random dross

Web security and beyond...

  • XSS-Focused Attack Surface Reduction (4 Comments)
    All web browsers expose what have been referred to as XSS “attack vectors” – various techniques that XSS attacks can leverage to achieve script execution. The best and most well regarded list of these behaviors is RSnake’s XSS Cheat Sheet. The existence...

  • IE8 XSS Filter design philosophy in-depth (3 Comments)
    It's great to see some positive reaction to the potential of our XSS Filter. Now we just need to deliver! In this blog post I’ll try to shed some light on our design philosophy. To understand how we have arrived at our current filtering approach...

  • Current Thoughts on DNS Rebinding (0 Comments)
    RSnake and Dan Kaminsky have been talking about session fixation via DNS Rebinding. As you may recall, an attacker can't abuse your Foo.com cookies in a rebinding attack, though they can walk your browser around Foo.com content and control the session...

  • Code length dependent obfuscation (2 Comments)
    Wow, it’s been a long time! Hopefully I can find more time to blog over the next couple of months. In any event, my paper from last year really could use some updates. Among other things there are a whole new slew of “Usual Suspect” vulnerabilities to...

  • Notes on DNS Pinning (1 Comment)
    Christian Matthies has an excellent writeup on DNS Pinning (with diagrams!). If you're tuned into web app security you've probably noticed a lot of discussion around Anti DNS Pinning a.k.a. DNS Rebinding a.k.a. Quick-Swap DNS lately. You're likely to see...

  • IE8 Beta 2 (0 Comments)
    If you haven’t already seen, Internet Explorer 8 Beta 2 is out – go get it! Now is a good time to thank everyone who helped make the IE8 XSS Filter a reality. This project wouldn’t have been possible without your hard work, support, leadership, guidance...

  • Recursive Obfuscation (0 Comments)
    Thanks to Jonathan Ness for pointing me to an example of a new obfuscation technique that attempts to thwart the eval() → alert() trick. Take a look at the following obfuscation script: <script> function N(F,D) { if (!D) D = ' "#%()-./012348...

  • Analyzing Browser Based Vulnerability Exploitation Incidents (0 Comments)
    I've written up a paper that describes some useful tools/techniques for deconstructing web based exploits: Analyzing Browser Based Vulnerability Exploitation Incidents. The paper started as a blog entry and it remains a blog entry at its core. But...

  • XSS Filter Tech: Later is Better? (0 Comments)
    Arcane design decisions can have subtle but important effects on the characteristics of a security mitigation. Consider how client-side XSS filtering might examine a given HTTP response for evidence of a reflected attack. Is it more sensible to examine...

  • Happy 10th birthday Cross-Site Scripting! (0 Comments)
    On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers: Unauthorized Site Scripting, Unofficial Site Scripting, URL Parameter Script Insertion, Cross Site Scripting, Synthesized...

  • High-bit ASCII obfuscation (1 Comment)
    Here’s another new obfuscation technique I’ve seen in use on malicious web sites recently. Check out the following HTML: <html><meta http-equiv=content-type content='text/html; charset=us-ascii'></head><body>¼óãòéðô¾áìåòô¨¢Ôèéó...

  • IE 8 XSS Filter Architecture / Implementation revealed + some other news (1 Comment)
    I've just posted some detail on the Internet Explorer 8 XSS Filter Architecture / Implementation over on the SWI Blog. It would be great to get some feedback and answer any questions you may have -- just drop me a mail using the Email link to the left...

  • IE8 goes on the offensive against XSS! (1 Comment)
    IE has announced the new XSS Filter feature which will debut in IE8 Beta 2! Stay tuned to my blog in the coming weeks for more details on how the filter works, its history, its limitations, and some lessons learned during the development process.

  • XSSDS (6 Comments)
    Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent paper on a new Cross-site Scripting detection system called XSSDS. Stay tuned to noxss.org for a new browser extension based on this technology. The XSSDS...

  • An innovative new defense against cross-domain vulnerabilities (1 Comment)
    Cross-domain (or “Universal XSS”) vulnerabilities have long plagued modern script-enabled web browsers. Shuo Chen of Microsoft Research has developed a new type of defense against these vulnerabilities. A paper on this new approach has been accepted to...

  • De-obfuscation using a standalone Javascript interpreter (0 Comments)
    Mark Wodrich forwarded me this Websense blog post describing how to use a standalone Javascript interpreter to de-obfuscate some script. Thanks Mark!

  • Pinning / Rebinding / Quick-Swap DNS Links (0 Comments)
    A group at Stanford has been researching these issues and recently published Protecting Browsers from DNS Rebinding Attacks. Also, Dan Kaminsky has published his slides from Blackhat 2007, Black Ops 2007: Design Reviewing The Web.

  • Enforcing Standards Mode with X-FRAME-OPTIONS (0 Comments)
    Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface Reduction in the browser. But it’s necessary to prevent framing as a prerequisite to enforced Standards Mode. Putting this into practice is pretty...

  • eval() and document.write(), meet Execute and ExecuteGlobal (0 Comments)
    Be on the lookout for these two VBScript statements that can be used to achieve the same effect as eval() and document.write(): Execute and ExecuteGlobal. Jonathan Ness pointed me to an exploit sample that was using Execute, presumably to trip up...

  • ABE (2 Comments)
    Giorgio Maone's new ABE project looks pretty cool. Exposing the loose and often unnecessary boundaries between web applications shines a different light on some old problems in web application security. Enforcing greater formalization and limiting...

  • Good Bug (1 Comment)
    Credit goes to Alex "Kuza55" Kouzemtchenko for identifying a weakness in the XSS Filter OBJECT tag heuristic. The original heuristic failed to properly sanitize OBJECT tags with the DATA attribute set. Alex found that it is possible to use the DATA attribute...

  • Fuzzing for Design Bugs? (0 Comments)
    Have you ever heard someone ask “Do we need to fuzz this?” This question comes up quite a bit in the context of reactive security work. There are basically two traditional answers: Yes. When you’re attempting to find variants...

  • Hyperlink Spoofing and the Modern Web (0 Comments)
    Over the past six months or so I’ve been looking at hyperlink spoofing threats as a bit of a part-time project. I’ve primarily been interested in how the design of social networking platforms impacts the ability of their users to make good...

  • The MSHTML (Trident) Host Security FAQ (0 Comments)
    I've posted a two-part FAQ addressing security considerations for apps that host MSHTML. Check it out over at the SRD blog! The MSHTML Host Security FAQ: Part I of II; The MSHTML Host Security FAQ: Part II of II.

  • Hello! (0 Comments)
    Hi! I'm David Ross and this is my work blog. As an engineer on the Microsoft Secure Windows Initiative at Microsoft I specialize in browser and web application security.

Page 1 of 2 (37 items)