random dross

Web security and beyond...

Tagged Content List
  • Blog Post: Hyperlink Spoofing and the Modern Web

    Over the past six months or so I’ve been looking at hyperlink spoofing threats as a bit of a part-time project. I’ve primarily been interested in how the design of social networking platforms impacts the ability of their users to make good trust decisions regarding hyperlinks. The interaction...
  • Blog Post: Creating XSS

    I’ve seen MS10-002 pop up a few times in discussion recently. This is a reference to the legendary issue that David Lindsay and Eduardo Vela Nava discovered, where neutering for a given heuristic actually enabled XSS, assuming attacker control of data inside a properly quoted HTML attribute. I...
  • Blog Post: XSS Filter Tech: Later is Better?

    Arcane design decisions can have subtle but important effects on the characteristics of a security mitigation. Consider how client-side XSS filtering might examine a given HTTP response for evidence of a reflected attack. Is it more sensible to examine the response before or after that response is processed...
  • Blog Post: Enforcing Standards Mode with X-FRAME-OPTIONS

    Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface Reduction in the browser. But it’s necessary to prevent framing as a prerequisite to enforced Standards Mode. Putting this into practice is pretty simple. First, you’ll need a Standards Mode...
  • Blog Post: Good Bug

    Credit goes to Alex "Kuza55" Kouzemtchenko for identifying a weakness in the XSS Filter OBJECT tag heuristic. The original heuristic failed to properly sanitize OBJECT tags with the DATA attribute set. Alex found that it is possible to use the DATA attribute to instantiate the PDF handler, then reference...
  • Blog Post: The MSHTML (Trident) Host Security FAQ

    I've posted a two-part FAQ addressing security considerations for apps that host MSHTML. Check it out over at the SRD blog! The MSHTML Host Security FAQ: Part I of II; The MSHTML Host Security FAQ: Part II of II.
  • Blog Post: New webappsec tools

    Chris Weber's Watcher: http://www.lookout.net/2009/03/20/watcher-security-tool-a-free-web-app-security-testing-and-compliance-auditing-tool/ Watcher plugs into the Fiddler HTTP proxy and monitors for all sorts of web app vulns, from the common to the obscure. Gareth Heyes' XSS Rays: http://www.thespanner...
  • Blog Post: IE8 is here!

    http://www.microsoft.com/ie What are you waiting for? Go get it!
  • Blog Post: XSS Filter Improvements in IE8 RC1

    I've just posted detail up on the SVRD Blog about some improvements and bug fixes to the XSS Filter feature in IE8 RC1.
  • Blog Post: IE8 Beta 2

    If you haven’t already seen, Internet Explorer 8 Beta 2 is out – go get it! Now is a good time to thank everyone who helped make the IE8 XSS Filter a reality. This project wouldn’t have been possible without your hard work, support, leadership, guidance, brainstorming, pentesting, coding, and testing...
  • Blog Post: IE 8 XSS Filter Architecture / Implementation revealed + some other news

    I've just posted some detail on the Internet Explorer 8 XSS Filter Architecture / Implementation over on the SWI Blog. It would be great to get some feedback and answer any questions you may have -- just drop me a mail using the Email link to the left. In other news, Gareth Heyes has been spending...
  • Blog Post: IE8 XSS Filter design philosophy in-depth

    It's great to see some positive reaction to the potential of our XSS Filter. Now we just need to deliver! In this blog post I’ll try to shed some light on our design philosophy. To understand how we have arrived at our current filtering approach, it is useful to look back to the XSS Filter’s very...
  • Blog Post: IE8 goes on the offensive against XSS!

    IE has announced the new XSS Filter feature which will debut in IE8 Beta 2! Stay tuned to my blog in the coming weeks for more details on how the filter works, its history, its limitations, and some lessons learned during the development process.
  • Blog Post: XSS-Focused Attack Surface Reduction

    All web browsers expose what have been referred to as XSS “attack vectors” – various techniques that XSS attacks can leverage to achieve script execution. The best and most well regarded list of these behaviors is RSnake’s XSS Cheat Sheet. The existence of these attack vectors can at minimum present...
  • Blog Post: The Kill-Bit FAQ - Part 1 of 3 posted to SVRD blog

    Check out my ActiveX Kill-Bit FAQ which is now being posted to the SVRD blog. There are three parts, the first of which is now live. Parts two and three should be up by the end of the week.
  • Blog Post: An innovative new defense against cross-domain vulnerabilities

    Cross-domain (or “Universal XSS”) vulnerabilities have long plagued modern script-enabled web browsers. Shuo Chen of Microsoft Research has developed a new type of defense against these vulnerabilities. A paper on this new approach has been accepted to the 14th ACM Conference on Computer and Communications...
  • Blog Post: Notes on DNS Pinning

    Christian Matthies has an excellent writeup on DNS Pinning (with diagrams!). If you're tuned into web app security you've probably noticed a lot of discussion around Anti DNS Pinning a.k.a. DNS Rebinding a.k.a. Quick-Swap DNS lately. You're likely to see a lot more such discussion after this year's Blackhat...
  • Blog Post: eval() and document.write(), meet Execute and ExecuteGlobal

    Be on the lookout for these two VBScript statements that can be used to achieve the same effect as eval() and document.write(): Execute and ExecuteGlobal. Jonathan Ness pointed me to an exploit sample that was using Execute, presumably to trip up any eval() or document.write() dependent detection...
  • Blog Post: Recursive Obfuscation

    Thanks to Jonathan Ness for pointing me to an example of a new obfuscation technique that attempts to thwart the eval() → alert() trick. Take a look at the following obfuscation script: <script> function N(F,D) { if (!D) D = ' "#%()-./012348:;<=>@ACEGHILMOPRTVWY\\]_abcdefghijlmnopqrstuvwxyz...
  • Blog Post: High-bit ASCII obfuscation

    Here’s another new obfuscation technique I’ve seen in use on malicious web sites recently. Check out the following HTML: <html><meta http-equiv=content-type content='text/html; charset=us-ascii'></head><body>¼óãòéðô¾áìåòô¨¢Ôèéó éó óïíå ïâæõóãáôåä óãòéðô¡¢©»¼¯óãòéðô¾</body><...
  • Blog Post: Code length dependent obfuscation

    Wow, it’s been a long time! Hopefully I can find more time to blog over the next couple of months. In any event, my paper from last year really could use some updates. Among other things there are a whole new slew of “Usual Suspect” vulnerabilities to document. For this post I’ll focus on documenting...
  • Blog Post: Analyzing Browser Based Vulnerability Exploitation Incidents

    I've written up a paper that describes some useful tools/techniques for deconstructing web based exploits: Analyzing Browser Based Vulnerability Exploitation Incidents. The paper started as a blog entry and it remains a blog entry at its core. But since really huge blog entries are uncool (so I...