[WEB SECURITY] countermeasure against attacks through HTML shared files

Bil Corry bil at corry.biz
Fri Nov 7 11:49:55 EST 2008


fcorella at pomcor.com wrote on 11/6/2008 11:01 PM: 
> I have not been able to find much prior work.
> What I've found is discussed in Section 2 of the
> paper.  If I've missed something, please let me
> know.

Thank you for the paper!  Some related thoughts:

(1) Google offers advice on how to serve untrusted files for downloading:

	http://code.google.com/p/doctype/wiki/ArticleUntrustedDownloads

Granted, it doesn't seem to be working for them:

	http://www.securityfocus.com/archive/1/496734/30/0/threaded


(2) IE8 offers a new header to prevent this type of attack by forcing the user to download the file to disk, thus preventing the file from running in the context of your site:

	X-Download-Options: noopen
	http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx


(3) Internet Explorer (and other browsers to some extent) do content-sniffing, so a file doesn't have to be explicitly HTML in order for Internet Explorer to display the file as HTML (for example, the file can be a GIF, but still be shown as HTML by IE).

More info:

	http://xs-sniper.com/blog/2008/04/14/google-xss/
	http://www.gnucitizen.org/blog/backdooring-images/
	http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf

IE8 now offers a header to turn this behavior off (doesn't help for IE6 or IE7):

	X-Content-Type-Options: nosniff
	http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx


(4) GIFAR - Looks like a GIF, but runs as a Java Applet:

	http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111298
	http://radar.oreilly.com/2008/06/partial-same-origin-bypass-wit.html


- Bil
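The following is an added illustration of points (2) and (3) above, not code from Bil's message or from any project it links: a small Python helper set that (a) builds the response headers a site should send when serving an untrusted upload (Content-Disposition: attachment plus the two IE8 headers named above), (b) audits an existing header set for those protections, and (c) applies a rough pre-upload check for HTML markers near the start of a file, the kind of content a legacy sniffer might render as HTML even when the file claims to be an image. The marker list, the filename sanitisation rules and the sample GIF-with-HTML bytes are constructed assumptions for this example, not IE's real sniffing table.

```python
import re

# Tokens a legacy MIME sniffer (IE6/IE7 in particular) may look for near the
# start of a response when deciding to render it as HTML.  This list is an
# assumption for the example, not a transcription of any browser's table.
HTML_MARKERS = (
    b"<!doctype html", b"<html", b"<head", b"<body", b"<script",
    b"<iframe", b"<object", b"<meta", b"<title",
)


def looks_like_html(data: bytes, window: int = 256) -> bool:
    """Return True if the first `window` bytes contain an HTML-looking tag.

    Intended as a server-side upload check: a file that passes as a GIF by
    extension or magic bytes but carries HTML markup up front is the case
    described in point (3), so reject or quarantine it rather than serve it.
    """
    head = data[:window].lower()
    return any(marker in head for marker in HTML_MARKERS)


def safe_filename(name: str) -> str:
    """Reduce a user-supplied filename to a conservative ASCII token.

    Drops any directory component and replaces characters outside
    [A-Za-z0-9._-] so the value can be placed in a quoted Content-Disposition
    parameter without header injection or quote-breaking.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return cleaned or "download"


def untrusted_download_headers(filename: str,
                               content_type: str = "application/octet-stream") -> dict:
    """Headers for serving an untrusted file so it is saved, not rendered.

    - Content-Disposition: attachment forces a download prompt.
    - X-Content-Type-Options: nosniff stops IE8 from second-guessing the type.
    - X-Download-Options: noopen removes IE8's "Open" button so the file is
      never run in the serving site's origin.
    """
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"' % safe_filename(filename),
        "X-Content-Type-Options": "nosniff",
        "X-Download-Options": "noopen",
    }


def audit_download_headers(headers: dict) -> list:
    """List the protections missing from a response header set.

    Header names are matched case-insensitively.  An empty list means the
    response carries every protection this example checks for.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if not h.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("Content-Disposition is not 'attachment'; file may render inline")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing; IE8 may sniff as HTML")
    if h.get("x-download-options", "").lower() != "noopen":
        findings.append("X-Download-Options: noopen missing; IE8 may open in site context")
    if h.get("content-type", "").lower().startswith("text/html"):
        findings.append("Content-Type is text/html; file will execute as a page")
    return findings


# Constructed sample: a GIF header followed by HTML markup, the shape of file
# that point (3) says IE may display as HTML despite the image extension.
SAMPLE_GIF_WITH_HTML = b"GIF89a\x01\x00\x01\x00" + b"<html><body>hello</body></html>"
SAMPLE_PLAIN_GIF = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 64

if __name__ == "__main__":
    print("GIF+HTML flagged:", looks_like_html(SAMPLE_GIF_WITH_HTML))
    print("plain GIF flagged:", looks_like_html(SAMPLE_PLAIN_GIF))
    print(untrusted_download_headers("../../report.pdf", "application/pdf"))
    print(audit_download_headers({"Content-Type": "image/gif"}))
```

The audit function is the useful piece for an existing site: run it over the headers a download endpoint actually emits (captured with a proxy or the browser's network panel) and fix whatever it reports; the header builder is what a new endpoint should emit by default.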


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
