Hyperlink Spoofing and the Modern Web

Over the past six months or so I’ve been looking at hyperlink spoofing threats as a bit of a part-time project.  I’ve primarily been interested in how the design of social networking platforms impacts the ability of their users to make good trust decisions regarding hyperlinks.  The interaction between social networking services and short-link services…


Creating XSS

I’ve seen MS10-002 pop up a few times in discussion recently.  This is a reference to the legendary issue that David Lindsay and Eduardo Vela Nava discovered, where neutering for a given heuristic actually enabled XSS, assuming attacker control of data inside a properly quoted HTML attribute.  I’d like to share some detail about the tools the XSS Filter has…


XSS Filter Tech: Later is Better?

Arcane design decisions can have subtle but important effects on the characteristics of a security mitigation.  Consider how client-side XSS filtering might examine a given HTTP response for evidence of a reflected attack.  Is it more sensible to examine the response before or after that response is processed in the browser? An easy answer might…


Enforcing Standards Mode with X-FRAME-OPTIONS

Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface Reduction in the browser.  But it’s necessary to prevent framing as a prerequisite to enforced Standards Mode. Putting this into practice is pretty simple.  First, you’ll need a Standards Mode DOCTYPE and document compatibility header on your web content, e.g.: <!DOCTYPE…


Fuzzing for Design Bugs?

Have you ever heard someone ask “Do we need to fuzz this?” This question comes up quite a bit in the context of reactive security work.  There are basically two traditional answers: Yes. When you’re attempting to find variants of something like a memory corruption bug, fuzzing is your best friend.  It’s a no-brainer. No.  Er,…


Happy 10th birthday Cross-Site Scripting!

On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers: Unauthorized Site Scripting, Unofficial Site Scripting, URL Parameter Script Insertion, Cross Site Scripting, Synthesized Scripting, Fraudulent Scripting. The next day there was consensus – Cross Site Scripting.  In retrospect, I think this was a good choice given the…


Current Thoughts on DNS Rebinding

RSnake and Dan Kaminsky have been talking about session fixation via DNS Rebinding.  As you may recall, an attacker can’t abuse your Foo.com cookies in a rebinding attack, though they can walk your browser around Foo.com content and control the session.  The gist of what these guys are talking about is how the attacker can…


Thoughts on Legacy Character Sets

One of the things I have taken from the IE XSS Filter project is a healthy fear of legacy character sets.  If you’ve followed Chris Weber, Scott Stender, or Yosuke Hasegawa’s work, you know that even Unicode is…  interesting.  But at least in the Unicode world there are standards and evolving best practices dictating how…


Good Bug

Credit goes to Alex “Kuza55” Kouzemtchenko for identifying a weakness in the XSS Filter OBJECT tag heuristic.  The original heuristic failed to properly sanitize OBJECT tags with the DATA attribute set.  Alex found that it is possible to use the DATA attribute to instantiate the PDF handler, then reference content to be loaded using a PARAM element. …


The MSHTML (Trident) Host Security FAQ

I’ve posted a two-part FAQ addressing security considerations for apps that host MSHTML.  Check it out over at the SRD blog!
The MSHTML Host Security FAQ: Part I of II
The MSHTML Host Security FAQ: Part II of II