Course 38 - Web Security Known Web Attacks | Episode 5: SOP Fundamentals and SOME Attack Exploitation via Flash Callbacks
In this lesson, you’ll learn about: Same Origin Policy (SOP), its controlled exceptions, and how attackers exploit it using SOME via Flash callbacks1. What is the Same Origin Policy (SOP)🔹 Definition:
A core browser security rule that restricts how documents interact
🔹 Enforced in:
Web Browsers
🔹 Rule: Two URLs can interact only if all match:
Protocol (HTTP / HTTPS)
Host (domain)
Port
👉 Key Insight SOP prevents unauthorized access between different websites2. Why SOP Exists🔹 Purpose:
Protect user data (cookies, sessions, DOM)
🔹 Without SOP:
Any site could read or modify another site
👉 Key Insight SOP is the foundation of web security isolation3. Soft Exclusions to SOP🔹 Allowed interactions:
embedding
postMessage API
🔹 Why they exist:
Enable cross-origin communication safely
👉 Key Insight SOP is strict—but not absolute4. Introducing SOME (Same Origin Method Execution)🔹 Definition:
A technique to execute methods across windows using references
🔹 Related concept:
Reverse clickjacking
👉 Key Insight SOME doesn’t break SOP—it works around it5. Role of Flash in SOME Attacks🔹 Technology involved:
Adobe Flash Player
🔹 Bridge:
ActionScript ↔ JavaScript
🔹 Key function:
ExternalInterface.call()
👉 Key Insight Flash acts as a bridge to execute JS indirectly6. How Flash Callbacks Become Vulnerable🔹 Weakness:
Course 38 - Web Security Known Web Attacks | Episode 5: SOP Fundamentals and SOME Attack Exploitation via Flash Callbacks
In this lesson, you’ll learn about: Same Origin Policy (SOP), its controlled exceptions, and how attackers exploit it using SOME via Flash callbacks1. What is the Same Origin Policy (SOP)🔹 Definition:
A core browser security rule that restricts how documents interact
🔹 Enforced in:
Web Browsers
🔹 Rule: Two URLs can interact only if all match:
Protocol (HTTP / HTTPS)
Host (domain)
Port
👉 Key Insight SOP prevents unauthorized access between different websites2. Why SOP Exists🔹 Purpose:
Protect user data (cookies, sessions, DOM)
🔹 Without SOP:
Any site could read or modify another site
👉 Key Insight SOP is the foundation of web security isolation3. Soft Exclusions to SOP🔹 Allowed interactions:
embedding
postMessage API
🔹 Why they exist:
Enable cross-origin communication safely
👉 Key Insight SOP is strict—but not absolute4. Introducing SOME (Same Origin Method Execution)🔹 Definition:
A technique to execute methods across windows using references
🔹 Related concept:
Reverse clickjacking
👉 Key Insight SOME doesn’t break SOP—it works around it5. Role of Flash in SOME Attacks🔹 Technology involved:
Adobe Flash Player
🔹 Bridge:
ActionScript ↔ JavaScript
🔹 Key function:
ExternalInterface.call()
👉 Key Insight Flash acts as a bridge to execute JS indirectly6. How Flash Callbacks Become Vulnerable🔹 Weakness: