
Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers




Ryan -

This is an awesome paper. It covers a lot of areas and explains everything in great detail. I hope browser vendors are giving it its due attention.

Cheers,

Anurag Agarwal

SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@yahoo.com
Blog : http://myappsecurity.blogspot.com

----- Original Message ----
From: Ryan Barnett <rcbarnett@gmail.com>
To: Anurag Agarwal <anurag.agarwal@yahoo.com>; WASC Forum <websecurity@webappsec.org>; "Webappsec @securityFocus" <webappsec@securityfocus.com>
Sent: Friday, August 10, 2007 5:27:48 PM
Subject: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

Ivan Ristic wrote a proposal paper about a year ago called "Secure
Browsing Mode" that you might want to look at -
http://www.modsecurity.org/blog/archives/Secure_Browsing_Mode_Proposal.pdf

It also references Gervase's paper.

On 8/10/07, Anurag Agarwal <anurag.agarwal@yahoo.com> wrote:
> I am looking to get views from people on the list about a proposed security
> restriction in the browsers.
>
> The browser should check with the webserver which domains it can interact
> with (load files from or submit post data to, etc.) for that website. How the
> check is implemented is up to the browser.
>
> For example: if a page from mybank.com is trying to submit data to
> attacker.com, then before submitting the data the browser should check with
> mybank.com if it is allowed to do so.
>
> Q1. Is it reasonable?
> Q2. What are the pros and cons of this approach?
> Q3. Would it limit some types of browser attacks (like some XSS vectors,
> etc.)?
> Q4. Would it open any new types of attack vectors?
>
>
> I know there are security researchers, browser vendors, corporate security
> folks and various other smart webappsec people on this list. I would really
> appreciate it if they could chip in with their 2 cents on this topic.
>
>
> Any feedback is highly appreciated.
>
> Cheers,
>
> Anurag Agarwal
>
> SEEC - An application security search engine
> Web: www.attacklabs.com , www.myappsecurity.com
> Email : anurag.agarwal@yahoo.com
> Blog : http://myappsecurity.blogspot.com


-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
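The check Anurag proposes, worked through as an added example that is not code from anyone in this thread: a simulated browser asks the page's own origin which destination hosts it may load from or post to, then applies that answer before the request leaves. The policy format, the `/allowed-domains.txt` path, the sample policies and the choice that a site publishing no policy keeps today's unrestricted behaviour are all assumptions made for the example.

```python
# Added example of the proposed browser-side check (not from the thread).
# The policy document, its path and the sample sites are constructed.
from urllib.parse import urlsplit

# Constructed stand-in for fetching http://<origin>/allowed-domains.txt
# from the page's OWN origin.  One host pattern per line;
# "*.example.com" covers subdomains only, never the bare domain.
POLICY_DOCS = {
    "mybank.com": "mybank.com\n*.mybank.com\ncdn.bankstatic.example\n",
    "blog.example": "",   # publishes an empty policy: no external host allowed
}


def fetch_policy(origin_host):
    """Return the origin's allowed host patterns, or None if it publishes none."""
    doc = POLICY_DOCS.get(origin_host)
    if doc is None:
        return None
    return [line.strip().lower() for line in doc.splitlines() if line.strip()]


def host_matches(pattern, host):
    """Exact match, or subdomain match for '*.' patterns (the dot is required)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # ".mybank.com" suffix, so no lookalikes
    return host == pattern


def may_interact(page_url, target_url):
    """Decide whether a page at page_url may load from / post to target_url."""
    origin = urlsplit(page_url).hostname.lower()
    target = urlsplit(target_url).hostname.lower()
    if origin == target:
        return True                     # same host is always allowed
    patterns = fetch_policy(origin)     # consult the page's origin, not the target
    if patterns is None:
        return True   # assumption: a site with no policy is not restricted
    return any(host_matches(p, target) for p in patterns)


if __name__ == "__main__":
    print(may_interact("https://mybank.com/transfer", "https://attacker.com/collect"))
    print(may_interact("https://mybank.com/transfer", "https://api.mybank.com/submit"))
```

Because the decision comes from the page origin's policy, a destination host cannot grant itself access; the example also rejects lookalike hosts such as `mybank.com.attacker.com`, which a naive suffix check would accept.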



Brought to you by http://www.webappsec.org