Ray "Vanhalen" Kelly has written a post describing the security mechanisms used by Google+, as well as compares them to facebook. In particular he reviews each HTTP protection header and provides a good explanation of the purpose of each protection. Link: https://www.barracudanetworks.com/blogs/labsblog?bid=1743
Ivan Ristic (of modsecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse ssl in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security....
Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx
While thinking about some of the transparent proxy problems I came up with a fairly reliable way to detect caching proxies. Caching proxies can be either explicit or transparent, but are typically used in a transparent mode by an ISP to cut down on upstream bandwidth. A side effect (and benefit :)...
Chris Evans has posted an interesting bug in IE involving using JavaScript's window.onerror to leak cross domain data. From his blog "The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror...
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks . When I first started...
Artur Janc and Lukasz Olejnik have published a whitepaper outlining CSS history techniques along with results of what they found from real world users. From the whitepaper"Browser history detection through the Cascading Style Sheets visited pseudoclass has long been known to the academic security community and browser vendors, but has been largely...
Mozilla has released a tool that identifies which browser plugins you have installed, identifies if it is vulnerable, and provides you with links to get the updates. Very handy! Browser Plugin Check: https://www.mozilla.com/en-US/plugincheck/
Sacha Faust has published an IIS http module for the Strict Transport Security protocol. From his blog "I’ve been tackling the problem of users connecting to online services from untrusted network. At work we typically call this the “Startbucks” scenario where a user is connecting to a random wifi and accessing corporate...
About a year ago I discovered this by accident and hadn't seen it published anywhere so thought it was worth mentioning. If you enter the following into the firefox URL bar it will follow them to www.cnn.com. [http://www.cnn.com] [http://]www.cnn.com [http://www].cnn.com Etc... You can also substitute [] for {} or " and it...
From computerworld "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. The new feature, which Mozilla dubbed "component directory lockdown," will bar access to Firefox's "components" directory, where most of the browser's own code is stored. The company...
Fellow coworker Jeff Hodges has announced the formal specification draft for Strict Transport Security. STS is a new proposed protocol for allowing a website to instruct returning visitors to never visit the site on http, and to only visit the site over https and is entirely opt in. This can prevent MITM...
"The 4.0.207.0 release uses a reflective XSS filter that checks each script before it executes to check if the script appears in the request that generated the page. Should it find a match, the script will be blocked. According to Chromium developer Adam Barth, the developers plan to post an academic paper...
"The exploit portal Milw0rm has published an exploit for Firefox 3.5. The exploit demonstrates a security vulnerability by starting the Windows calculator. In testing by heise Security, the exploit crashed Firefox under Vista, but security service providers Secunia and VUPEN confirmed that attackers using prepared websites can infect PCs. The cause of...
"Google Chrome 2.0.172.33 has been released to the Stable and Beta channels. This release fixes a critical security issue and two other networking bugs. CVE-2009-2121: Buffer overflow processing HTTP responsesGoogle Chrome is vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially crafted response from a server could...
An article on security in Google's Chrome browser has been published. "The Web has become one of the primary ways people interact with their computers, connecting people with a diverse landscape of content, services, and applications. Users can find new and interesting content on the Web easily, but this presents a security...
Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage, and cross...
Microsoft research has published an excellent paper describing many browser flaws. The use case primary involves an attacker hijacking the explicitly configured proxy used by the user and via HTTP code trickery they can access the content on an HTTPS established connection. It also outlines browser flaws involving caching of SSL certs...
"Apple released an update to its Leopard operating system yesterday that comes loaded with a host of security and bug fixes as well as added hardware support. The Cupertino-based firm said OS X 10.5.7 patches several security loopholes related to PHP, CoreGraphics, Apache Web server and the company’s browser Safari. Three separate...
CVE-2009-1441: Input validation error in the browser process. A failure to properly validate input from a renderer (tab) process could allow an attacker to crash the browser and possibly run arbitrary code with the privileges of the logged on user. To exploit this vulnerability, an attacker would need to be able to...
"During unrelated research, I came across a number of security issues that reside in various parts of Google's web browser - Google Chrome. These issues pose a major threat to any user that browses a maliciously crafted page using Internet Explorer and has Google Chrome installed alongside. Using a vulnerability in the...
Gareth Heyes wrote a nice blog entry on JavaScript hacks: "I love to use JavaScript in unexpected ways, to create code that looks like it shouldn't work but does, or produces some unexpected behavior. This may sound trivial, but the results I've found lead to some very useful techniques. Each of the...
MFSA 2009-22 Firefox allows Refresh header to redirect to javascript: URIs MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame MFSA 2009-20 Malicious search plugins can inject code into arbitrary sites MFSA 2009-19 Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString MFSA 2009-18 XSS hazard using third-party stylesheets...
"Security researcher Charlie Miller held onto a vulnerability for an entire year, before using it on Wednesday to win $5,000 and an Apple laptop at the Pwn2Own contest here at the CanSecWest conference. Miller — a principal analyst at Independent Security Evaluators — found two flaws in Apple's Safari Web browser more...
"Mozilla Corp. today patched eight security vulnerabilities in Firefox, half of them critical memory corruption flaws in the browser's layout and JavaScript engines. Firefox 3.0.7, the second security update this year to the open-source browser, fixes about the same number of bugs that Mozilla patched a month ago. Of the eight vulnerabilities,...
From Opera's changelog Fixed an issue where specially crafted JPEG images ccould be used to execute arbitrary code, as reported by Tavis Ormandy of the Google Security Team; see our advisory Fixed an issue where plug-ins could be used to allow cross domain scripting, as reported by Adam Barth; details will be...
"Ensuring that the browser is up to date can help minimize security risks, but perhaps the most interesting feature of Firefox from a security perspective is the possibility of enhancing the browser's security with the addition of browser extensions or add-ons. Of course any add-ons risks adding new vulnerabilities, but if they...
"Apple announced on Tuesday the public availability of its next browser, Safari 4, seemingly adding a host of new security features to the program along with speedier Javascript processing and additional eye candy, such as cover flow. The security features are not new, however. The company quietly added anti-malware and phishing protection,...
I was reading slashdot and saw that Microsoft has released a paper outlining a new secure browser architecture. From the abstract "Web browsers originated as applications that people used to view static web sites sequentially. As web sites evolved into dynamic web applications composing content from various web sites, browsers have become...
Fixed in Firefox 3.0.6 MFSA 2009-06 Directives to not cache pages ignored MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies MFSA 2009-04 Chrome privilege escalation via local .desktop files MFSA 2009-03 Local file stealing with SessionStore MFSA 2009-02 XSS using a chrome XBL method and window.eval MFSA 2009-01 Crashes with evidence of memory...
"Microsoft has introduced a release client version of its latest browser, Internet Explorer 8 (IE8), and the new iteration of the application includes several security improvements, including a noteworthy attempt to address the emerging problem of clickjacking attacks. For those who don't recall, clickjacking is a relatively new technique -- first detailed...
In 2006 I gave a talk at blackhat on the risks of RSS vulnerabilities. It appears Safari has a flaw in its RSS reader as outlined by Brian Mastenbrook. "The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I...
Google has added a HTTPS browsing feature to chrome. From the changelog "A new HTTPS-only browsing mode. Add --force-https to your Google Chrome shortcut, and it will only load HTTPS sites. Sites with SSL certificate errors will not load. " Release Notes 2.0.156.1 http://dev.chromium.org/getting-involved/dev-channel/release-notes/releasenotes201561 Very cool.
MFSA 2008-60 - Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) MFSA 2008-61 Information stealing via loadBindingDocument MFSA 2008-64 XMLHttpRequest 302 response disclosure MFSA 2008-65 Cross-domain data theft via script redirect error message| MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters MFSA 2008-67 Escaped null characters ignored by CSS parser...
"Once again confirming the trend of having more legitimate sites serving exploits and malware than purely malicious ones, Chinese hackers have been keeping themselves busy during the last couple of days, launching massive SQL injection attacks affecting over 100,000 web sites. The SQL injection attacks serving the just patched Internet Explorer XML...
"Mozilla has told Firefox users that it will no longer be updating version 2 of the browser and they should upgrade to version 3 right away. The warning came alongside a security update patching ten problems, four of them critical. The critical problems involve cross-site scripting. That’s a serious concern as it...
"Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild. Redmond issued advanced notice for tomorrow's fix, describing the out-of-cycle patch as protection from "remote code execution." Unscheduled updates are pretty rare for Microsoft, stressing the potentially serious...
"Mozilla has rushed out updates to plug a few critical holes in versions 2 and 3 of its popular open source Firefox browser. Firefox 3.0.5 fixes three critical security flaws in the browser, while 2.0.0.19 stitches four critical vulns. Mozilla said that XSS vulnerabilities in SessionStore, XSS and so-called JavaScript “privilege escalation”...
"Opera pushed out an update to its popular web browser on Tuesday that fixes vulnerabilities it described as "extremely severe". The update fixes seven security bugs, some of which were previously known. Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text inputing, respectively....
"Google's new web browser may be fast and slim, but the password management features it offers are full of bugs. Chapin Information Services (CIS) reported critical vulnerabilities in this software during its beta period, all of which were unfixed at release time. Among the problems are three in particular that, when combined,...
Rafel Ivgi has published an extensive list of IE8 XSS filter evasions. "Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting(XSS) filter. This version also includes a new object that safely...
Michal Zalewski from google has published an an extremely in depth guide describing the various behavioral differences between the major browsers. "I am happy to announce the availability of our "Browser Security Handbook" - a comprehensive, 60-page document meant to provide web application developers and information security researchers with a one-stop reference...
An article over at macworld discusses the anti phishing features in the new safari. "The release of Safari 3.2 on November 13 displayed Apple’s penchant for cryptic release notes, as the company describes all three versions as featuring “protection from fraudulent phishing Web sites.” Let's decode that for you: Safari 3.2 offers...
A handful of security vulnerabilities have been fixed in the latest version of firefox. Fixed in Firefox 3.0.4 MFSA 2008-58 Parsing error in E4X default namespace MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation MFSA 2008-55 Crash and remote code execution in nsFrameManager MFSA 2008-54...
Firefox 3.0.2 has been released which addresses the following security flaws. MFSA 2008-44 resource: traversal vulnerabilities MFSA 2008-43 BOM characters stripped from JavaScript before execution MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution MFSA 2008-40 Forced mouse drag Read more at : http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.2
"Mozilla's security chief said Apple should disclose more information about the steps it takes to protect customers from malware and other computer-born threats. At a security conference on Monday, Window Snyder said open communication about recently reported vulnerabilities and ongoing processes for locking down products is a core responsibility of security departments...
"Users should wait to use Google Chrome after its vulnerabilities were exposed. Randy Abrams, director of Technical Education at ESET, claimed that as vulnerable code was used users should only use Chrome when they are not viewing sensitive pages. He claimed that the oversight by Google is indicative of either a lack...
"I happened to install Google Chrome (Alpha) the same day I installed Internet Explorer 8 (Beta). I noticed immediately, as I'm sure many of you have, that both browsers isolate tabs in different processes. Unix folks have known about the flexibility of forking a process forever. In Unix, fork() is just about...
UPDATED: Yet another issue is discovered, this time a DOS. UPDATED: 3 hours later a vulnerability has been published. Google has just released an open sourced browser based on Apple's Webkit. I'm guessing it will be less than 48 hours before the first vulnerability is discovered. Since Safari uses Webkit it will...
Firefox 2.0.0.15 was released addressing the following security issues. MFSA 2008-33 Crash and remote code execution in block reflow MFSA 2008-32 Remote site run as local file via Windows URL shortcut MFSA 2008-31 Peer-trusted certs can use alt names to spoof MFSA 2008-30 File location URL in directory listings not escaped properly...
Microsoft has posted a very extensive article outling the security improvements to IE8. Improvements have been made to the following area's. - Cross-Site-Scripting Defenses - Safer Mashups (HTML and JSON Sanitization) - MIME-Handling Changes (Restrict Upsniff and Sniffing Opt-Out) - Add-on Security - Protected Mode - Application Protocol Prompt - File Upload...
"Mozilla released its latest browser, Firefox 3.0, this week. SecurityFocus contributor Federico Biancuzzi tracked down two key members of Mozilla's security team, Window Snyder and Johnathan Nightingale, to learn more about the security features included in this major release. They discussed the protection against phishing and the new malware protection, the new...
Firefox3 has been released. This release improves memory management, speed, and has introduced a number of new security features. Download Link: http://www.firefox.com
"Most of todays tools for fingerprinting are focusing on server-side services. Well-known and widely-accepted implementations of such utilities are available for http web services, smtp mail server, ftp servers and even telnet daemons. Of course, many attack scenarios are focusing on server-side attacks. Client-based attacks, especially targeting web clients, are becoming more...
"Microsoft unveiled two security features that will debut in the next version of its browser, Internet Explorer 8: the Safety Filter, which warns users of potentially malicious Web activity, and domain highlighting, which uses bold text to highlight the real domain of any Web site. The software giant stressed that the features...
"Mozilla chief evangelist Mike Shaver says the latest Firefox information leakage bug warning is exaggerated. Published reports of an information leakage vulnerability affecting fully patched versions of the open-source Firefox browser have been greatly exaggerated, according to Mozilla chief evangelist Mike Shaver. Shaver's sharp retort follows the release of an advisory by...
It is with great sadness that I post news stating that Netscape will receive no more updates after February 1, 2008. I've been a long netscape user (since 1995). "AOL has a long history on the internet, being one of the first companies to really get people online. Throughout its lifetime, it...
Romain Gaucher writes "The Web Application Security Consortium is pleased to announce the first results of the Script Mapping project! At this stage in the project we were able to cover most of the test cases for Internet Explorer 7, Firefox 2 and Safari 3. The results can be found on the...
"The Mozilla Foundation released on Monday a beta version of the group's latest open-source Firefox browser, rewriting parts of the code and enhancing security. Firefox 3 Beta 1 adds anti-malware features to the browser, using a similar mechanism as the anti-phishing feature in Firefox 2, harnessing a Google-generated blacklist of sites that...
UPDATE Before reading on any further I want to prefix that the purpose of this post is to begin a discussion on the ways a website can communicate to a browser to instruct it of what its behavior should be on that site. The example below is a "sample implementation" and isn't...
"I wrote about three of my favorite Firefox extensions that help me stay safe when I'm browsing the darker areas of the Web and incoming email. Today, let's look at three other extensions: Those that can turn Firefox into a feature-filled, Web-hacking weapon. These extensions aren't required to use Firefox for hacking...
An interesting presentation was posted on the future of firefox, javascript, and the web worth checking out (click through the slides). "I just finished giving a presentation at the Future of Web Apps conference, here in London. Thanks to everyone who attended - I hope I didn’t sound too sleep deprived! In...
"Couple of days ago one of our readers, Daniel Kluge, pointed us to a web page with some heavily obfuscated JavaScript code. The operation was typical and consisted of a compromised site that had an obfuscated iframe which pointed to the final web site serving various exploits. The obfuscation of the iframe...
"Mozilla has been using an open-source application security testing tool, known as a fuzzer, for JavaScript to detect and fix dozens of security bugs in Firefox, Mozilla director of ecosystem development Window Snyder said Thursday at the Black Hat USA 2007 conference in Las Vegas. The JavaScript fuzzer found 280 bugs in...
Larholm writes "First they came for Safari, but no one complained because it was beta. Then they came for Internet Explorer, but no one cared because that was to be expected. Finally they came for Mozilla, but there was no one left to speak out." Article Link: http://larholm.com/2007/07/25/mozilla-protocol-abuse/
"The Mozilla Foundation acknowledged over the weekend that its own Firefox browser allows links that can send malicious code to external programs, a security issue that the group had previously argued should be fixed by the browser maker. In early July, three researchers found a way to execute code in Firefox -...
"Security problems with Microsoft's dominant Internet Explorer browser helped pave the way for Mozilla Firefox to emerge as an alternative for Web surfers. However, Firefox users should be aware that hackers can exploit software flaws and design features to launch attacks. The following configuration changes, recommended by CERT/CC, can disable various features...
"Markellos Diorinos from the IE team at Microsoft introduces the new security features in IE 7 and speaks about extended validation SSL certificates. He also covers the Certification Authority Browser Forum whose members apart from Microsoft include also the Mozilla Foundation, Opera Software and KDE." Article Link: http://www.net-security.org/article.php?id=1003
"The last few years have seen a constant rise in vulnerabilities like cross-site scripting (XSS), HTTP response splitting, and cross-site request forgery (XSRF or CSRF). While the vectors and exploit of each of these vulnerability classes vary, they all have one common thread. Each of these vulnerabilities exploits trust shared between a...
"AJAX and interactive web services form the backbone of “web 2.0” applications. This technological transformation brings about new challenges for security professionals. This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning...
IE7 has finally been released but according to Secunia a vulnerability has already been published. They also provide a test that can be performed to see if you're vulnerable. Article Link: http://www.theregister.co.uk/2006/10/19/ie7_release/ Advisory Link: http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/ Download IE7: http://www.microsoft.com/windows/ie/default.mspx
"A public claim by hackers that Mozilla's Firefox browser is vulnerable to multiple code execution vulnerabilities may be an overblown hoax. On the heels of a ToorCon presentation where two security researchers—Mischa Spiegelmock and Andrew Wbeelsoi—warned that Firefox's implementation of JavaScript was badly flawed and could allow PC takeover attacks, Mozilla's engineers...
A great article at ZDNet explaining how Vista + IE7 stopped the latest IE 0day from exploiting the machine. "The initial security warnings are hardly perfect. I've seen similar ActiveX opt-in dialog boxes for other built-in ActiveX components. How is an unsuspecting user supposed to know which one is safe and which...
"This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen...
"Of the eight most serious fixes, two affect Internet Explorer, one for JScript within Internet Explorer, one in Windows Media Player, two in Windows, one in Word, and another in PowerPoint. The patch for Word fixes a highly-publicized zero-day exploit that has already been used in several cyber attacks. The vulnerability can...
"But protecting the naïve user from the malicious attacker can mean the blameless developer loses a feature they were relying on. Vista Beta 2 secures what's just been renamed Internet Explorer 7+ by running it in a new protected mode, which restricts the changes IE can make to the registry and the...
Georgi Guninski has found that the opera browser is vulnerable to multiple Javascript holes. These holes could allow an attacker to gain further privileges. Opera Browser problems
