WebSpec, a formal framework for browser security analysis, reveals new cookie attack

Folks at Technische Universität Wien in Austria have devised a formal security framework called WebSpec to analyze browser security.

And they’ve used it to identify multiple logical flaws affecting web browsers, revealing a new cookie-based attack and an unresolved Content Security Policy contradiction.

These logical flaws are not necessarily security vulnerabilities, but they can be. They’re inconsistencies between Web platform specifications and the way these specs actually get implemented within web browsers.

WebSpec was developed by Lorenzo Veronese, Benjamin Farinier, Mauro Tempesta, Marco Squarcina, Matteo Maffei in an effort to bring rigor to web security through automated, verifiable rule checking rather than manual evaluation.

Browsers, as they explain in an academic paper, “WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms,” have become tremendously complex and continue to become more so as additional components get added to the web platform.

New web platform components undergo compliance testing, the researchers say, but their specifications get reviewed manually by technical experts to understand how new technologies interact with legacy APIs and individual browser implementations.

“Unfortunately, manual reviews tend to overlook logical flaws, eventually leading to critical security vulnerabilities,” the computer scientists explain, pointing to how eight years after the introduction of the HttpOnly flag in Internet Explorer 6 – as a way to keep cookies confidential from client-side scripts – researchers discovered the flag could be bypassed by scripts accessing the response headers of an AJAX request using the getResponseHeader function.

WebSpec uses the Coq proof assistant to subject the interplay of browsers and their specified behavior to formal checking. It turns browser security questions into machine-checkable Satisfiability Modulo Theories (SMT) proofs.

To test for inconsistencies between web specs and browsers, the researchers defined ten “invariants,” each of which describes “a property of the Web platform that is expected to hold across its updates and independently on how its components can possibly interact with each other.”

These invariants or rules represent testable conditions that should hold true, such as “Cookies with the Secure attribute can only be set (using the Set-Cookie header) over secure channels,” as defined in RFC 6265, Section 4.1.2.5.

Of the ten invariants evaluated, three failed.

“In particular, we show how WebSpec is able to discover a new attack on the __Host- prefix for cookies as well as a new inconsistency between the inheritance rules for the Content Security Policy and a planned change in the HTML standard,” the paper explains.

HTTP cookies prefixed with “__Host-” are supposed to only be set by the host domain or scripts included on pages on that domain. WebSpec, however, found an attack to break the related invariant test.

“A script running on a page can modify at runtime the effective domain used for SOP [Same-Origin Policy] checks through the document.domain API,” the paper explains, noting that the mismatch between access control policies in the Document Object Model and the cookie jar lets a script running in an iframe access the document.cookie property on a parent page if both pages set document.domain to the same value.

The researchers note that while the current web platform remains vulnerable to this attack, eventually it won’t be: the document.domain property has been deprecated, so future browser updates will drop support for it at some point.
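The mismatch described above, modelled as an added illustration in plain JavaScript (this is not WebSpec’s Coq model or the paper’s code): the cookie jar applies the __Host- prefix rules, while the DOM’s same-origin check honours a document.domain relaxation the cookie jar never sees. Origins are constructed, and the `originKeyed` flag is an assumed, simplified stand-in for the Origin-Agent-Cluster response header, under which the document.domain setter has no effect.

```javascript
// Toy model of the __Host- cookie rules beside the DOM-side document.domain
// relaxation. Added illustration only; origins and hosts are constructed.

// Cookie-jar rule for __Host- cookies (RFC 6265bis prefix semantics):
// Secure attribute, set over https, no Domain attribute, Path=/.
function acceptsHostPrefixedCookie(setCookieHeader, requestUrl) {
  const [nameValue, ...attrList] = setCookieHeader.split(";").map((s) => s.trim());
  const name = nameValue.split("=")[0];
  if (!name.startsWith("__Host-")) return true; // prefix rules do not apply
  const attrs = new Map(
    attrList.map((a) => {
      const [k, v = ""] = a.split("=");
      return [k.toLowerCase(), v];
    })
  );
  return (
    new URL(requestUrl).protocol === "https:" &&
    attrs.has("secure") &&
    !attrs.has("domain") &&
    attrs.get("path") === "/"
  );
}

// DOM-side model. A document is {origin, effectiveDomain, originKeyed}.
// Assigning document.domain relaxes effectiveDomain to a suffix of the
// current host; the cookie jar is never told about that relaxation.
function setDocumentDomain(doc, value) {
  const host = new URL(doc.origin).hostname;
  // Assumed mitigation model: with Origin-Agent-Cluster the setter is a no-op.
  if (doc.originKeyed) return doc;
  if (host !== value && !host.endsWith("." + value)) {
    throw new Error("SecurityError: value is not a suffix of the current host");
  }
  return { ...doc, effectiveDomain: value };
}

// Same-origin check as the DOM applies it after relaxation: two documents
// that both relaxed to the same domain may touch each other's DOM, so a
// frame can read parent.document.cookie, __Host- cookies included.
function frameCanReadParentCookies(parent, frame) {
  if (parent.origin === frame.origin) return true;
  return (
    parent.effectiveDomain !== null &&
    parent.effectiveDomain === frame.effectiveDomain
  );
}
```

Running the two checks side by side on a sibling-subdomain frame shows the gap: the cookie jar refuses any attempt to set a __Host- cookie with a Domain attribute, yet once both documents assign the same document.domain the DOM check passes and the cookie is readable; an origin-keyed parent keeps the check failing.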

The authors also used WebSpec to discover an inconsistency with the way Blob objects – objects containing data that can be read as text, binary, or streams using built-in object methods – inherit their Content Security Policy.

Lorenzo Veronese, a doctoral student at TU Wien, raised the issue last July to the working group of the HTML standard, but the different behaviors described in the CSP spec and the policy container explainer have yet to be reconciled.

Antonio Sartori, a Google software engineer, has developed a fix but it has yet to be integrated into the HTML standard.

In any event, the availability of WebSpec as a tool to formally evaluate browser behavior should make life a bit easier for those struggling to maintain sprawling browser codebases.
