web application security lab

The Web Application Security Good - oh yah, and Bad and the Ugly

Despite all the damage that Jeremiah and some of the other web application security people and I have done to web security over the last year, there has been some good. Not a lot, but some. We’ve already talked about the top 10 worst web application security hacks this year (and it was a huge pain to narrow it down to 10, let me tell you), but it’s hard to come up with even ten good things that have happened this year for web application security. Let me outline what I think are the best things that have happened. But instead of coming up with a contrived list of 10, I’m going to list everything I can think of that actually impressed me about web application security over the last year (which turned out to be only 7 things). Don’t fear, I’ll break every one of them along the way.

1) Internet Explorer 7.0 and Firefox 2.0 finally got anti-phishing installed in their browsers by default. This was a huge win for consumers because it finally gave them an out-of-the-box tool. No more would they have to know enough to download some tool to protect themselves. The only problem is it doesn’t work very well. We’ve found many ways around each of these tools. But at least they’re trying! And with upwards of 90% of the market share collectively between the two browsers, that’s a big dent - even with the holes.

2) Internet Explorer 7.0 closed down the javascript: directive inside image tags, a cross site scripting issue that was one of the most annoying vectors out there. Images should not be a place for JavaScript; they should be a place for images. Nevertheless, Internet Explorer has finally fixed this issue. They also fixed some of the more esoteric issues, like variable width encoding in US-ASCII and UTF-8, which let someone run JavaScript while the application thinks the input isn’t even inside an HTML tag. We are still a long way from done patching XSS holes, but hey, huge props to MS for fixing those issues. It brings them to a far more level playing field in terms of XSS with the other browsers. There’s no clear winner in the XSS browser wars at this point.
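The two issues in that item share one root cause: the filter and the browser decode the same bytes differently. As an added example (not code from the original post), here is a defensive check for an image src attribute that rejects a javascript: scheme, including percent-encoded and whitespace-split spellings, and flags the two variable width encoding problems mentioned above: overlong UTF-8 sequences when the page is served as UTF-8, and high-bit bytes when it is served as US-ASCII. The function names, the charset parameter and the sample byte strings are constructed for this example.

```javascript
// Added example, not code from the original post: a defensive check for an
// <img src> value. Input is the raw attribute bytes plus the charset the page
// is served with; the charset decides which encoding trick is relevant.

function findOverlongUtf8(buf) {
  // Returns the index of the first invalid or overlong UTF-8 sequence, or -1.
  // An overlong sequence encodes a code point in more bytes than needed, so a
  // lenient decoder may turn e.g. C0 BC into '<' after the filter saw no '<'.
  let i = 0;
  while (i < buf.length) {
    const b = buf[i];
    if (b < 0x80) { i += 1; continue; }
    let len, cp;
    if ((b & 0xe0) === 0xc0) { len = 2; cp = b & 0x1f; }
    else if ((b & 0xf0) === 0xe0) { len = 3; cp = b & 0x0f; }
    else if ((b & 0xf8) === 0xf0) { len = 4; cp = b & 0x07; }
    else return i;                       // stray continuation or invalid lead byte
    if (i + len > buf.length) return i;  // truncated sequence
    for (let k = 1; k < len; k++) {
      const c = buf[i + k];
      if ((c & 0xc0) !== 0x80) return i;
      cp = (cp << 6) | (c & 0x3f);
    }
    const min = len === 2 ? 0x80 : len === 3 ? 0x800 : 0x10000;
    if (cp < min) return i;              // overlong encoding
    i += len;
  }
  return -1;
}

function firstHighBitByte(buf) {
  // Under a 7-bit US-ASCII charset some browsers dropped the high bit, so a
  // byte like BC could be rendered as '<' (3C). Any byte >= 0x80 is suspect.
  for (let i = 0; i < buf.length; i++) if (buf[i] >= 0x80) return i;
  return -1;
}

function isSafeImageSrc(buf, charset) {
  const cs = charset.toLowerCase();
  if (cs === 'utf-8' && findOverlongUtf8(buf) !== -1) return false;
  if (cs === 'us-ascii' && firstHighBitByte(buf) !== -1) return false;
  // Decode percent-encoding so "%6Aavascript:" is seen as its scheme, then drop
  // the control/whitespace bytes that browsers ignore inside a scheme name.
  let s;
  try { s = decodeURIComponent(buf.toString('latin1')); } catch (e) { return false; }
  const m = s.replace(/[\x00-\x20]/g, '').match(/^([a-z][a-z0-9+.-]*):/i);
  if (!m) return true;                                   // relative URL: no scheme
  return ['http', 'https'].includes(m[1].toLowerCase()); // scheme allowlist
}

// Constructed sample inputs for a stand-alone run.
console.log(isSafeImageSrc(Buffer.from('/images/logo.png'), 'utf-8'));        // true
console.log(isSafeImageSrc(Buffer.from('java\tscript:void(0)'), 'utf-8'));    // false
console.log(isSafeImageSrc(Buffer.from([0xc0, 0xbc, 0x69]), 'utf-8'));        // false
```

The check is deliberately an allowlist on the decoded scheme rather than a search for the string "javascript", which is why the whitespace-stripping and percent-decoding steps come before the comparison; a denylist that runs before decoding is exactly what the encoding tricks defeat.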

3) Stanford released their SafeHistory Firefox plugin. This was an answer to Jeremiah’s question about whether you feel safe allowing anyone to see your history. I know I don’t, so I went ahead and installed it and it worked great. Yah, but it turns out you don’t need to use CSS in this way to steal someone’s history. Not to mention the obvious looking at the referrer and other simple hacks. But whatever, Stanford is trying their best.

4) Another plugin was released to emulate Microsoft’s HTTPOnly inside Firefox. Great idea, Microsoft! I just wish Firefox would make this standard. But never fear, it’s breakable anyway, via XMLHttpRequest - but we knew that years ago when I believe Thor Larholm originally discussed this. Hey, at least it will slow the bad guys down a little.
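For readers who have not used the flag, here is what HTTPOnly looks like on the wire, as an added example that is not code from the original post or from the plugin mentioned above: a small builder for a session Set-Cookie header and an audit function that reports session-looking cookies missing the HttpOnly or Secure flags. The cookie names, values and the session-name heuristic are constructed for this example.

```javascript
// Added example, not code from the original post: build a session Set-Cookie
// header with the HttpOnly flag, and audit an existing header for it.

function buildSessionCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, path = '/', maxAge } = opts;
  // Cookie names are RFC 2616 tokens; values may not contain separators.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('bad cookie name');
  if (/[;,\s"\\]/.test(value)) throw new Error('bad cookie value');
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');     // never sent over plain HTTP
  if (httpOnly) parts.push('HttpOnly'); // kept out of document.cookie
  return parts.join('; ');
}

function parseSetCookie(header) {
  // Splits "name=value; Attr; Attr=val" into its pieces. Flag attributes
  // (no '=') are collected in a Set, valued attributes in an object.
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), flags: new Set(), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    if (i === -1) cookie.flags.add(a.toLowerCase());
    else cookie.attrs[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return cookie;
}

// Constructed heuristic for "this cookie carries a session": adjust per application.
const SESSION_NAME = /sess|sid|auth|token/i;

function auditSetCookie(header) {
  // Returns human-readable findings for a session-looking cookie, or [] if
  // the cookie is not a session cookie or already carries both flags.
  const c = parseSetCookie(header);
  const findings = [];
  if (!SESSION_NAME.test(c.name)) return findings;
  if (!c.flags.has('httponly')) findings.push(`${c.name}: missing HttpOnly, readable from document.cookie`);
  if (!c.flags.has('secure')) findings.push(`${c.name}: missing Secure, sent over plain HTTP`);
  return findings;
}

// Stand-alone run on constructed headers.
console.log(buildSessionCookie('sid', 'abc123', { maxAge: 3600 }));
console.log(auditSetCookie('sid=abc123; Path=/'));
```

The flag only removes the cookie from document.cookie; it does nothing for a script that can read the cookie back out of an HTTP response, which is the XMLHttpRequest route the post refers to. Current browsers hide Set-Cookie from XMLHttpRequest’s response header API, so today the remaining concern is any server feature or page that echoes request headers into a response body.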

5) There have been several tools released for developers, including Microsoft’s .NET security framework. I took a look at it and wow, it works! I wonder how many people will go back and fix all their applications to use it. And furthermore I wonder how many developers use .NET. Hmm… this one might take a while to take effect.

6) Let’s also not forget HTML Purifier. It’s some of the best code I’ve seen to date to stop XSS. Unfortunately, it can’t protect you against server level hacks, like the Expect vulnerability, or DOM based XSS, or anti-DNS Pinning, the unpatched mhtml issue or other crazy XSS issues. But we have to start somewhere right?
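What makes HTML Purifier different from the typical strip-the-bad-tags filter is that it works from an allowlist: anything not explicitly permitted never reaches the output. As an added example in that spirit (not HTML Purifier’s own code, and much smaller than it), here is a minimal allowlist filter: permitted tags and attributes are re-serialized from a parsed form, link schemes are restricted to http(s) or relative URLs, and every other tag or stray character is escaped rather than silently dropped. The tag table and sample markup are constructed for this example.

```javascript
// Added example, not HTML Purifier's code: a minimal allowlist HTML filter.
// Allowed tags map to the attributes permitted on them (constructed table).
const ALLOWED = { b: [], i: [], p: [], br: [], a: ['href', 'title'] };

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function safeHref(v) {
  // Only http(s) or relative links; the value is re-escaped when serialized.
  const m = v.replace(/[\x00-\x20]/g, '').match(/^([a-z][a-z0-9+.-]*):/i);
  return !m || ['http', 'https'].includes(m[1].toLowerCase());
}

function parseAttrs(raw) {
  // name="v", name='v' or name=v; unquoted values stop at whitespace.
  const out = {};
  const re = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(raw)) !== null) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return out;
}

function sanitizeHtml(input) {
  // Tokens: a tag, a run of text, or a lone '<' that does not open a tag.
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|[^<]+|</g;
  let out = '';
  let m;
  while ((m = tokenRe.exec(input)) !== null) {
    const tok = m[0];
    if (tok[0] !== '<' || m[1] === undefined) { out += escapeHtml(tok); continue; }
    const tag = m[1].toLowerCase();
    if (!(tag in ALLOWED)) { out += escapeHtml(tok); continue; } // unknown tag: shown, not run
    if (tok[1] === '/') { out += `</${tag}>`; continue; }
    const attrs = parseAttrs(m[2]);
    let rendered = `<${tag}`;
    for (const name of ALLOWED[tag]) {          // only listed attributes survive
      if (!(name in attrs)) continue;
      if (name === 'href' && !safeHref(attrs[name])) continue;
      rendered += ` ${name}="${escapeHtml(attrs[name])}"`;
    }
    out += rendered + '>';
  }
  return out;
}

// Stand-alone run on constructed markup.
console.log(sanitizeHtml('<p>Hi <b onclick="x()">there</b></p>'));
console.log(sanitizeHtml('<a href="https://example.com/?a=1&b=2">link</a>'));
```

Two limits are worth knowing before reusing the pattern: the tokenizer does not understand a quoted greater-than sign or existing entities (an `&amp;` in the input becomes `&amp;amp;`), which is why HTML Purifier uses a real HTML parser instead of regular expressions, and, as the post says, nothing at this layer helps with DOM based XSS, where the untrusted string never passes through the server at all.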

7) Apache closed the Expect vulnerability. Yes, I know I just mentioned it in #6, but that was a big win. Previously all new installs of Apache would be vulnerable to the Expect vulnerability. No more. All future installs should be safe. But that does leave several million old and vulnerable installs out there…

So although I wouldn’t call this year a stunning success in terms of the security community making leaps and bounds over their adversaries, there was some good that came out of this year. Don’t let anyone tell you otherwise. But no, seriously, we did a lot more damage this year than I think has ever been done to internet security (at least within the last 4-5 years). Hopefully there will be some new tools and tactics over the coming year to close down some of the more dangerous emerging security issues out there.

7 Responses to “The Web Application Security Good - oh yah, and Bad and the Ugly”

  1. Mephisto Says:

    If I’m not mistaken, don’t IE and Firefox submit data to Microsoft and Mozilla respectively, including internal IP addresses, cookie information which might contain personal information, etc… as part of having their “anti-phishing” settings turned on?

  2. RSnake Says:

    I haven’t spent much time looking at that, but I wouldn’t doubt it. If anyone has confirmed information about that it might be interesting to look at from a privacy perspective.

  3. Jungsonn Says:

    FireFox phones home to Google only your browser information every 20 minutes or so, as well as the hashes and a key that’s stored in your browser folder to update/retrieve the phishing list. It could be looked upon as a privacy issue I guess. Every ping that’s made is one too many for me, and we don’t have a lot of problems or issues with traffic analysis yet (or at least we think not); the NSA might be analysing traffic in real time. To analyse where, when, and why you were at that spot doing this, that and the other and associate you with it. Paranoid? Maybe, but a few weeks ago a hacker was convicted by asking Google to give the search results he used as evidence.

  4. kuza55 Says:

    @Jungsonn

    Well, we’re not actually sure if Google did or didn’t disclose the data; it’s completely possible they got his browser history or the ISP (or whoever was providing the wireless access) kept logs, but Google *did* say that they can associate searches, not only with IPs, but with cookies as well, so we’re back to 1990s web bug paranoia…

  5. nEUrOO Says:

    @RSnake:
    At least for IE7, there is some information here: http://portal.spidynamics.com/blogs/spilabs/archive/2006/12/19/IE7-_2D00_-Phishing-vs.-Privacy.aspx

  6. Jungsonn Says:

    @Kuza55

    Correct, though it’s highly likely to me that Google cooperated in this case. I know that my provider does not store search queries and has a privacy TOS towards the end user.

    Links about the story:
    http://news.com.com/Police+blotter+Google+searches+nab+wireless+hacker/2100-1030_3-6144962.html?tag=cd.top
    http://news.com.com/Verbatim+Search+firms+surveyed+on+privacy/2100-1025_3-6034626.html
    http://news.com.com/FAQ+When+Google+is+not+your+friend/2100-1025_3-6034666.html

  7. dusoft Says:

    Thank you for bringing my attention to HTML purifier. I will certainly use that library in my CMS for both validation and XSS filtering.