Re: [WEB SECURITY] countermeasure against attacks through HTML shared files
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] countermeasure against attacks through HTML shared files
- Date: Fri, 07 Nov 2008 10:49:55 -0600
fcorella@xxxxxxxxxx wrote on 11/6/2008 11:01 PM:
> I have not been able to find much prior work.
> What I've found is discussed in Section 2 of the
> paper. If I've missed something, please let me
> know.
Thank you for the paper! Some related thoughts:
(1) Google offers advice on how to serve untrusted files for downloading:
http://code.google.com/p/doctype/wiki/ArticleUntrustedDownloads
Granted, it doesn't seem to be working for them:
http://www.securityfocus.com/archive/1/496734/30/0/threaded
(2) IE8 offers a new header to prevent this type of attack by forcing the user to download the file to disk, thus preventing the file from running in the context of your site:
X-Download-Options: noopen
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
(3) Internet Explorer (and other browsers to some extent) do content-sniffing, so a file doesn't have to be explicitly HTML in order for Internet Explorer to display the file as HTML (for example, the file can be a GIF, but still be shown as HTML by IE).
More info:
http://xs-sniper.com/blog/2008/04/14/google-xss/
http://www.gnucitizen.org/blog/backdooring-images/
http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf
IE8 now offers a header to turn this behavior off (doesn't help for IE6 or IE7):
X-Content-Type-Options: nosniff
http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
(4) GIFAR - Looks like a GIF, but runs as a Java Applet:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111298
http://radar.oreilly.com/2008/06/partial-same-origin-bypass-wit.html
- Bil
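As an added illustration of the defenses listed in this message (example code, not from the thread or any project it mentions), here is a Python helper that builds the response headers for serving an untrusted shared file and a companion check that reports which of the listed protections a response lacks. The header names and values are the ones quoted above; the 256-byte sniff window, the HTML-marker heuristic and the small image allow-list are assumptions.

```python
import re
from urllib.parse import quote

# Headers discussed in the message: force a download (IE8) and disable
# content sniffing (IE8). Older IE versions ignore both, so an untrusted
# file should also never be served with a renderable type it doesn't need.
DOWNLOAD_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Download-Options": "noopen",
}

# Assumption: browsers sniff only the leading bytes; 256 is a conservative window.
SNIFF_WINDOW = 256
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype|html|script|body|head|iframe|object|img|a|meta)\b", re.IGNORECASE)

def looks_like_html(body: bytes) -> bool:
    """Heuristic: could the leading bytes be sniffed as HTML by a browser?"""
    return HTML_MARKERS.search(body[:SNIFF_WINDOW]) is not None

def download_headers(filename: str, declared_type: str, body: bytes) -> dict:
    """Build response headers for an untrusted shared file.

    The declared MIME type is honoured only for a small allow-list of image
    types whose leading bytes do not resemble HTML; anything else is served
    as an opaque attachment so it cannot run in the site's origin even on
    browsers that ignore nosniff/noopen.
    """
    safe_name = quote(filename.replace('"', ""), safe="")  # no quotes, CR/LF or spaces
    headers = dict(DOWNLOAD_HEADERS)
    headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    if declared_type in ("image/gif", "image/png", "image/jpeg") and not looks_like_html(body):
        headers["Content-Type"] = declared_type
    else:
        headers["Content-Type"] = "application/octet-stream"
    return headers

def missing_protections(headers: dict) -> list:
    """Audit a response: list which defenses from the thread are absent."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    missing = []
    if h.get("x-content-type-options") != "nosniff":
        missing.append("X-Content-Type-Options: nosniff")
    if h.get("x-download-options") != "noopen":
        missing.append("X-Download-Options: noopen")
    if not h.get("content-disposition", "").startswith("attachment"):
        missing.append("Content-Disposition: attachment")
    return missing
```

`missing_protections` can be run over the headers of an existing download endpoint to confirm all three are present before relying on them.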
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org