Browser security framework WebSpec reveals new cookie attack

The folks at the Vienna University of Technology in Austria designed a formal security framework called WebSpec to analyze browser security.

They have used it to identify multiple logical flaws affecting web browsers, revealing new cookie-based attacks and unresolved content security policy inconsistencies.

These logic flaws are not necessarily security holes, but they may be. They are inconsistencies between Web platform specifications and how those specifications are actually implemented in Web browsers.

WebSpec was developed by Lorenzo Veronese, Benjamin Farinier, Mauro Tempesta, Marco Squarcina, and Matteo Maffei to improve web security through automated, verifiable rule checking instead of manual evaluation.

Browsers, as they explain in an academic paper, “WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms,” have become very complex and get more complex as other components are added to the web platform.

The new web platform components are tested for compliance, but their specifications are manually reviewed by technical experts to understand how the new technology interacts with legacy APIs and individual browsers, the researchers said.

“Unfortunately, human review often overlooks logical flaws that ultimately lead to serious security breaches,” the computer scientists explained, noting that after the introduction of the HttpOnly flag in Internet Explorer 6, as a way to keep cookies private from client-side scripts, researchers discovered that it can be bypassed by scripts that access the response headers of an AJAX request using the getResponseHeader function.

WebSpec uses the Coq theorem proving language to subject the interaction between browsers and their specified behavior to formal testing. It makes browser security a matter of machine-checkable Satisfiability Modulo Theories (SMT) proofs.

To test for inconsistencies between web specifications and browsers, the researchers defined ten “invariants”, each of which describes “a property of the web platform that is expected to remain unchanged across its updates, and independent of how its components may interact with each other.”

These invariants or rules represent testable conditions that should hold, such as “Cookies with the Secure attribute can only be set over secure channels (using the Set-Cookie header)”, as defined in RFC 6265 section 4.1.2.5.

Of the ten invariants evaluated, three failed.

“In particular, we show how WebSpec can discover new attacks on the __Host- cookie prefix, as well as new inconsistencies between Content Security Policy’s inheritance rules and planned changes to the HTML standard,” the paper explains.

HTTP cookies prefixed with “__Host-” should only be set by the host domain or by a script on a page contained on that domain. However, WebSpec found an attack that broke the relevant invariant tests.

“A script that runs on a page can modify at runtime the effective domain used for SOP [Same-Origin Policy] checks through the document.domain API,” the paper explains, noting that a mismatch between the access control policies of the Document Object Model and the cookie jar allows a script running in an iframe to access the document.cookie property on the parent page if the two pages have document.domain set to the same value.

The researchers noted that while current web platforms are still vulnerable to this attack, eventually they will not be: the document.domain property has been deprecated, which means a future browser update will omit support at some point.

Using WebSpec, the authors also found inconsistencies in the way Blob objects (objects containing data that can be read as text, binary, or stream using built-in object methods) inherit their Content Security Policy.

Lorenzo Veronese, a PhD student at TU Wien, raised the issue with the HTML standard working group last July, but the CSP specification and the policy container explainer have not yet been reconciled.

Google software engineer Antonio Sartori has developed a fix, but it has not been integrated into the HTML standard.
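The mismatch, and why removing the document.domain setter restores the invariant, can be seen in a small model. The JavaScript below is an added illustration, not code from the paper or from WebSpec (which is written in Coq); the hostnames, the function names and the simplified document.domain and cookie jar checks are all assumptions made for the example.

```javascript
// Toy model of the DOM / cookie-jar mismatch. All names and hosts are constructed.
// Simplifications: scheme and port are ignored, and public-suffix checks are omitted.

function makeDoc(host) {
  return { host, effectiveDomain: host };
}

// Model of the document.domain setter: the new value must be the host or a parent of it.
// setterEnabled = false models a browser that no longer supports the setter.
function setDocumentDomain(doc, value, setterEnabled) {
  if (!setterEnabled) return false;
  if (doc.host !== value && !doc.host.endsWith("." + value)) return false;
  doc.effectiveDomain = value;
  return true;
}

// DOM access control: the same-origin check compares effective domains.
function domCanAccess(accessor, target) {
  return accessor.effectiveDomain === target.effectiveDomain;
}

// Writing target.document.cookie from accessor: gated only by the DOM check.
// The jar files the cookie under the target's URL host, whoever the writer was.
function writeCookieVia(accessor, target, jar, name, value) {
  if (!domCanAccess(accessor, target)) return false;
  jar.push({ name, value, jarHost: target.host, writerHost: accessor.host });
  return true;
}

// Invariant from the article: a __Host- cookie is only set by its own host.
function hostPrefixInvariantHolds(jar) {
  return jar.every(c => !c.name.startsWith("__Host-") || c.writerHost === c.jarHost);
}

// Parent page and a sibling-subdomain iframe both relax document.domain,
// then the iframe writes a __Host- cookie through the parent's document.
function run(setterEnabled) {
  const parent = makeDoc("shop.example.com");
  const frame = makeDoc("blog.example.com");
  const jar = [];
  setDocumentDomain(parent, "example.com", setterEnabled);
  setDocumentDomain(frame, "example.com", setterEnabled);
  const written = writeCookieVia(frame, parent, jar, "__Host-session", "set-by-frame");
  return { written, invariantHolds: hostPrefixInvariantHolds(jar) };
}

console.log(run(true));   // setter supported
console.log(run(false));  // setter removed
```
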

Regardless, the availability of WebSpec as a tool for formally evaluating browser behavior should make life a little easier for those who struggle to maintain large browser codebases. ®
