-
Microsoft outlines extensive IE8 security improvements
Microsoft has posted a very extensive article outling the security improvements to IE8. Improvements have been made to the following area's. – Cross-Site-Scripting Defenses – Safer Mashups (HTML and JSON Sanitization) – MIME-Handling Changes (Restrict Upsniff and Sniffing Opt-Out) – Add-on Security – Protected Mode – Application Protocol Prompt – File Upload Control – Social…
-
Securityfocus interview with Mozilla security team
"Mozilla released its latest browser, Firefox 3.0, this week. SecurityFocus contributor Federico Biancuzzi tracked down two key members of Mozilla's security team, Window Snyder and Johnathan Nightingale, to learn more about the security features included in this major release. They discussed the protection against phishing and the new malware protection, the new update mechanism for…
-
Firefox3 Released
Firefox3 has been released. This release improves memory management, speed, and has introduced a number of new security features. Download Link: http://www.firefox.com
-
Tools: The Browserrecon Project
"Most of todays tools for fingerprinting are focusing on server-side services. Well-known and widely-accepted implementations of such utilities are available for http web services, smtp mail server, ftp servers and even telnet daemons. Of course, many attack scenarios are focusing on server-side attacks. Client-based attacks, especially targeting web clients, are becoming more and more popular.…
-
Browser makers focus on reducing malware and phishing
"Microsoft unveiled two security features that will debut in the next version of its browser, Internet Explorer 8: the Safety Filter, which warns users of potentially malicious Web activity, and domain highlighting, which uses bold text to highlight the real domain of any Web site. The software giant stressed that the features were part of…
-
Mozilla Dismisses New Firefox Flaw Warning
"Mozilla chief evangelist Mike Shaver says the latest Firefox information leakage bug warning is exaggerated. Published reports of an information leakage vulnerability affecting fully patched versions of the open-source Firefox browser have been greatly exaggerated, according to Mozilla chief evangelist Mike Shaver. Shaver's sharp retort follows the release of an advisory by hacker Ronald van…
-
Netscape Assinated by AOL
It is with great sadness that I post news stating that Netscape will receive no more updates after February 1, 2008. I've been a long netscape user (since 1995). "AOL has a long history on the internet, being one of the first companies to really get people online. Throughout its lifetime, it has been involved…
-
WASC Script Mapping Project released
Romain Gaucher writes "The Web Application Security Consortium is pleased to announce the first results of the Script Mapping project! At this stage in the project we were able to cover most of the test cases for Internet Explorer 7, Firefox 2 and Safari 3. The results can be found on the project page: http://www.webappsec.org/projects/scriptmapping/…
-
Mozilla beefs up security with Firefox 3
"The Mozilla Foundation released on Monday a beta version of the group's latest open-source Firefox browser, rewriting parts of the code and enhancing security. Firefox 3 Beta 1 adds anti-malware features to the browser, using a similar mechanism as the anti-phishing feature in Firefox 2, harnessing a Google-generated blacklist of sites that are hosting malicious…
-
Browser Security: I Want A Website Active Content Policy File Standard!
UPDATE Before reading on any further I want to prefix that the purpose of this post is to begin a discussion on the ways a website can communicate to a browser to instruct it of what its behavior should be on that site. The example below is a "sample implementation" and isn’t meant to be…
-
How to Turn Your Browser Into a Weapon
"I wrote about three of my favorite Firefox extensions that help me stay safe when I'm browsing the darker areas of the Web and incoming email. Today, let's look at three other extensions: Those that can turn Firefox into a feature-filled, Web-hacking weapon. These extensions aren't required to use Firefox for hacking Web applications, but…
-
Presentation: Future of Firefox and JavaScript
An interesting presentation was posted on the future of firefox, javascript, and the web worth checking out (click through the slides). "I just finished giving a presentation at the Future of Web Apps conference, here in London. Thanks to everyone who attended – I hope I didn’t sound too sleep deprived! In this talk I…
-
Raising the bar: dynamic JavaScript obfuscation
"Couple of days ago one of our readers, Daniel Kluge, pointed us to a web page with some heavily obfuscated JavaScript code. The operation was typical and consisted of a compromised site that had an obfuscated iframe which pointed to the final web site serving various exploits. The obfuscation of the iframe was relatively simple…
-
Mozilla Releases JavaScript Fuzzer at Blackhat
"Mozilla has been using an open-source application security testing tool, known as a fuzzer, for JavaScript to detect and fix dozens of security bugs in Firefox, Mozilla director of ecosystem development Window Snyder said Thursday at the Black Hat USA 2007 conference in Las Vegas. The JavaScript fuzzer found 280 bugs in Firefox, 27 of…
-
Mozilla Protocol Abuse
Larholm writes "First they came for Safari, but no one complained because it was beta. Then they came for Internet Explorer, but no one cared because that was to be expected. Finally they came for Mozilla, but there was no one left to speak out." Article Link: http://larholm.com/2007/07/25/mozilla-protocol-abuse/
-
Mozilla confirms own URL handling bug
"The Mozilla Foundation acknowledged over the weekend that its own Firefox browser allows links that can send malicious code to external programs, a security issue that the group had previously argued should be fixed by the browser maker. In early July, three researchers found a way to execute code in Firefox – and potentially other…
-
Securing Firefox: How to avoid hacker attacks on Mozilla’s browser
"Security problems with Microsoft's dominant Internet Explorer browser helped pave the way for Mozilla Firefox to emerge as an alternative for Web surfers. However, Firefox users should be aware that hackers can exploit software flaws and design features to launch attacks. The following configuration changes, recommended by CERT/CC, can disable various features and set up…
-
New Security Features in Internet Explorer 7
"Markellos Diorinos from the IE team at Microsoft introduces the new security features in IE 7 and speaks about extended validation SSL certificates. He also covers the Certification Authority Browser Forum whose members apart from Microsoft include also the Mozilla Foundation, Opera Software and KDE." Article Link: http://www.net-security.org/article.php?id=1003
-
Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF
"The last few years have seen a constant rise in vulnerabilities like cross-site scripting (XSS), HTTP response splitting, and cross-site request forgery (XSRF or CSRF). While the vectors and exploit of each of these vulnerability classes vary, they all have one common thread. Each of these vulnerabilities exploits trust shared between a user and a…
-
Hacking Web 2.0 Applications with Firefox
"AJAX and interactive web services form the backbone of “web 2.0” applications. This technological transformation brings about new challenges for security professionals. This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning objectives of this…
-
IE7 Is out, and vulnerable
IE7 has finally been released but according to Secunia a vulnerability has already been published. They also provide a test that can be performed to see if you're vulnerable. Article Link: http://www.theregister.co.uk/2006/10/19/ie7_release/ Advisory Link: http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/ Download IE7: http://www.microsoft.com/windows/ie/default.mspx
-
Firefox Zero-Day Code Execution Hoax?
"A public claim by hackers that Mozilla's Firefox browser is vulnerable to multiple code execution vulnerabilities may be an overblown hoax. On the heels of a ToorCon presentation where two security researchers—Mischa Spiegelmock and Andrew Wbeelsoi—warned that Firefox's implementation of JavaScript was badly flawed and could allow PC takeover attacks, Mozilla's engineers say the risk…
-
IE 7 plus Vista security measures stop latest IE 0day
A great article at ZDNet explaining how Vista + IE7 stopped the latest IE 0day from exploiting the machine. "The initial security warnings are hardly perfect. I've seen similar ActiveX opt-in dialog boxes for other built-in ActiveX components. How is an unsuspecting user supposed to know which one is safe and which is dangerous? And…
-
Browser Fun Security Blog
"This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a…
-
Microsoft Releases 8 Patches on Security Patch Tuesday
"Of the eight most serious fixes, two affect Internet Explorer, one for JScript within Internet Explorer, one in Windows Media Player, two in Windows, one in Word, and another in PowerPoint. The patch for Word fixes a highly-publicized zero-day exploit that has already been used in several cyber attacks. The vulnerability can be exploited after…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack