Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

[Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx>]

Prasad,

	In a strict sense, content restrictions would not "prevent" XSS or  
CSRF vulnerabilities from occurring on a website. What it would be  
able to do is significantly restrict where the payloads would be able  
to execute and more importantly what they'd be able to do. Its like  
website permissions for JavaScript defined by a website policy.

Regards,

jeremiah-


On Aug 10, 2007, at 6:35 PM, Prasad Shenoy wrote:

> If I understand what is being discussed here, this proposed  
> solution won't address XSS issue, correct? I can see how it can  
> prevent or curtail CSRF up to some extent. So thinking more about  
> it, a thought that comes to my mind is of a possible DoS on the  
> server.
>
> An attacker can exploit an XSS vulnerability, say, write a looping  
> function provoking the browser to confirm with the web server on  
> ever iteration. How many iterations can cause the server to go down  
> is open to imagination I guess.
>
> Again, I ain't not expert on this "yet" so there is much chance  
> that I might be totally "off" the track here. If I am, please point  
> it out :-)
>
> P
>
>
>
> On 8/10/07, Ryan Barnett <rcbarnett@xxxxxxxxx> wrote: Ivan Ristic  
> wrote a proposal paper about a year ago called "Secure
> Browsing Mode" that you might want to look at -
> http://www.modsecurity.org/blog/archives/ 
> Secure_Browsing_Mode_Proposal.pdf
>
> It also references Gervase's paper.
>
>
> On 8/10/07, Anurag Agarwal <anurag.agarwal@xxxxxxxxx> wrote:
> > I am looking to get views from people on the list about a  
> proposed security
> > restriction in the browsers
> >
> > The browser should check with the webserver which domains it can  
> interact
> > with (load files from or submit post data to, etc) for that  
> website. How the
> > check is implemented is upto the browser.
> >
> > For example: If a page from mybank.com is trying to submit data to
> > attacker.com then before submitting the data, the browser should  
> check with
> > the mybank.com if it is allowed to do so.
> >
> > Q1. is it reasonable?
> > Q2. What are the pros and cons of this approach?
> > Q3. Would it limit some types of browser attacks (like some xss  
> vectors,
> > etc)?
> > Q4. Would it open any new types of attack vectors?
> >
> >
> > I know there are security researchers, browser vendors, corporate  
> security
> > folks and various other smart webappsec people on this list. I  
> would really
> > appreciate if they can chip in with their 2 cents on this topic.
> >
> >
> > Any feedback is highly appreciated
> >
> > Cheers,
> >
> > Anurag Agarwal
> >
> > SEEC - An application security search engine
> > Web: www.attacklabs.com , www.myappsecurity.com
> > Email : anurag.agarwal@xxxxxxxxx
> > Blog : http://myappsecurity.blogspot.com
>
>
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>
> ---------------------------------------------------------------------- 
> ------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>
>
> --
> Prasad


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]