Dailydave mailing list archives

Re: TTW


From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Wed, 16 Nov 2011 08:42:31 -0800

On Tue, Nov 15, 2011 at 9:15 AM, Michal Zalewski <lcamtuf () coredump cx> wrote:
> I don't normally spam mailing lists with commercial crap - but I'm
> actually sort of proud of this one, I think it's sort of unique and
> may be of interest to many readers... so let's see if Dave is asleep
> at the moderator wheel.

Since Dave is getting his beauty rest...

> Long story short, I wanted to plug "The Tangled Web" - a book that was
> partly inspired by my 2008 Browser Security Handbook
> (http://code.google.com/p/browsersec/). TTW is probably the first-ever
> reasonably detailed examination of the browser security model and its
> evolution through the years, covering everything from frame navigation
> policies and some of the less known quirks of plugin handling and
> content sniffing, to many of the current and upcoming HTML5 features.

Your new book is impressive and should be read by anyone working in
the web space who cares about security -- whether an attacker or
defender. It most definitely captures the current state and how we
arrived at this juncture due to the many browser wars, in which, btw,
Google Chrome is about to leap out in front of all others (on the way
to 40% usage [1]). The quote from the book that sums it all up is your
statement that "...the status quo reflects several rounds of hastily
implemented improvements and is a complex mix of browser-specific
special cases..."

> Feedback welcome.

I greatly enjoyed reading the book and jotted some notes down that may
be useful to yourself and other readers here. These were the topics
that piqued my interest.

* Microsoft's challenge to JavaScript, VBScript, has the potential for
some exploitation, if no one has been fuzzing it much thus far.

* Potential SVG embedding vulnerabilities.

* Is XUL really officially killed by Mozilla?

* Flash cross-domain exploitation examples and crossdomain.xml "loose" policies.

* Great coverage of "GIFAR" type issues.

* Astute observations of trade-offs in plugin attack surface versus
actual benefit to users.

* XBAP security coverage.

* The excellent tables of Same-Origin-Policy violations and other
tests versus different client-side contexts.

* In depth coverage of URI schemes [2] and potentials for abuse.

* How to resolve data sharing via new mechanisms like postMessage() API

* Blind cookie-overwrite attacks (interesting examples)

* Very humorous localhost.cisco.com abuse example.

* Local HTML/other execution issues that break privacy segmentation.

* Interesting about:neterror security weakness example.

* New style HTML frame attacks (as you mentioned already).

* CSS object overlay click-jacking examples and impact on user
experience (e.g. Firefox add-on installation).

* Content sniffing and dangers such as Byte Order Marking / UTF-7;
also an interesting note on the diff between UTF7 and UTF-7.

* window.createPopup()

* Abusing HSTS for client-side DoS.

* CSP coverage.

As a final note, it was highly predictable to see Microsoft and other
more slowly moving browser vendors being scolded for their inability
to rectify issues (even those that are known), but what struck me as
quite interesting was the case where Microsoft challenged the CORS
standard. It didn't appear that they were doing this for any political
reason and in fact came up with a more technically sound solution,
which the CORS team eventually drew inspiration from. That was nice to
throw in there.

I hope other readers also enjoy your book when they pick it up...

Cheers,

[1] http://www.w3schools.com/browsers/browsers_stats.asp
[2] http://en.wikipedia.org/wiki/URI_scheme#Official_IANA-registered_schemes
-- 
Kristian Erik Hermansen
https://profiles.google.com/kristian.hermansen
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave