May 2, 2008 2:50 PM PDT

Web browsers and other mistakes

Correction, 3:40 p.m. PDT: This story initially misspelled Dan Kaminsky's last name.

On Friday at Microsoft's Blue Hat conference in Redmond, Wash., Alex "Kuza55" K. of SIFT challenged the software company and others to build a better Internet browser by detailing the many ways browsers fail to parse malicious code.

In the talk, Kuza55 included details on how various attacks use logged-out cross-site scripting (XSS), XSS in pages protected against cross-site request forgery (CSRF), JavaScript hijacking, session fixation, CSRF token fixation, and CSRF vulnerabilities to compromise desktop Internet browsers. The talk was provided to CNET as a PowerPoint presentation.

Dan Kaminsky, of IOActive, told CNET News.com that Kuza55 talked about the "obscure internal elements of things you can do to Web browsers. Like how to use browsers to attack other protocols. Or how to use text in a browser to attack other particular protocols."

Kuza55 started his talk by showing ways to use browser cookies for XSS attacks. In one method, "by abusing the path attribute (within a cookie) we can effectively overwrite cookies very specifically, or for the whole domain by setting lots of them." Kuza55 noted that Firefox and Opera limit the number of cookies that can be stored within each browser, and when the limit is reached the oldest cookie is removed to make room for the new one. Thus, it is possible for an attacker to overwrite the existing cookies in these browsers by exhausting the limit. Internet Explorer does not have such a limit.
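The two cookie behaviours described above are easy to see in a small model. The following is an added example, not code from the article or from Kuza55's talk: it simulates a browser cookie jar with a per-host cap and oldest-first eviction (the cap value and host names are constructed for the demo, not either browser's real limit), builds the Cookie header per RFC 6265 path matching, and shows the one check a server can make, which is to treat a cookie name that arrives more than once as tampering rather than silently picking one copy.

```python
from collections import OrderedDict

# Added example (not from the article or the talk): a constructed model of a
# browser cookie jar with a per-host cookie cap and oldest-first eviction,
# plus the server-side check that catches path-attribute shadowing.
# MAX_PER_HOST is a demo value, not Firefox's or Opera's real limit.
MAX_PER_HOST = 5


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the cookie path must equal the
    request path or be a prefix of it that ends at a '/' boundary."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    def __init__(self, max_per_host: int = MAX_PER_HOST):
        self.max_per_host = max_per_host
        self.jars = {}  # host -> OrderedDict[(name, path)] = value, oldest first

    def set_cookie(self, host, name, value, path="/"):
        jar = self.jars.setdefault(host, OrderedDict())
        key = (name, path)
        if key in jar:
            jar.pop(key)  # same name and path: replace, and treat as newest
        elif len(jar) >= self.max_per_host:
            jar.popitem(last=False)  # jar full: evict the oldest cookie
        jar[key] = value

    def cookie_header(self, host, request_path):
        """Build the Cookie header the browser would send: cookies with a
        longer (more specific) path come first, ties keep creation order."""
        jar = self.jars.get(host, OrderedDict())
        matching = [(name, path, value) for (name, path), value in jar.items()
                    if path_matches(path, request_path)]
        matching.sort(key=lambda t: -len(t[1]))  # sort is stable
        return "; ".join(f"{n}={v}" for n, _, v in matching)


def parse_cookie_header(header):
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name.strip(), value.strip()))
    return pairs


def shadowed_cookies(header):
    """Server-side check: names that occur more than once in the Cookie
    header. The server cannot tell which copy is the real one, so a
    duplicate should be treated as tampering, not resolved by picking one."""
    counts = {}
    for name, _ in parse_cookie_header(header):
        counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


def demo():
    jar = CookieJar(max_per_host=3)
    jar.set_cookie("app.example", "session", "legit", path="/")
    # same name, narrower path: shadows the real cookie under /account/ only
    jar.set_cookie("app.example", "session", "shadow", path="/account")
    at_root = jar.cookie_header("app.example", "/")
    at_account = jar.cookie_header("app.example", "/account/settings")
    # two more cookies push the jar past its cap; the oldest one is evicted
    jar.set_cookie("app.example", "a", "1")
    jar.set_cookie("app.example", "b", "2")
    after_overflow = jar.cookie_header("app.example", "/")
    return at_root, at_account, after_overflow


if __name__ == "__main__":
    root, account, overflow = demo()
    print("GET /                 Cookie:", root)
    print("GET /account/settings Cookie:", account, "->", shadowed_cookies(account))
    print("after overflow        Cookie:", overflow)
```

Running the demo shows the path-shadowed request carrying `session=shadow; session=legit`, which `shadowed_cookies` flags, and the root request losing its original session cookie entirely once the cap is exceeded. A server that only reads the first value of a repeated name never sees either symptom.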

The talk also addressed potential abuses of the FindMimeFromData function, discussed one directory traversal bug within Flash 9.0.124.0, and how to use 7-bit Unicode Transformation Format (UTF-7) as a means to inject encoded meta tags or encoded cross-site scripting into a browser. For the latter, Kuza55 cited the work of Yosuke Hasegawa.
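The UTF-7 technique only works when the browser is left to guess the page encoding, so the practical check is on the response, not the payload. The following is an added example, not code from the article or from Hasegawa's or Kuza55's work: a small response linter that reports a missing charset declaration and, for such responses, whether re-decoding the ASCII-only bytes as UTF-7 would surface tags that the raw bytes do not contain. The sample headers and page body are constructed for the demo.

```python
import re
from typing import Dict, List, Optional

# Added example (not from the article): a response linter that flags the
# conditions under which the UTF-7 trick matters. The sample body and
# headers at the bottom are constructed for the demo.

# Tag names worth caring about if they only appear after re-decoding.
TAG_RE = re.compile(r"<\s*/?\s*(script|meta|iframe|object|embed|img|svg)\b", re.I)


def declared_charset(headers: Dict[str, str], body: bytes) -> Optional[str]:
    """Charset from the Content-Type header, else from an early <meta>
    declaration; None when the document leaves the encoding to sniffing."""
    m = re.search(r'charset\s*=\s*"?([\w.-]+)', headers.get("Content-Type", ""), re.I)
    if m:
        return m.group(1).lower()
    m = re.search(rb'<meta[^>]+charset\s*=\s*["\']?([\w.-]+)', body[:1024], re.I)
    if m:
        return m.group(1).decode("ascii", "replace").lower()
    return None


def utf7_risk(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return human-readable findings; an empty list means no UTF-7 concern."""
    findings = []
    charset = declared_charset(headers, body)
    if charset is None:
        findings.append("no charset declared: the browser may guess the encoding")
    if charset not in (None, "utf-7"):
        return findings  # explicit non-UTF-7 charset: +ADw- stays literal text
    try:
        decoded = body.decode("utf-7")
    except UnicodeDecodeError:
        return findings  # not valid UTF-7, so a UTF-7 guess would fail anyway
    raw_tags = {t.lower() for t in TAG_RE.findall(body.decode("ascii", "replace"))}
    hidden = sorted({t.lower() for t in TAG_RE.findall(decoded)} - raw_tags)
    if hidden:
        findings.append("UTF-7 decoding reveals tags absent from the raw bytes: "
                        + ", ".join(hidden))
    return findings


# Constructed sample: a page echoing a user comment. The comment is plain
# ASCII, but it is made of UTF-7 shift sequences that decode to <script>.
SAMPLE_BODY = (b"<html><body><p>Comment: Hello "
               b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"
               b"</p></body></html>")
SAFE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SNIFFED_HEADERS = {"Content-Type": "text/html"}


if __name__ == "__main__":
    for label, hdrs in (("explicit charset", SAFE_HEADERS), ("no charset", SNIFFED_HEADERS)):
        print(f"{label}: {utf7_risk(hdrs, SAMPLE_BODY) or ['ok']}")
```

The same body is inert under the explicit `charset=utf-8` header and flagged under the bare `text/html` one, which is the whole point: the fix is an unambiguous charset on every HTML response (header or early meta), not filtering of `+ADw-` style sequences.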

Kuza55 also mentioned abuses of the HTTP protocol, DNS, and subdomains. He faulted the browser makers several times for not providing enough documentation, and said he had to use trial and error to make these findings. Despite that, he is continuing his research.

2 comments
Probably just as vulnerable but,
by Melekai May 2, 2008 4:09 PM PDT
Safari wasn't mentioned.
Safari wasn't mentioned...
by owzark127 May 2, 2008 4:47 PM PDT
because it's not widely used in the PC market. Hackers aren't going to take the time to exploit the fledgling browser without the reward of infecting a larger user base. I, as a Mac user, hope somebody (ahem, Apple) will get their act together and hire some more security testers to keep the exploits that are found within core services like QuickTime in Safari to a lowdown, to prevent what happened a month ago at the hacking competition.
About Defense in Depth

With over eight years at CNET covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews with the top security researchers making the news, as well as offering the hands-on, non-technical advice you'll need to stay safe online.
