Creating XSS

I’ve seen MS10-002 pop up a few times in discussion recently.  This is a reference to the legendary issue that David Lindsay and Eduardo Vela Nava discovered, where neutering for a given heuristic actually enabled XSS, assuming attacker control of data inside a properly quoted HTML attribute.  I’d like to share some detail about the tools the XSS Filter has…


XSS Filter Tech: Later is Better?

Arcane design decisions can have subtle but important effects on the characteristics of a security mitigation.  Consider how client-side XSS filtering might examine a given HTTP response for evidence of a reflected attack.  Is it more sensible to examine the response before or after that response is processed in the browser? An easy answer might…


Enforcing Standards Mode with X-FRAME-OPTIONS

Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface Reduction in the browser.  But it’s necessary to prevent framing as a prerequisite to enforced Standards Mode. Putting this into practice is pretty simple.  First, you’ll need a Standards Mode DOCTYPE and document compatibility header on your web content, e.g.: <!DOCTYPE…


Fuzzing for Design Bugs?

Have you ever heard someone ask “Do we need to fuzz this?” This question comes up quite a bit in the context of reactive security work.  There are basically two traditional answers:

Yes. When you’re attempting to find variants of something like a memory corruption bug, fuzzing is your best friend.  It’s a no-brainer.

No.  Er,…


Happy 10th birthday Cross-Site Scripting!

On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers:

Unauthorized Site Scripting
Unofficial Site Scripting
URL Parameter Script Insertion
Cross Site Scripting
Synthesized Scripting
Fraudulent Scripting

The next day there was consensus – Cross Site Scripting.  In retrospect, I think this was a good choice given the…


Thoughts on Legacy Character Sets

One of the things I have taken from the IE XSS Filter project is a healthy fear of legacy character sets.  If you’ve followed Chris Weber, Scott Stender, or Yosuke Hasegawa’s work, you know that even Unicode is…  interesting.  But at least in the Unicode world there are standards and evolving best practices dictating how…


Good Bug

Credit goes to Alex “Kuza55” Kouzemtchenko for identifying a weakness in the XSS Filter OBJECT tag heuristic.  The original heuristic failed to properly sanitize OBJECT tags with the DATA attribute set.  Alex found that it is possible to use the DATA attribute to instantiate the PDF handler, then reference content to be loaded using a PARAM element. …


New webappsec tools

Chris Weber’s Watcher: Watcher plugs into the Fiddler HTTP proxy and monitors for all sorts of web app vulns, from the common to the obscure.

Gareth Heyes’ XSS Rays: XSS Rays runs in the browser as a bookmarklet and scans for XSS on demand.


XSS Filter Improvements in IE8 RC1

I’ve just posted detail up on the SVRD Blog about some improvements and bug fixes to the XSS Filter feature in IE8 RC1.


Video Roundup (Martin Johns and more!)

Recently I got Martin Johns connected with Helen Wang’s group in Microsoft Research.  Check out Martin’s excellent talk @MSR, Secure Code Generation for Web Applications. Here are a few other gems I discovered on

Techniques and Tools for Engineering Secure Web Applications, Gary Wassermann, 3/13/2008
Improving Software Security with Precise Static and Runtime Analysis, Benjamin Livshits, 6/26/2006…