Week 29 2013

In our Security Disaster of the Week, H. Marco and Ismael Ripoll found out that all applications statically linked and compiled via glibc since 2006 have their pointers protected by being XORed with zero. Exploit mitigation at its finest.

My favorite type of browser vulnerability remains the good old Same-Origin Policy (SOP) bypass: Usually the SOP enforces a virtual boundary in which web sites are allowed to include content from other domains (scripts, displaying images) but prevented from accessing the actual content. If the SOP is bypassed, your gmail inbox leaks. A good example is Armin Razmdjou's finding: Attackers can abuse a playlist API in the Windows Media Player browser plugin to read contents from arbitrary web pages. Specifying a URL within the same origin that redirects to the interesting site will satisfy WMP's SOP. Reading the playlist's content then reveals the HTML source code. Tada!

Zane Lackey and Omar Ahmed of the Etsy Security Team analysed SSL traffic to see which CAs are actually required in their day to day business. Their data could be used to reduce the set of trusted CAs to a minimum.

Matt Wobensmith of Mozilla's QA started submitting code to the Content Security Policy (CSP) test suite for the W3C Web Application Security Working Group, Thanks!

Please contact me or comment on Mastodon or Twitter. If you find something you wish to change, you may also submit a pull request.

All posts

  1. Origins, Sites and other Terminologies (Sat 14 January 2023)
  2. Finding and Fixing DOM-based XSS with Static Analysis (Mon 02 January 2023)
  3. DOM Clobbering (Mon 12 December 2022)
  4. Neue Methoden für Cross-Origin Isolation: Resource, Opener & Embedding Policies mit COOP, COEP, CORP und CORB (Thu 10 November 2022)
  5. Reference Sheet for Principals in Mozilla Code (Mon 03 August 2020)
  6. Hardening Firefox against Injection Attacks – The Technical Details (Tue 07 July 2020)
  7. Understanding Web Security Checks in Firefox (Part 1) (Wed 10 June 2020)
  8. Help Test Firefox's built-in HTML Sanitizer to protect against UXSS bugs (Fri 06 December 2019)
  9. Remote Code Execution in Firefox beyond memory corruptions (Sun 29 September 2019)
  10. XSS in The Digital #ClimateStrike Widget (Mon 23 September 2019)
  11. Chrome switching the XSSAuditor to filter mode re-enables old attack (Fri 10 May 2019)
  12. Challenge Write-up: Subresource Integrity in Service Workers (Sat 25 March 2017)
  13. Finding the SqueezeBox Radio Default SSH Passwort (Fri 02 September 2016)
  14. New CSP directive to make Subresource Integrity mandatory (`require-sri-for`) (Thu 02 June 2016)
  15. Firefox OS apps and beyond (Tue 12 April 2016)
  16. Teacher's Pinboard Write-up (Wed 02 December 2015)
  17. A CDN that can not XSS you: Using Subresource Integrity (Sun 19 July 2015)
  18. The Twitter Gazebo (Sat 18 July 2015)
  19. German Firefox 1.0 ad (OCR) (Sun 09 November 2014)
  20. My thoughts on Tor appliances (Tue 14 October 2014)
  21. Subresource Integrity (Sun 05 October 2014)
  22. Revoke App Permissions on Firefox OS (Sun 24 August 2014)
  23. (Self) XSS at Mozilla's internal Phonebook (Fri 23 May 2014)
  24. Tales of Python's Encoding (Mon 17 March 2014)
  25. On the X-Frame-Options Security Header (Thu 12 December 2013)
  26. html2dom (Tue 24 September 2013)
  27. Security Review: HTML sanitizer in Thunderbird (Mon 22 July 2013)
  28. Week 29 2013 (Sun 21 July 2013)
  29. The First Post (Tue 16 July 2013)