Feeds
13620 items (0 unread) in 75 feeds
-
Watchfire Application Security Insider
-
BlogSecurity
-
sirdarckcat
-
Google Online Security Blog
-
CGISecurity.com: Your Web Site and Application Security Resource
-
Switch/Twitch
-
mybeNi websecurity
-
cat slave diary
-
SecuriTeam Blogs
-
Curiouser and Curiouser
-
Alex's Corner
-
Billy (BK) Rios
-
Chris Shiflett
-
christian's weblog
-
funkatron.com
-
GNUCITIZEN
-
The Spanner
-
hackademix.net
-
Ruby on Rails Security Project
-
It's a shampoo world anyway
-
Web Security Blog
-
ha.ckers.org web application security lab
-
Yet Another Infosec Blog
-
PHP Security Blog
-
Security Thoughts
-
Sunnet Beskerming Security Advisories
-
Disenchant's Blog
-
Sylvan von Stuppe
-
Larholm.com
-
The Turkey Curse
-
Jeremiah Grossman
-
Anurag Agarwal - Application Security Evangelist
-
Ivan Ristic
-
deep inside | security & tools
-
omg.wtf.bbq.
-
BlueHat Security Briefings
-
Tactical Web Application Security
-
.:Computer Defense:.
-
tssci security
-
Plynt Penetration Testing Blog
-
Michael Howard's Web Log
-
Security Retentive
-
BindShell.Net
-
Dominic White's .tHE pRODUCT
-
SecurityFocus News
-
Justice League
-
Schneier on Security
-
Rational Survivability
-
terminal23
-
1 Raindrop
-
hiredhacker.com
-
Matasano Chargen
-
-
Michael on Security - Musings on Information Security
-
Fortify blog
-
The Art of Software Security Assessment
-
GDS Security Blog
-
Vodun.org
-
Robert Penz Blog
-
Mark Curphey - SecurityBuddha.com
-
Liminal states
-
Security Ripcord
-
ModSecurity Blog
-
IBM Internet Security Systems Frequency X Blog
-
Suspekt...
-
extern blog SensePost;
-
Zero in a bit
39 items tagged "Browsers"
CGISecurity.com: Your Web Site and Application Security Resource
-
Summary of Google+ browser security protections
Posted: July 27th, 2011, 12:03pm CDT by Robert A.
Tags: Browsers [edit]
Ray "Vanhalen" Kelly has written a post describing the security mechanisms used by Google+, as well as compares them to facebook. In particular he reviews each HTTP protection header and provides a good explanation of the purpose of each protection. Link: http://www.barracudalabs.com/wordpress/index.php/2011/07/21/google-gets-a-1-for-browser-security-3/ -
Results of internet SSL usage published by SSL Labs
Posted: May 25th, 2011, 11:53am CDT by Robert A.
Tags: Browsers [edit]
Ivan Ristic (of modsecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse ssl in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security.... -
Another use of Clickjacking, Cookiejacking!
Posted: May 25th, 2011, 11:37am CDT by Robert A.
Tags: Browsers [edit]
Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx -
Easy Method For Detecting Caching Proxies
Posted: February 8th, 2011, 2:56pm CST by Robert A.
Tags: Browsers [edit]
While thinking about some of the transparent proxy problems I came up with a fairly reliable way to detect caching proxies. Caching proxies can be either explicit or transparent, but are typically used in a transparent mode by an ISP to cut down on upstream bandwidth. A side effect (and benefit :)... -
Interesting IE leak via window.onerror
Posted: November 12th, 2010, 11:54am CST by Robert A.
Tags: Browsers [edit]
Chris Evans has posted an interesting bug in IE involving using JavaScript's window.onerror to leak cross domain data. From his blog "The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror... -
Random FireFox URL handling Behavior
Posted: March 11th, 2010, 3:29pm CST by Robert A.
Tags: Browsers [edit]
About a year ago I discovered this by accident and hadn't seen it published anywhere so thought it was worth mentioning. If you enter the following into the firefox URL bar it will follow them to www.cnn.com. [http://www.cnn.com] [http://]www.cnn.com [http://www].cnn.com Etc... You can also substitute [] for {} or " and it... -
Firefox 3.6 locks out rogue add-ons
Posted: November 18th, 2009, 11:16am CST by Robert A.
Tags: Browsers [edit]
From computerworld "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. The new feature, which Mozilla dubbed "component directory lockdown," will bar access to Firefox's "components" directory, where most of the browser's own code is stored. The company... -
Strict Transport Security (STS) draft specification is public
Posted: September 23rd, 2009, 1:10pm CDT by Robert A.
Tags: Browsers [edit]
Fellow coworker Jeff Hodges has announced the formal specification draft for Strict Transport Security. STS is a new proposed protocol for allowing a website to instruct returning visitors to never visit the site on http, and to only visit the site over https and is entirely opt in. This can prevent MITM... -
Chrome adds defence for cross-site scripting attacks, already busted
Posted: September 15th, 2009, 12:06pm CDT by Robert A.
Tags: Browsers [edit]
"The 4.0.207.0 release uses a reflective XSS filter that checks each script before it executes to check if the script appears in the request that generated the page. Should it find a match, the script will be blocked. According to Chromium developer Adam Barth, the developers plan to post an academic paper... -
Firefox 3.5 0Day published
Posted: July 14th, 2009, 1:07pm CDT by Robert A.
Tags: Browsers [edit]
"The exploit portal Milw0rm has published an exploit for Firefox 3.5. The exploit demonstrates a security vulnerability by starting the Windows calculator. In testing by heise Security, the exploit crashed Firefox under Vista, but security service providers Secunia and VUPEN confirmed that attackers using prepared websites can infect PCs. The cause... -
Google Chrome Fixes Buffer Overflow Vulnerability
Posted: June 23rd, 2009, 12:27pm CDT by Robert A.
Tags: Browsers [edit]
"Google Chrome 2.0.172.33 has been released to the Stable and Beta channels. This release fixes a critical security issue and two other networking bugs. CVE-2009-2121: Buffer overflow processing HTTP responsesGoogle Chrome is vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially crafted response from a server... -
Browser Security: Lessons from Google Chrome
Posted: June 22nd, 2009, 11:07am CDT by Robert A.
Tags: Browsers [edit]
An article on security in Google's Chrome browser has been published. "The Web has become one of the primary ways people interact with their computers, connecting people with a diverse landscape of content, services, and applications. Users can find new and interesting content on the Web easily, but this presents a... -
Compromising web content served over SSL via malicious proxies
Posted: May 22nd, 2009, 12:43pm CDT by Robert A.
Tags: Browsers [edit]
Microsoft research has published an excellent paper describing many browser flaws. The use case primary involves an attacker hijacking the explicitly configured proxy used by the user and via HTTP code trickery they can access the content on an HTTPS established connection. It also outlines browser flaws involving caching of SSL... -
Apple releases OS X 10.5.7 security updates
Posted: May 13th, 2009, 9:44am CDT by Robert A.
Tags: Browsers [edit]
"Apple released an update to its Leopard operating system yesterday that comes loaded with a host of security and bug fixes as well as added hardware support. The Cupertino-based firm said OS X 10.5.7 patches several security loopholes related to PHP, CoreGraphics, Apache Web server and the company’s browser Safari. Three... -
Google Chrome Universal XSS Vulnerability
Posted: April 27th, 2009, 11:28am CDT by Robert A.
Tags: Browsers [edit]
"During unrelated research, I came across a number of security issues that reside in various parts of Google's web browser - Google Chrome. These issues pose a major threat to any user that browses a maliciously crafted page using Internet Explorer and has Google Chrome installed alongside. Using a vulnerability in... -
Opera JavaScript for hackers
Posted: April 22nd, 2009, 5:42pm CDT by Romain Gaucher
Tags: Browsers [edit]
Gareth Heyes wrote a nice blog entry on JavaScript hacks: "I love to use JavaScript in unexpected ways, to create code that looks like it shouldn't work but does, or produces some unexpected behavior. This may sound trivial, but the results I've found lead to some very useful techniques. Each of... -
Browsers hacked in seconds in Pwn2Own contest
Posted: March 19th, 2009, 12:40pm CDT by Robert A.
Tags: Browsers [edit]
"Security researcher Charlie Miller held onto a vulnerability for an entire year, before using it on Wednesday to win $5,000 and an Apple laptop at the Pwn2Own contest here at the CanSecWest conference. Miller — a principal analyst at Independent Security Evaluators — found two flaws in Apple's Safari Web browser... -
Firefox 3.0.7 fixes multiple security flaws
Posted: March 4th, 2009, 9:54pm CST by Robert A.
Tags: Browsers [edit]
"Mozilla Corp. today patched eight security vulnerabilities in Firefox, half of them critical memory corruption flaws in the browser's layout and JavaScript engines. Firefox 3.0.7, the second security update this year to the open-source browser, fixes about the same number of bugs that Mozilla patched a month ago. Of the eight... -
Opera 9.64 Security Updates and Enhancements
Posted: March 3rd, 2009, 4:20pm CST by Robert A.
Tags: Browsers [edit]
From Opera's changelog Fixed an issue where specially crafted JPEG images ccould be used to execute arbitrary code, as reported by Tavis Ormandy of the Google Security Team; see our advisory Fixed an issue where plug-ins could be used to allow cross domain scripting, as reported by Adam Barth; details will... -
Seven Must-Have Firefox Security Add-Ons
Posted: February 26th, 2009, 2:24pm CST by Robert A.
Tags: Browsers [edit]
"Ensuring that the browser is up to date can help minimize security risks, but perhaps the most interesting feature of Firefox from a security perspective is the possibility of enhancing the browser's security with the addition of browser extensions or add-ons. Of course any add-ons risks adding new vulnerabilities, but if... -
The Multi-Principal OS Construction of the Gazelle Web Browser
Posted: February 23rd, 2009, 1:13am CST by Robert A.
Tags: Browsers [edit]
I was reading slashdot and saw that Microsoft has released a paper outlining a new secure browser architecture. From the abstract"Web browsers originated as applications that people used to view static web sites sequentially. Asweb sites evolved into dynamic web applications composing content from various web sites, browsershave become multi-principal operating... -
Microsoft Fixes Clickjacking in IE8
Posted: January 27th, 2009, 8:13pm CST by Robert A.
Tags: Browsers [edit]
"Microsoft has introduced a release client version of its latest browser, Internet Explorer 8 (IE8), and the new iteration of the application includes several security improvements, including a noteworthy attempt to address the emerging problem of clickjacking attacks. For those who don't recall, clickjacking is a relatively new technique -- first... -
Microsoft Fixes Clickjacking in IE8?
Posted: January 27th, 2009, 8:13pm CST by Robert A.
Tags: Browsers [edit]
"Microsoft has introduced a release client version of its latest browser, Internet Explorer 8 (IE8), and the new iteration of the application includes several security improvements, including a noteworthy attempt to address the emerging problem of clickjacking attacks. For those who don't recall, clickjacking is a relatively new technique -- first... -
Safari RSS Reader Vulnerability
Posted: January 14th, 2009, 12:02pm CST by Robert
Tags: Browsers [edit]
In 2006 I gave a talk at blackhat on the risks of RSS vulnerabilities. It appears Safari has a flaw in its RSS reader as outlined by Brian Mastenbrook."The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I... -
Safari RSS Reader Vulnerability
Posted: January 14th, 2009, 12:02pm CST by Robert A.
Tags: Browsers [edit]
In 2006 I gave a talk at blackhat on the risks of RSS vulnerabilities. It appears Safari has a flaw in its RSS reader as outlined by Brian Mastenbrook."The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I... -
HTTPS-only mode added to Chrome Browser
Posted: January 12th, 2009, 5:47pm CST by Robert
Tags: Browsers [edit]
Google has added a HTTPS browsing feature to chrome.From the changelog"A new HTTPS-only browsing mode. Add --force-https to your Google Chrome shortcut, and it will only load HTTPS sites. Sites with SSL certificate errors will not load. " Release Notes 2.0.156.1 http://dev.chromium.org/getting-involved/dev-channel/release-notes/releasenotes201561Very cool. -
HTTPS-only mode added to Chrome Browser
Posted: January 12th, 2009, 5:47pm CST by Robert A.
Tags: Browsers [edit]
Google has added a HTTPS browsing feature to chrome.From the changelog"A new HTTPS-only browsing mode. Add --force-https to your Google Chrome shortcut, and it will only load HTTPS sites. Sites with SSL certificate errors will not load. " Release Notes 2.0.156.1 http://dev.chromium.org/getting-involved/dev-channel/release-notes/releasenotes201561Very cool. -
Thunderbird 2.0.0.19 Released With Security Fixes
Posted: December 31st, 2008, 12:17pm CST by Robert
Tags: Browsers [edit]
MFSA 2008-60 - Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) MFSA 2008-61 Information stealing via loadBindingDocument MFSA 2008-64 XMLHttpRequest 302 response disclosure MFSA 2008-65 Cross-domain data theft via script redirect error message| MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters MFSA 2008-67 Escaped null characters ignored by CSS... -
Thousands of legitimate sites SQL injected to serve IE exploit
Posted: December 18th, 2008, 11:29am CST by Robert
Tags: Browsers [edit]
"Once again confirming the trend of having more legitimate sites serving exploits and malware than purely malicious ones, Chinese hackers have been keeping themselves busy during the last couple of days, launching massive SQL injection attacks affecting over 100,000 web sites. The SQL injection attacks serving the just patched Internet Explorer... -
Microsoft issues emergency patch for IE
Posted: December 17th, 2008, 1:11pm CST by Robert
Tags: Browsers [edit]
"Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild. Redmond issued advanced notice for tomorrow's fix, describing the out-of-cycle patch as protection from "remote code execution." Unscheduled updates are pretty rare for Microsoft, stressing the potentially... -
FireFox 3.0.5 fixes three critical security flaws
Posted: December 17th, 2008, 12:30pm CST by Robert
Tags: Browsers [edit]
"Mozilla has rushed out updates to plug a few critical holes in versions 2 and 3 of its popular open source Firefox browser. Firefox 3.0.5 fixes three critical security flaws in the browser, while 2.0.0.19 stitches four critical vulns. Mozilla said that XSS vulnerabilities in SessionStore, XSS and so-called JavaScript “privilege... -
Opera releases update for 'extremely severe' vulns
Posted: December 16th, 2008, 1:39pm CST by Robert
Tags: Browsers [edit]
"Opera pushed out an update to its popular web browser on Tuesday that fixes vulnerabilities it described as "extremely severe". The update fixes seven security bugs, some of which were previously known. Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text inputing,... -
Google Chrome Receives Lowest Password Security Score
Posted: December 15th, 2008, 12:45pm CST by Robert
Tags: Browsers [edit]
"Google's new web browser may be fast and slim, but the password management features it offers are full of bugs. Chapin Information Services (CIS) reported critical vulnerabilities in this software during its beta period, all of which were unfixed at release time. Among the problems are three in particular that, when... -
Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities
Posted: December 11th, 2008, 12:17pm CST by Robert
Tags: Browsers [edit]
Rafel Ivgi has published an extensive list of IE8 XSS filter evasions. "Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting(XSS) filter. This version also includes a new object that... -
Google publishes Browser Security Handbook
Posted: December 10th, 2008, 6:15pm CST by Robert
Tags: Browsers [edit]
Michal Zalewski from google has published an an extremely in depth guide describing the various behavioral differences between the major browsers. "I am happy to announce the availability of our "Browser Security Handbook" - a comprehensive, 60-page document meant to provide web application developers and information security researchers with a one-stop... -
Inside Safari 3.2’s anti-phishing features
Posted: November 25th, 2008, 12:43pm CST by Robert
Tags: Browsers [edit]
An article over at macworld discusses the anti phishing features in the new safari."The release of Safari 3.2 on November 13 displayed Apple’s penchant for cryptic release notes, as the company describes all three versions as featuring “protection from fraudulent phishing Web sites.” Let's decode that for you: Safari 3.2 offers... -
Firefox 3.0.4 Released to address multiple security flaws
Posted: November 13th, 2008, 12:11pm CST by Robert
Tags: Browsers [edit]
A handful of security vulnerabilities have been fixed in the latest version of firefox. Fixed in Firefox 3.0.4 MFSA 2008-58 Parsing error in E4X default namespaceMFSA 2008-57 -moz-binding property bypasses security checks on codebase principalsMFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violationMFSA 2008-55 Crash and remote code execution in nsFrameManagerMFSA 2008-54 Buffer overflow in... -
Firefox 3.0.2 released to address multiple security flaws
Posted: September 24th, 2008, 11:04am CDT by Robert
Tags: Browsers [edit]
Firefox 3.0.2 has been released which addresses the following security flaws. MFSA 2008-44 resource: traversal vulnerabilitiesMFSA 2008-43 BOM characters stripped from JavaScript before execution MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution MFSA 2008-40 Forced mouse drag Read more at : http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.2 -
Mozilla security chief: Apple should open up
Posted: September 15th, 2008, 7:47pm CDT by Robert
Tags: Browsers [edit]
"Mozilla's security chief said Apple should disclose more information about the steps it takes to protect customers from malware and other computer-born threats. At a security conference on Monday, Window Snyder said open communication about recently reported vulnerabilities and ongoing processes for locking down products is a core responsibility of security...