[WEB SECURITY] Browser Security Handbook by Google

MustLive mustlive at websecurity.com.ua
Thu Aug 20 13:09:36 EDT 2009


Hello participants of the Mailing List.

Here is my comment on Bil Corry's message from 11 December 2008.

When Bil answered Bryan Hughes' message about Google's Browser Security
Handbook, he mentioned mark-of-the-web (when he quoted from Google's
handbook).

I'll tell you about all the security research on mark-of-the-web functionality
in different browsers that I did in 2007-2008. There is no such
information in Google's Browser Security Handbook (as far as I know from
looking through it), so Michal can also take a look at this aspect of
browsers' security (to write about it in the handbook).

In August 2007 I found an XSS vulnerability in IE6 (in mark-of-the-web
functionality):

Cross-Site Scripting vulnerability in Internet Explorer
http://websecurity.com.ua/1241/

Which you can read in English
(http://translate.google.com/translate?hl=en&ie=UTF-8&u=http://websecurity.com.ua/1241/&sl=uk&tl=en).

As I mentioned at my site, in October 2008 I checked this hole in IE7 and
found that it was also vulnerable.

When I found this hole, I created a new type of XSS vulnerabilities which I
called Post Persistent XSS (Saved XSS). I put this type as a subtype of
Persistent XSS. As I told RSnake about this hole in IE in 2007, this is not
the first hole of such type which I found - the first time I found such a hole
was in 2006 (it allows universal XSS attacks on any web site (almost any) in any
browser and works as both Reflected XSS and Saved XSS), and sometime I'd
release this hole :-).

Post Persistent XSS (Saved XSS) vulnerabilities
http://websecurity.com.ua/2641/

Which you can read in English
(http://translate.google.com/translate?hl=en&ie=UTF-8&u=http://websecurity.com.ua/2641/&sl=uk&tl=en).

In October 2008 I found similar holes in Google Chrome and Opera.

Cross-Site Scripting vulnerability in Google Chrome
http://websecurity.com.ua/2505/

Which you can read in English
(http://translate.google.com/translate?hl=en&ie=UTF-8&u=http://websecurity.com.ua/2505/&sl=uk&tl=en).

Cross-Site Scripting vulnerability in Opera
http://websecurity.com.ua/2555/

Which you can read in English
(http://translate.google.com/translate?hl=en&ie=UTF-8&u=http://websecurity.com.ua/2555/&sl=uk&tl=en).

As a result, after I informed the developers, only Google fixed this hole
in their browser; neither Microsoft (in IE6 and IE7, and IE8 can
potentially be vulnerable too) nor Opera did. Just note that after my
advisory in August 2007 of such a hole in IE6, Google had more than one year
before releasing their browser at the beginning of September 2008, so they had
enough time to not make this hole in Chrome 0.x versions (without waiting
for my warning about this hole).

Also I wrote two articles on how to make code execution attacks via these XSS
holes (in mark-of-the-web functionality). Here are the texts in English:

Code Execution via XSS
http://securityvulns.ru/Udocument911.html

Cross-browser Code Execution via XSS
http://securityvulns.ru/Udocument941.html

So every browser developer needs to be careful with mark-of-the-web
functionality in their browser.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

From: Bil Corry <bil at xxxxxxxxx>
Subject: Re: [WEB SECURITY] Browser Security Handbook by Google
Date: Thu, 11 Dec 2008 22:38:09 -0600


> Bryan Hughes wrote on 12/11/2008 8:32 PM:
>> I couldn't see any references to browser security when loading local
>> content (from a filesystem, attachment or embedded in a document,
>> etc).
>
> It's talked about here:
>
>
> http://code.google.com/p/browsersec/wiki/Part2#Downloads_and_Content-Disposition
>
> For example:
>
> -----
> Recent versions of Microsoft Internet Explorer mitigate the risk by
> storing mark-of-the-web and ADS Zone.Identifier tags on all saved content;
> the same practice is followed by Chrome. These tags are later honored by
> Internet Explorer, Windows Explorer, and a handful of other Microsoft
> applications to either restrict the permissions for downloaded files (so
> that they are treated as if originating from an unspecified Internet site,
> rather than local disk), or display security warnings and request a
> confirmation prior to displaying the data. Any benefit of these mechanisms
> is lost if the data is stored or opened using a third-party browser, or
> sent to any other application that does not carry out additional checks,
> however.
> -----
>
> Write Michal (the author) if you have specific suggestions for improving
> the handbook and/or adding additional tests.  I wrote him earlier today
> with some feedback and he replied promptly to my suggestions.
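The quoted handbook passage describes the two places the mark-of-the-web lives on Windows: the `Zone.Identifier` NTFS alternate data stream that IE and Chrome attach to downloads, and the `<!-- saved from url=(NNNN)... -->` comment IE writes into saved HTML. The checker below is an added example (not code from the thread, the handbook, or MustLive's advisories) that a defender can use to verify a file actually carries the mark before trusting a viewer to honour it; it assumes the documented `[ZoneTransfer]`/`ZoneId` stream layout and the standard Windows zone numbering, and the sample inputs are constructed.

```python
import re
from typing import Optional

# Standard Windows URL security zone ids found in the Zone.Identifier stream.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# IE's HTML mark-of-the-web: the 4-digit field is the length of the URL that
# follows, e.g. "<!-- saved from url=(0014)about:internet -->".
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier stream body, or None if absent."""
    section = None
    for line in stream_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                return int(value.strip())
    return None


def parse_html_motw(html: str) -> Optional[str]:
    """Return the MOTW origin URL only when the comment is well-formed: a length
    field that does not match the URL is treated as no mark at all."""
    m = MOTW_RE.search(html)
    if m is None or int(m.group(1)) != len(m.group(2)):
        return None
    return m.group(2)


def is_marked_as_internet(stream_text: str) -> bool:
    """True when the stream places the file in the Internet or Restricted zone."""
    zone = parse_zone_identifier(stream_text)
    return zone is not None and zone >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the NTFS alternate data stream (Windows only); None if it is missing."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed samples: a Zone.Identifier body as Chrome/IE write it, and a saved page.
SAMPLE_ADS = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://example.com/download.html\r\n"
SAMPLE_HTML = "<!-- saved from url=(0014)about:internet -->\n<html><body>hi</body></html>"
```

A file whose stream is missing, or whose HTML comment has a bad length field, reports as unmarked, which is exactly the case the handbook warns about when third-party tools save or open the data.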

