Hyperlink Spoofing and the Modern Web

Over the past six months or so I’ve been looking at hyperlink spoofing threats as a bit of a part-time project.  I’ve primarily been interested in how the design of social networking platforms impacts the ability of their users to make good trust decisions regarding hyperlinks.  The interaction between social networking services and short-link services…


Creating XSS

I’ve seen MS10-002 pop up a few times in discussion recently.  This is a reference to the legendary issue that David Lindsay and Eduardo Vela Nava discovered, where neutering for a given heuristic actually enabled XSS, assuming attacker control of data inside a properly quoted HTML attribute.  I’d like to share some detail about the tools the XSS Filter has…


XSS Filter Tech: Later is Better?

Arcane design decisions can have subtle but important effects on the characteristics of a security mitigation.  Consider how client-side XSS filtering might examine a given HTTP response for evidence of a reflected attack.  Is it more sensible to examine the response before or after that response is processed in the browser? An easy answer might…


Enforcing Standards Mode with X-FRAME-OPTIONS

Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface Reduction in the browser.  But it’s necessary to prevent framing as a prerequisite to enforced Standards Mode. Putting this into practice is pretty simple.  First, you’ll need a Standards Mode DOCTYPE and document compatibility header on your web content, eg: <!DOCTYPE…


Fuzzing for Design Bugs?

Have you ever heard someone ask “Do we need to fuzz this?” This question comes up quite a bit in the context of reactive security work.  There are basically two traditional answers: Yes. When you’re attempting to find variants of something like a memory corruption bug, fuzzing is your best friend.  It’s a no-brainer. No.  Er,…


Happy 10th birthday Cross-Site Scripting!

On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers: Unauthorized Site Scripting, Unofficial Site Scripting, URL Parameter Script Insertion, Cross Site Scripting, Synthesized Scripting, Fraudulent Scripting. The next day there was consensus – Cross Site Scripting.  In retrospect, I think this was a good choice given the…


Current Thoughts on DNS Rebinding

RSnake and Dan Kaminsky have been talking about session fixation via DNS Rebinding.  As you may recall, an attacker can’t abuse your Foo.com cookies in a rebinding attack, though they can walk your browser around Foo.com content and control the session.  The gist of what these guys are talking about is how the attacker can…


Thoughts on Legacy Character Sets

One of the things I have taken from the IE XSS Filter project is a healthy fear of legacy character sets.  If you’ve followed Chris Weber, Scott Stender, or Yosuke Hasegawa’s work, you know that even Unicode is…  interesting.  But at least in the Unicode world there are standards and evolving best practices dictating how…


New webappsec tools

Chris Weber’s Watcher: http://www.lookout.net/2009/03/20/watcher-security-tool-a-free-web-app-security-testing-and-compliance-auditing-tool/ Watcher plugs into the Fiddler HTTP proxy and monitors for all sorts of web app vulns, from the common to the obscure.

Gareth Heyes’ XSS Rays: http://www.thespanner.co.uk/2009/03/25/xss-rays/ XSS Rays runs in the browser as a bookmarklet and scans for XSS on demand.


XSS Filter Improvements in IE8 RC1

I’ve just posted detail up on the SVRD Blog about some improvements and bug fixes to the XSS Filter feature in IE8 RC1.
