents; it defines the logical structure of a document.)

Let's take an example to get a better understanding of SOP. You open your Facebook account in one tab and then open another web page in a different tab that contains JavaScript code attempting to read information from your Facebook page. That is the point where the Same Origin Policy kicks in: as soon as the attempt is made from a different origin, the policy blocks the interaction.

The origin of a web page is determined by its protocol (scheme), hostname and port number. The path of the page does not matter as long as these three match. Data stored in localStorage is also partitioned by origin under the SOP.

Let's take an example showing the different SOP results, based on the three components mentioned above, when each URL is compared with the origin of this page:

http://xyz/abc/cc.html

| URL | RESULT | EXPLANATION |
|---|---|---|
| http://xyz/pqr/cc.html | PASS | Path does not matter |
| http://www.xyz/abc/cc.html | FAIL | Different Domain |
| http://xyz:8081/pqr/cc.htm | FAIL | Different Port |
| ftp://xyz/pqr/cc.html | FAIL | Different Protocol |
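The Facebook-tab scenario and the table above both come down to one comparison: the browser reduces each URL to its origin (scheme, host, effective port) and allows DOM access only when the two origins are identical. The following script is an added example, not code from the original post; it computes that origin tuple with the standard URL parser, compares the table's URLs against the page origin http://xyz/abc/cc.html, and reports the reason for each FAIL. It also treats default ports (80 for http, 443 for https, 21 for ftp) as part of the origin, which is why `https://xyz/` and `https://xyz:443/` count as the same origin; the `DEFAULT_PORTS` map and the `checkAgainst` helper are this example's own names, not browser APIs.

```javascript
// Added example (not from the original post): compute a URL's origin the way the
// Same Origin Policy does (scheme + host + port, path ignored) and compare URLs.
// Uses the WHATWG URL class, which is a global in browsers and in Node.js.

// Default ports that the URL parser drops; restored here so that
// "https://xyz/" and "https://xyz:443/" compare as the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Return the origin tuple for a URL: scheme, host, and effective port.
// Path, query string and fragment are deliberately left out.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// The SOP test itself: both URLs must share scheme, host and port.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Classify a candidate URL against the page origin, naming the first
// component that differs (the same reasons the post's table uses).
function checkAgainst(pageUrl, candidateUrl) {
  const p = originOf(pageUrl);
  const c = originOf(candidateUrl);
  if (p.scheme !== c.scheme) return { result: "FAIL", reason: "Different Protocol" };
  if (p.host !== c.host) return { result: "FAIL", reason: "Different Domain" };
  if (p.port !== c.port) return { result: "FAIL", reason: "Different Port" };
  return { result: "PASS", reason: "Path does not matter" };
}

// Build the result rows for a page origin and a list of candidate URLs.
function sopTable(pageUrl, candidates) {
  return candidates.map((url) => ({ url, ...checkAgainst(pageUrl, url) }));
}

// Constructed sample input: the page origin and the four URLs from the post's table.
const PAGE = "http://xyz/abc/cc.html";
const CANDIDATES = [
  "http://xyz/pqr/cc.html",
  "http://www.xyz/abc/cc.html",
  "http://xyz:8081/pqr/cc.htm",
  "ftp://xyz/pqr/cc.html",
];

for (const row of sopTable(PAGE, CANDIDATES)) {
  console.log(`${row.url.padEnd(28)} ${row.result.padEnd(5)} ${row.reason}`);
}
```

Run it with `node sop-origin.js` (any filename works); each line prints the candidate URL, PASS or FAIL, and the component that caused the mismatch. The order of the checks in `checkAgainst` only affects which reason is reported when more than one component differs; the PASS/FAIL verdict is the same regardless.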

