Understanding Same Origin Policy (SOP) and Cookies: A Practical Lab Guide
In today’s interconnected web landscape, security measures like Same Origin Policy (SOP) and cookie management play pivotal roles in safeguarding user data and ensuring secure interactions between web applications. This lab guide provides hands-on exercises to explore these concepts effectively.
Lab Environment Setup
Participants access a Kali GUI instance with two distinct web applications:
- Same Origin Policy (SOP) Lab: accessible via http://sop.ine.local. Subdomains include sitea.sop.ine.local and siteb.sop.ine.local.
- Cookies Lab: accessible via http://cookies.ine.local. Subdomains include sitea.cookies.ine.local, child.sitea.cookies.ine.local, siteb.cookies.ine.local, and child.siteb.cookies.ine.local.
Tools Required
- Burp Suite: For intercepting and inspecting HTTP traffic.
- Nmap: For scanning open ports and services.
- Web Browser: To interact with and visualize web applications.
Objective
The lab aims to:
- Explore Same Origin Policy (SOP): Understand how SOP restricts interactions between web pages originating from different domains.
- Examine Cookies Handling: Learn about cookie properties, including domain, path, and security implications.
Same Origin Policy (SOP) Labs
Scenario 1: Change Child Frame Content
- Access http://sop.ine.local/change_child_frame_content.html.
- Understand how modifying content within iframes is restricted based on origin.
- Demonstrate SOP restrictions between different subdomains (sitea.sop.ine.local vs. siteb.sop.ine.local).
Scenario 2: Get / Set Child Frame Location
- Visit http://sop.ine.local/get_set_child_frame_location.html.
- Explore iframe location manipulation and the impact of SOP.
- Discuss exceptions where cross-origin location manipulation is permitted.
Scenario 3: Change Parent Content Window
- Navigate to http://sop.ine.local/change_parent_window_content.html.
- Experiment with modifying parent window content from child iframes.
- Compare results based on same-origin and cross-origin scenarios.
Scenario 4: Cross Origins and SOP
- Explore http://sop.ine.local/cross_origins_and_sop.html.
- Analyze cross-domain interactions after modifying document domains.
- Discuss implications of relaxing SOP using document.domain.
Cookies Labs
Scenario 1: Introduction to Cookies
- Access http://cookies.ine.local/cookies1.php.
- Log in with the provided credentials (admin / cookies).
- Use Burp Suite to intercept and examine session cookies.
- Discuss cookie attributes: domain, path, and secure flags.
Scenario 2: Cookie Handling Across Paths
- Navigate to http://cookies.ine.local/cookies2.php.
- Log in to set cookies and explore their behavior across different paths.
- Demonstrate how cookies are limited to their specified paths.
Scenario 3: Cookie Behavior Across Subdomains
- Visit http://sitea.cookies.ine.local/cookies3.php.
- Examine cookie behavior across subdomains (sitea.cookies.ine.local vs. child.sitea.cookies.ine.local).
- Highlight differences in cookie accessibility between domains and subdomains.
Scenario 4: Setting Cookies for Multiple Domains
- Access http://cookies.ine.local/cookies4.php.
- Investigate setting cookies for multiple domains (cookies.ine.local vs. sitea.cookies.ine.local).
- Analyze restrictions on cross-domain cookie sharing.
Scenario 5: Cookie Restrictions by Domain
- Explore http://cookies.ine.local/cookies5.php.
- Study limitations on setting cookies for specific domains (sitea.cookies.ine.local vs. siteb.cookies.ine.local).
- Discuss security implications of domain-specific cookie policies.
Scenario 6: Secure Cookie Transmission
- Visit http://sitea.cookies.ine.local/cookies6.php.
- Implement and verify secure cookie transmission practices.
- Review HTTP headers and cookie settings to ensure data security.
Conclusion
Through these comprehensive scenarios, participants gain practical insights into SOP and cookie management fundamentals. Understanding these concepts is critical for developing robust web applications and ensuring data integrity and security across domains.
By engaging with these labs, participants equip themselves with essential skills in web application security, laying a solid foundation for further exploration and advanced security practices.
Note: Blog based on publicly available information.