Despite all the damage that Jeremiah, some of the other web application security people and I have done to web security over the last year, there has been some good. Not a lot, but some. We’ve already talked about the top 10 worst web application security hacks this year (and it was a huge pain to narrow it down to 10, let me tell you), but it’s hard to come up with even ten good things that have happened this year for web application security. Let me outline what I think are the best things that have happened. But instead of coming up with a contrived list of 10, I’m going to list everything I can think of that actually impressed me about web application security over the last year (which was only 7 things). Don’t fear, I’ll break every one of them along the way.
1) Internet Explorer 7.0 and Firefox 2.0 finally got anti-phishing installed in their browsers by default. This was a huge win for consumers because it finally gave them an out-of-the-box tool. No more would they have to know enough to download some tool to protect themselves. The only problem is that it doesn’t work very well. We’ve found many ways around each of these tools. But at least they’re trying! And with upwards of 90% of the market share collectively between the two browsers, that’s a big dent - even with the holes.
3) Stanford released their SafeHistory Firefox plugin. This was an answer to Jeremiah’s question about whether you feel safe allowing anyone to see your history. I know I don’t, so I went ahead and installed it and it worked great. Yeah, but it turns out you don’t need to use CSS in this way to steal someone’s history. Not to mention the obvious trick of looking at the referrer and other simple hacks. But whatever, Stanford is trying their best.
4) Another plugin was released to emulate Microsoft’s HTTPOnly inside Firefox. Great idea, Microsoft! I just wish Firefox would make this standard. But never fear, it’s breakable anyway, via XMLHttpRequest - but we knew that years ago when I believe Thor Larholm originally discussed this. Hey, at least it will slow the bad guys down a little.
5) There have been several tools released for developers, including Microsoft’s .NET security framework. I took a look at it and wow, it works! I wonder how many people will go back and fix all their applications to use it. And furthermore I wonder how many developers use .NET. Hmm… this one might take a while to take effect.
6) Let’s also not forget HTML Purifier. It’s some of the best code I’ve seen to date to stop XSS. Unfortunately, it can’t protect you against server level hacks like the Expect vulnerability, DOM based XSS, anti-DNS pinning, the unpatched mhtml issue, or other crazy XSS issues. But we have to start somewhere, right?
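To make the DOM based XSS gap concrete, here is an added example (not code from the original post or from the HTML Purifier project) that models a page whose client-side script builds markup from the URL fragment. A server-side sanitizer only ever sees the static template the server emits; the fragment never travels to the server, so the vulnerable and hardened variants below differ only in what the browser-side code does with it. The names and the sample fragment are constructed for illustration.

```javascript
// Static markup the server sends. It carries no user data, so a server-side
// sanitizer such as HTML Purifier has nothing here to clean.
const SERVER_TEMPLATE = '<p id="greet"></p>';

// Decode the value after "#" the way a page script typically would.
// Malformed percent-encoding makes decodeURIComponent throw; treat it as empty
// rather than letting the page script die half-way through rendering.
function fragmentValue(hash) {
  const raw = hash.replace(/^#/, '');
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return '';
  }
}

// Vulnerable pattern: the fragment is spliced straight into a string that the
// page then assigns to innerHTML. No server component ever sees this string.
function renderGreetingVulnerable(hash) {
  return '<p>Welcome back, ' + fragmentValue(hash) + '</p>';
}

// Hardened pattern: escape before the value becomes markup. In a real page the
// simpler fix is to assign the value with textContent instead of innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingSafe(hash) {
  return '<p>Welcome back, ' + escapeHtml(fragmentValue(hash)) + '</p>';
}

// Review aid: count the tags in rendered output. The template contributes
// exactly two (<p> and </p>); anything beyond that came from the fragment.
function countTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi);
  return tags ? tags.length : 0;
}

// Constructed sample fragment (not a real URL): a link a user might be tricked
// into following. The vulnerable renderer lets the <img> element through.
const SAMPLE_HASH = '#<img src=x onerror=alert(1)>';
console.log('vulnerable tags:', countTags(renderGreetingVulnerable(SAMPLE_HASH)));
console.log('hardened tags:  ', countTags(renderGreetingSafe(SAMPLE_HASH)));
```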
7) Apache closed the Expect vulnerability. Yes, I know I just mentioned it in #6, but that was a big win. Previously all new installs of Apache would be vulnerable to the Expect vulnerability. No more. All future installs should be safe. But that does leave several million old and vulnerable installs out there…
So although I wouldn’t call this year a stunning success in terms of the security community making leaps and bounds over their adversaries, there was some good that came out of it. Don’t let anyone tell you otherwise. But no, seriously, we did a lot more damage this year than I think has ever been done to internet security (at least within the last 4-5 years). Hopefully there will be some new tools and tactics over the coming year to close down some of the more dangerous emerging security issues out there.