
I understand that SOP, the 'Same origin policy', is supposed to prevent script code with origin x from accessing data with origin y. Origin is said to be a tuple of protocol, domain and port.

This explains what SOP is and why it is important, but not so much how it helps in preventing XSS.

An attacker could craft a malicious link http://www.store.com/sale/products?id=<script>script stuff..</script> and make the user click on it. The vulnerable site would reflect the code back to the client's browser. If I'm understanding this right, SOP would prevent the JS code from accessing data in the client's browser that belongs to another origin (say, facebook.com) and stealing a session cookie.

Now, if the malicious code was coming from facebook.com, as it would in a stored XSS attack, would the SOP apply?

TL;DR: I guess my question is how the 'Same origin policy' prevents XSS attacks, and whether there are types of XSS it doesn't prevent. Also, how does SOP translate to cookie security, specifically the case when an attacker steals a user's session cookie and uses it to perform actions on the user's behalf?

monolith

1 Answer


how does the 'Same origin policy' prevent XSS attacks

It doesn't.

The SOP works when there is no XSS vulnerability.

It ensures that evil.com cannot read data with your authentication from e.g. facebook.com. This holds true as long as facebook.com doesn't introduce its own vulnerability which allows bypassing of the SOP.

And that is where XSS comes into play. It essentially allows bypassing of the SOP, because now an attacker can execute their script from the same origin as the application (e.g. facebook.com).

tim
  • Is the last point only in the case of stored XSS, where the site is already compromised? Or are there other ways of XSS-ing around SOP? – monolith Feb 02 '20 at 17:49
  • @wedran It doesn't really matter how the XSS payload is delivered (stored, reflected, etc.), in either case the issue is that an attacker can execute JavaScript in the target origin and thus access info in the name of other users. – tim Feb 02 '20 at 19:14
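The two halves of the answer above, as an added example that is not part of the original question or answer: first, what the SOP actually compares (the scheme/host/port tuple, with default ports normalized), and second, why a reflected parameter defeats it. The product-page handlers are hypothetical server-side code written for this illustration, using the question's own http://www.store.com/sale/products?id=... URL shape; the attacker payload is constructed here. It runs stand-alone under Node.js 18 or later.

```javascript
// Added example, not code from the original post. Assumes Node.js 18+
// (WHATWG URL class). The render functions are hypothetical server handlers.

// The SOP origin is the tuple (scheme, host, port). The URL parser drops a
// default port, so https://a.com and https://a.com:443 compare equal, while a
// different scheme or a non-default port yields a different origin.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Minimal HTML escaping for untrusted text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable (hypothetical) handler: reflects the id parameter unescaped.
// Whatever runs inside that <script> now executes in www.store.com's origin,
// so the SOP has nothing to stop: the script is first-party from the
// browser's point of view.
function renderProductPageVulnerable(requestUrl) {
  const id = new URL(requestUrl).searchParams.get('id') ?? '';
  return `<h1>Product ${id}</h1>`;
}

// Fixed handler: same page, attacker-controlled value escaped before output.
function renderProductPageSafe(requestUrl) {
  const id = new URL(requestUrl).searchParams.get('id') ?? '';
  return `<h1>Product ${escapeHtml(id)}</h1>`;
}

// Crude detector used only by this example: did a <script> element reach
// the rendered HTML? (Real XSS testing needs a proper HTML parser.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker link in the shape the question describes.
const attackerUrl =
  'http://www.store.com/sale/products?id=<script>alert(document.cookie)</script>';

console.log(isSameOrigin('https://facebook.com/', 'https://evil.example/'));     // false
console.log(isSameOrigin('https://facebook.com/', 'https://facebook.com:443/x')); // true
console.log(containsScriptTag(renderProductPageVulnerable(attackerUrl)));        // true
console.log(containsScriptTag(renderProductPageSafe(attackerUrl)));              // false
```

The point the answer makes is visible in the two render functions: the SOP check in isSameOrigin never runs against the injected script, because the browser sees it as part of the www.store.com document itself. The only fix is on the application side (here, escaping the reflected value), which is also why stored and reflected XSS are equivalent as far as the SOP is concerned.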