[WEB SECURITY] Browser Security Handbook by Google
mustlive at websecurity.com.ua
Thu Dec 11 16:48:04 EST 2008
Thanks for information about Google's Browser Security Handbook.
It's good, that Google decided to make such book. But, as I see, it's early
for Google to do it. Because for company with many holes in their own
browser, it's better to get more experience and fix all holes (not ignore
them) in their browser first, and only after that make their security book.
In any case I wish good luck Google with its book and hope it will be
interesting and useful for security community.
Here are some things which Google must did first, before making their
security book ;-).
1. Read my Classification of DoS vulnerabilities in browsers
2. Fix all holes in their browser Chrome, including all holes which I found
and informed them (including all DoS holes of all types which I wrote about
in my classification).
3. Fix Saved XSS vulnerability in their browser
(http://websecurity.com.ua/2505/). Google already did it (at least they did
this item of the list, but there are other not fixed holes).
You can read about Post Persistent XSS (Saved XSS) vulnerabilities
(http://websecurity.com.ua/2641/) on English
4. Read my article Automatic File Download vulnerabilities in browsers
(http://websecurity.com.ua/2438/). Which is about holes in Google Chrome
(and I sent the link to this article to them already in September). And
completely fixed these holes in their browser.
5. Fix all holes at their web sites, especially all holes which I found and
informed them. Including DoS vulnerability at www.google.com (and other
domains) which I disclosed recently (http://websecurity.com.ua/2692/). And
informed them and Google Security Team said that they were investigating it.
So every company or individual who is writing book (especially security one)
must always remember - first fix your holes, than write your book.
Best wishes & regards,
Administrator of Websecurity web site
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
More information about the websecurity