Security Vulnerability Research & Defense blog

My team now has a blog! I’ll be contributing to the team blog in the future.  But don’t worry — my personal blog (this one) isn’t going away!


The standard IFRAME-based isolation technique for web apps is starting to show its age.  We need something better! Microsoft Research has posted a new paper scheduled to appear at SOSP ’07: Protection and Communication Abstractions for Web Browsers in MashupOS. RSnake also has an interesting post on this topic.

An innovative new defense against cross-domain vulnerabilities

Cross-domain (or “Universal XSS”) vulnerabilities have long plagued modern script-enabled web browsers.  Shuo Chen of Microsoft Research has developed a new type of defense against these vulnerabilities.  A paper on this new approach has been accepted to the 14th ACM Conference on Computer and Communications Security (CCS). An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent…


Pinning / Rebinding / Quick-Swap DNS Links

A group at Stanford has been researching these issues and recently published Protecting Browsers from DNS Rebinding Attacks. Also, Dan Kaminsky has published his slides from Blackhat 2007, Black Ops 2007: Design Reviewing The Web.

Notes on DNS Pinning

Christian Matthies has an excellent writeup on DNS Pinning (with diagrams!).  If you’re tuned into web app security you’ve probably noticed a lot of discussion around Anti DNS Pinning a.k.a. DNS Rebinding a.k.a. Quick-Swap DNS lately.  You’re likely to see a lot more such discussion after this year’s Blackhat/Defcon given that there are a number…


Inspect Your Gadget

Michael Howard and I have written up some guidance on how to develop secure Vista Sidebar Gadgets: Inspect Your Gadget