Blog

Showing posts with label browser security.

Wednesday, 15 August 2007

Browser bugs vs. attacks on same origin policy

A bar-room conversation with a colleague at Black Hat led me to think about this question, and here are my thoughts, for what they're worth.

Today's browsers are full of 0day, particularly in the processing of images and other media, and in plug-ins like ActiveX controls. At the same time, a thriving area of current research is focused on attacks against the browser same origin policy, involving JSON hijacking, DNS rebinding, other workarounds and logic flaws. Which of these areas is more worthy of our attention?

Here are two polarised (and somewhat caricatured) opinions:

  • If I want to compromise a web user, I can just find a browser 0day and completely own them. Attacks against same origin policy are lame and unnecessary.

  • I agree we can't ignore browser bugs if we’re trying to protect web apps. We need to find defences in the application that can stand up to a compromised browser.

Of these two positions, the second is the easiest to shoot down. Aside from a narrow subset of browser bugs, no defences in the application can protect against a compromised browser. If an attacker can execute arbitrary machine-level code within a user's browser, then they completely own that user's interaction with any web application.

Does that mean we must accept the first position? There are several reasons why not:

  • Many would-be attackers are not capable of discovering and exploiting a browser 0day, but can understand and deliver attacks against the same origin policy. Defences that frustrate only some attackers are still worthwhile.

  • Attacks against the same origin policy make interesting research. Most security researchers are interested in class breaks and new genres of attacks, rather than individual bugs. The types of vulnerabilities that exist within browsers, and the ways they can be discovered, are more interesting than the latest bug in an image parser. Similarly, generic ways of circumventing the same origin policy are more interesting than the latest means of inducing network timeouts, to port scan other domains.

  • This area of web security is a weakest link problem, in that an attacker needs to find either a browser bug or a same origin policy bypass to compromise a user. Conventional defence-in-depth does not apply - a robust same origin policy can still be defeated through a bug in the browser, and vice versa. This means that protecting users entails resolving both problem areas. Browser vendors are taking security seriously, and bugs are going to get progressively harder to find and exploit. Meanwhile, research into attacking and defending same origin restrictions needs to continue, so that this is not left as the weak link when browsers become more resilient.

Tuesday, 7 August 2007

Mozilla to fix bugs in "ten fucking days"

RSnake posted this great story about how Mike Shaver, Director of "Ecosystem Development" at Mozilla Corporation, pledged to fix any critical vulnerabilities within "ten fucking days", and even provided a specially endorsed business card to prove the point:

He was allegedly sober (although I'd say he must be one of the only people at Black Hat who was) and it was apparently a personal undertaking rather than official company policy. But it shows a worthy commitment to security, and also an admirable refusal to take himself too seriously. I can't imagine someone senior at MS pulling the same stunt.

It motivated me to do something similar, so here is my promise: If someone reports any serious flaws in Burp, I will fix them within ten fucking years. No ifs, no buts, just a fix within ten years or your money back. Can't say fairer than that.

Tuesday, 10 July 2007

DNS pinning and web proxies

DNS-based attacks against browsers have been known about for years. These attacks have received increased attention recently, following the discovery of defects within browser-based DNS pinning defences.

So far, discussion has focused on browser issues. However, the same attacks can also be performed against web proxies. Browser-based DNS pinning does not apply when a web proxy is being used, because the DNS look-ups occur on the proxy, not the browser. Hence, even if DNS-based attacks are completely addressed within browsers, the problem is not going to go away altogether.

The most significant opportunities for DNS-based attacks are against web users on internal corporate networks, as a means of gaining unauthorised access to sensitive information and web applications on internal intranets. Given that a large proportion of these users access the Internet via a proxy server, attacks against web proxies may represent at least as significant a threat as those against browsers.

I've written a short paper which explains the problem, examines possible software-based solutions, and describes the defences that organisations and individuals can use to prevent attacks against them. In summary:

  • DNS-based attacks affect web proxies as well as browsers.

  • Today's proxies are vulnerable.

  • The problem is not straightforward to fix in software.

  • You can protect your own infrastructure against these attacks.
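To make the proxy side of this concrete, here is an added example (it is not part of this post or of the paper it refers to) of the name-resolution step a forward proxy performs before connecting upstream, run through three configurations: a plain proxy that resolves afresh on every request, one that pins the first answer for a host, and one that additionally refuses answers inside internal address ranges. The host names, addresses and the scripted resolver are constructed; the pin and internal-range checks illustrate two defences of the kind the paper discusses, not its specific recommendations.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Address ranges a proxy serving internal users should never be steered to by an
# external name: RFC 1918, loopback, link-local, and their IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample DNS answers (documentation addresses). "rebind.example"
# answers with a public address first and an internal address on the next
# look-up, which is the rebinding pattern; "www.example" is a stable, benign name.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "rebind.example": ["203.0.113.10", "10.0.0.5"],
    "www.example": ["198.51.100.20"],
}


def make_fake_resolver(answers: Dict[str, List[str]]) -> Callable[[str], str]:
    """Return resolve(name) that replays the scripted answers in order and then
    repeats the last one. Stands in for the proxy's real DNS look-up."""
    calls: Dict[str, int] = {}

    def resolve(name: str) -> str:
        i = calls.get(name, 0)
        calls[name] = i + 1
        seq = answers[name]
        return seq[min(i, len(seq) - 1)]

    return resolve


def is_internal(ip: str) -> bool:
    """True if the address falls inside any of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class ProxyResolver:
    """Resolution policy a forward proxy applies before opening an upstream
    connection. pin_ttl > 0 reuses the first answer for a host for that many
    seconds; block_internal refuses any answer inside INTERNAL_NETS."""

    def __init__(self, resolve: Callable[[str], str], pin_ttl: float = 0.0,
                 block_internal: bool = False) -> None:
        self._resolve = resolve
        self._pin_ttl = pin_ttl
        self._block_internal = block_internal
        self._pins: Dict[str, Tuple[str, float]] = {}
        self._now = 0.0  # virtual clock so the scenarios are deterministic

    def tick(self, seconds: float) -> None:
        self._now += seconds

    def upstream_address(self, host: str) -> str:
        pinned = self._pins.get(host)
        if pinned is not None and self._now - pinned[1] < self._pin_ttl:
            return pinned[0]  # pin still live: do not consult DNS again
        ip = self._resolve(host)
        if self._block_internal and is_internal(ip):
            raise PermissionError(f"refusing {host} -> {ip}: internal address")
        self._pins[host] = (ip, self._now)
        return ip


def run_scenarios() -> Dict[str, object]:
    """Two requests for rebind.example through three proxy configurations."""
    results: Dict[str, object] = {}

    # 1. Plain proxy: every request resolves afresh, so the second request is
    #    sent to the internal address the name was rebound to.
    plain = ProxyResolver(make_fake_resolver(SAMPLE_ANSWERS))
    results["plain"] = [plain.upstream_address("rebind.example") for _ in range(2)]

    # 2. Pinning proxy: the first answer is reused while the pin is live, so the
    #    rebound answer is never consulted.
    pinned = ProxyResolver(make_fake_resolver(SAMPLE_ANSWERS), pin_ttl=300)
    results["pinned"] = [pinned.upstream_address("rebind.example") for _ in range(2)]

    # 3. Pinning plus internal-range filter: once the pin expires, the rebound
    #    answer is refused rather than connected to.
    strict = ProxyResolver(make_fake_resolver(SAMPLE_ANSWERS), pin_ttl=300,
                           block_internal=True)
    first = strict.upstream_address("rebind.example")
    strict.tick(301)
    try:
        strict.upstream_address("rebind.example")
        outcome = "connected"
    except PermissionError:
        outcome = "refused"
    results["strict"] = [first, outcome]

    # A benign public name is unaffected by either check.
    results["benign"] = strict.upstream_address("www.example")
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name:7s} {value}")
```

Pinning alone only narrows the window: whatever the pin lifetime, the name is looked up again eventually, which is why the third configuration also rejects answers in internal ranges. Applying such a filter on a real proxy needs care with legitimate internal names, so in practice it would be combined with an allow-list of hosts that are expected to resolve internally.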


Copyright (c) 2007 PortSwigger. All rights reserved.