Re: [WEB SECURITY] several IE8 features controversial at best "Onward to Beta-2 in August!"
- From: kuza55 <kuza55@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] several IE8 features controversial at best "Onward to Beta-2 in August!"
- Date: Thu, 3 Jul 2008 09:50:05 +1000
2008/7/3 Mat Caughron <mat@xxxxxxxxxxxxxxxxx>:
> Surely I'm not the only webappsec engineer here thinking that client-side
> cross site scripting mitigation is more than a little irrelevant.
Even if others agree with you, it doesn't mean you're right.
As much as I hate having things that stop vulnerabilities being
exploitable, the chance people get pwned is going to decrease whether
you like it or not. It's not going to fix things, but I don't believe
that this measure will be like .NET RequestValidation which will lead
to developers ignoring vulns, because IE8 will be the only browser
protecting users by default (insert obligatory NoScript comment here),
and many developers these days are aware at least of the existence and
market share of other browsers.
> Maybe "helps to mitigate" should read "helps to obfuscate the real issues".
Just like stack/heap cookies, ASLR, NX, etc help mitigate overflows,
measures like these may help mitigate some XSS attacks.
> "And of course in addition to all of this we need to effectively counter all
> the XSS attack vectors not already addressed by other XSS-Focused Attack
> Surface Reduction measures." *
>
> So now these experts are advocating blacklisting javascript malware on the
> client side? Between this and Google's safe web browsing API, maybe we
> should just purchase a monthly subscription for someone else to do all our
> web browsing for us.
Did you even click on the link? While I don't think "XSS-Focused
Attack Surface Reduction" is much of a selling point since it's really
just "removing a lot of the IE-specific XSS vectors", it's got nothing
to do with "blacklisting javascript malware on the client side".
> Another jewel:
> We've also introduced the XDomainRequest object to permit secure network
> retrieval of "public" data across domains.
>
>
> Note the word public is in quotes. Their quotes, people, not mine.
So you're railing against the use of quotes when you can actually just
go and read what it is? Yes, "public", rather than public because the
info could be private, it's up to the web server to decide, though the
lack of cookies being sent is meant to stop people sending private
data, though I'm sure it won't.
- kuza55, NotACISSP
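The XDomainRequest point above (no cookies are sent, so the server has to decide what counts as "public", and the missing cookie does not by itself keep private data in) as an added example; this is not code from the thread, from Microsoft, or from IE8, but a small model of the exchange. It assumes a simplified XDR client that releases the body only when the response carries Access-Control-Allow-Origin set to * or to the exact origin, and the resource names, sample data and two hypothetical servers are constructed for illustration:

```javascript
// Added example, not from the mailing-list thread: a model of an IE8
// XDomainRequest (XDR) call. The browser strips cookies and auth headers and
// adds an Origin header; the server signals "public" with
// Access-Control-Allow-Origin. Request/response shapes, resource names and
// the two servers below are assumptions made for illustration.

const RESOURCES = {
  // Constructed sample data: one resource the operator marked public, one
  // that is private but guarded only by network location.
  '/news.json':    { public: true,  body: '{"headline":"Beta-2 in August"}' },
  '/payroll.json': { public: false, body: '{"salary":123456}' },
};

// Constructed policy: 10.0.0.0/8 is "the corporate network".
function isIntranetAddress(ip) {
  return /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(ip);
}

// What the browser sends for an XDR call: method, path, Origin, and nothing
// that identifies the user. No Cookie or Authorization header is added.
function buildXdrRequest(origin, path, remoteAddress) {
  return { method: 'GET', path, headers: { Origin: origin }, remoteAddress };
}

// Server A: reads "no cookie" as "no session". Private resources need a
// session, public ones are served cross-origin with ACAO: *.
function serverA(req) {
  const res = RESOURCES[req.path];
  if (!res) return { status: 404, headers: {}, body: '' };
  const hasSession = 'Cookie' in req.headers;
  if (!res.public && !hasSession) return { status: 403, headers: {}, body: '' };
  const headers = res.public ? { 'Access-Control-Allow-Origin': '*' } : {};
  return { status: 200, headers, body: res.body };
}

// Server B: an intranet app that trusts the client's source address rather
// than a cookie, and (a common copy-paste) adds ACAO: * to every response.
// Cookie stripping buys nothing here: an employee's browser is on 10/8, so
// the "private" payroll data is released to whatever page made the call.
function serverB(req) {
  const res = RESOURCES[req.path];
  if (!res) return { status: 404, headers: {}, body: '' };
  if (!res.public && !isIntranetAddress(req.remoteAddress)) {
    return { status: 403, headers: {}, body: '' };
  }
  return { status: 200, headers: { 'Access-Control-Allow-Origin': '*' }, body: res.body };
}

// Simplified XDR client side (assumption: body is exposed to the calling page
// only for a 200 whose ACAO is * or exactly the requesting origin).
function xdrClientResult(origin, response) {
  if (response.status !== 200) return { ok: false, responseText: '' };
  const acao = response.headers['Access-Control-Allow-Origin'];
  if (acao !== '*' && acao !== origin) return { ok: false, responseText: '' };
  return { ok: true, responseText: response.body };
}

// Full round trip: page at `origin` asks `server` for `path` from `remoteAddress`.
function fetchViaXdr(server, origin, path, remoteAddress) {
  const req = buildXdrRequest(origin, path, remoteAddress);
  return xdrClientResult(origin, server(req));
}

// Demonstration: the same attacker page, two servers, two outcomes.
const attacker = 'http://attacker.invalid';
console.log(fetchViaXdr(serverA, attacker, '/payroll.json', '10.1.2.3'));   // ok: false
console.log(fetchViaXdr(serverB, attacker, '/payroll.json', '10.1.2.3'));   // ok: true, data leaked
```

The point of the two servers is the one kuza55 makes: dropping cookies removes one form of ambient authority, but any server that grants access on something the browser still carries implicitly (here the source address of an intranet user) will hand "private" data to a cross-origin page as soon as it marks the response public.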
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org