Hallelujah! It’s been a great past few days, and I couldn’t even tell you all until now. I’ve been exchanging emails with David Ross from Microsoft for a few days regarding some anti-XSS stuff he’s working on. That MS is reading and listening gives me a great deal of hope! Further, David forwarded me an excerpt from an internal paper he had written (the snippet comes from a paper that expresses David’s own individual views as a security researcher and not necessarily the overall views of Microsoft). Take a look at the snippets:
RSnake’s “XSS Cheat Sheet” provides a long list of techniques such as the STYLE/expression trick described above. This is a great resource that can be leveraged by web application penetration testers looking for ways to circumvent potential fixes. But the cheat sheet effectively also provides a great reference of obscure techniques that enable XSS where it might not otherwise be possible.
As a side note, that jibes with what other Microsoft higher-ups have told me about the reason for that change (although it was pretty unofficial, and at first they told me it might be a bug, so it’s nice to get some clarity on that change). I’m glad to see it recognized how that change came to be. It’s nice to see that internally it is realized how it impacted the number of vectors that affected Microsoft Internet Explorer from version 6.0 to 7.0.
Incidentally, RSnake took note. In an October 14 posting to his blog,
Until a few days ago I had had very little hope for the browser companies stepping up to the plate and coming up with the solutions for the problem. It appears that we are developing new security issues at a rate much faster than the browser companies are fixing them. They have the most to gain by fixing these issues too. It’s really nice to be talking to people who can make a difference and are committed to it. David and I are now working on some concepts for more browser security. Obviously all of this would be a ways away or may never happen, but at least I now have some hope. What a great story - browser company teams up with independent security researchers to come up with cutting edge solutions. “Teams” might be a strong word, but it’s as close as I’ve seen the browser companies come to walking hand in hand with the security community, and I’m glad to be a part of it. I just can’t wait to get started.
Don’t worry, I’m still going to be as dispassionate about browser religion as I’ve ever been (as you may or may not remember, I’m the one who came up with the concept of content-restrictions in Firefox). I like to stay objective. I’m just eager to get the percentage of effective browser exploitation down to where it can be mitigated through whatever means are available, and right now Microsoft is really listening.
And no, telneting to port 80 just isn’t an option.