Dailydave mailing list archives
Re: TTW
From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Wed, 16 Nov 2011 08:42:31 -0800
On Tue, Nov 15, 2011 at 9:15 AM, Michal Zalewski <lcamtuf () coredump cx> wrote:

> I don't normally spam mailing lists with commercial crap - but I'm actually sort of proud of this one, I think it's sort of unique and may be of interest to many readers... so let's see if Dave is asleep at the moderator wheel.
Since Dave is getting his beauty rest...
> Long story short, I wanted to plug "The Tangled Web" - a book that was partly inspired by my 2008 Browser Security Handbook (http://code.google.com/p/browsersec/). TTW is probably the first-ever reasonably detailed examination of the browser security model and its evolution through the years, covering everything from frame navigation policies and some of the less known quirks of plugin handling and content sniffing, to many of the current and upcoming HTML5 features.
Your new book is impressive and should be read by anyone working in the web space who cares about security -- whether an attacker or defender. It most definitely captures the current state and how we arrived at this juncture due to the many browser wars, in which, btw, Google Chrome is about to leap out in front of all the others (on the way to 40% usage [1]). The quote from the book that sums it all up is your statement that "...the status quo reflects several rounds of hastily implemented improvements and is a complex mix of browser-specific special cases..."
> Feedback welcome.
I greatly enjoyed reading the book and jotted down some notes that may be useful to yourself and other readers here. These were the topics that piqued my interest.

* Microsoft's challenge to JavaScript, VBScript, has the potential for some exploitation, if no one has been fuzzing it much thus far.
* Potential for SVG embedding vulnerabilities.
* Is XUL really officially killed by Mozilla?
* Flash cross-domain exploitation examples and crossdomain.xml "loose" policies.
* Great coverage of "GIFAR" type issues.
* Astute observations of trade-offs in plugin attack surface versus actual benefit to users.
* XBAP security coverage.
* The excellent tables of Same-Origin-Policy violations and other tests versus different client-side contexts.
* In-depth coverage of URI schemes [2] and potentials for abuse.
* How to resolve data sharing via new mechanisms like the postMessage() API.
* Blind cookie-overwrite attacks (interesting examples).
* Very humorous localhost.cisco.com abuse example.
* Local HTML/other execution issues that break privacy segmentation.
* Interesting about:neterror security weakness example.
* New style HTML frame attacks (as you mentioned already).
* CSS object overlay click-jacking examples and impact on user experience (e.g. Firefox add-on installation).
* Content sniffing and dangers such as Byte Order Marking / UTF-7; also interesting note on the diff between UTF7 and UTF-7.
* window.createPopup()
* Abusing HSTS for client-side DoS.
* CSP coverage.

As a final note, it was highly predictable to see Microsoft and other more slowly moving browser vendors being scolded for their inability to rectify issues (even those that are known), but what struck me as quite interesting was the case where Microsoft challenged the CORS standard. It didn't appear that they were doing this for any political reason and in fact came up with a more technically sound solution, which the CORS team eventually drew inspiration from. That was nice to throw in there.
I hope other readers also enjoy your book when they pick it up...

Cheers,

[1] http://www.w3schools.com/browsers/browsers_stats.asp
[2] http://en.wikipedia.org/wiki/URI_scheme#Official_IANA-registered_schemes

--
Kristian Erik Hermansen
https://profiles.google.com/kristian.hermansen

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave