Google released a free tool Tuesday that should help Web developers find and fix cross-site vulnerabilities.
The tool, RatProxy, is described by Google as "a semi-automated, largely passive Web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex Web 2.0 environments."
The tool is versatile, detecting and ranking a broad class of vulnerabilities. Included are script injections, cross-site trust attacks, content-serving vulnerabilities, cross-site request forgeries (XSRF), and cross-site scripting (XSS).
RatProxy runs on Linux, FreeBSD, Mac OS X, and Windows (Cygwin) environments.
Google RatProxy detects and prioritizes a variety of common cross-site vulnerabilities. (Credit: Google)
On Wednesday, Microsoft announced new security features within the upcoming release of Internet Explorer 8 Beta 2. The features are designed to combat the rising tide of drive-by downloads and malicious scripts contained within carefully crafted links embedded in e-mail and Web pages. Most of the new features require systems to be running Windows Vista SP1 or Windows XP SP3.
Perhaps the most anticipated addition is Internet Explorer's new antimalware protection. Opera 9.5 and Firefox 3 both recently added antimalware protection. Safari has so far not announced plans for similar protection. Using mostly its own antimalware technology, Microsoft will block emerging threats by masking the entire IE 8 browser screen with a warning to users. The addition of malware protection to the existing antiphishing protection will be re-branded as the Microsoft SmartScreen filter.
IE 8 Beta 2 will have a cross-site scripting (XSS) filter, preventing scripts carried within a link from executing in the browser.
Previously announced features include highlighting the domain name within the rest of the URL (so you can see at a glance that you are on eBay.com, not some other site), and support for Extended Validation SSL certificates.
Using Data Execution Prevention (DEP) within Windows XP SP3 and Windows Vista SP1, IE 8 will scan downloads and block any that it deems dangerous.
(Credit: Microsoft)
IE 8 Beta 1 has already introduced several changes in how ActiveX components are handled. Components will be installed per user, which eliminates the need for everyone to have administrator privileges. In addition, you must acknowledge or opt in for the component to run, eliminating drive-by downloads. Components will be per site and will only be available from the site of origin. Finally, site developers can request kill bits from Microsoft, which can be sent via Windows Update to disable risky or outdated components.
For developers, Microsoft is including improvements for better communication between the client browser and Web server. Cross Domain Requests (CDR) is a more secure way for the browser to pull data from other domains; and Cross Domain Messaging (XDM) is a more secure means for a browser to send a message across a domain. Microsoft says it is working with other browser vendors to standardize these.
The public Beta 2 for Internet Explorer is expected sometime in August 2008.
Security researcher Bill Rios reported Monday that a cross-site scripting (XSS) attack against Google Spreadsheet could have exposed all of Google's services. XSS can occur whenever a legitimate site accepts input from the user but does not filter that input properly and could allow the injection of potentially malicious instructions. In this case, however, once an attacker gained access to any xxxx.google.com site, they would have access to other Google services, such as Gmail, Docs, and Code.
In an e-mail to CNET News.com, a Google representative confirmed that the flaw as described by Rios has been fixed. "Google takes the security of our users' information very seriously," said a Google spokesperson. "We worked quickly to address the vulnerability and rolled out a fix before it was reported publicly. We have not received any reports of this vulnerability being exploited."
According to Rios, he was able to use Internet Explorer to change how the content type of the HTTP response returned by the server was interpreted while using Google Spreadsheets. At issue here is whether or not the browser will ignore the Content-Type header in certain circumstances. Rios points out that all browsers have the potential to do this under certain circumstances, so the problem isn't entirely with Google.
In his blog, Rios created a spreadsheet, placing an alert(document.cookie) script string surrounded by HTML tags in the first cell. When that content is saved and downloaded as a comma-separated value (CSV) file, the content type should be text/plain. However, since Rios added HTML to the string, Internet Explorer will see that first and render it as HTML instead.
Whenever a victim is lured to this CSV URL, an Alert dialog box will pop up on the attacker's desktop containing the victim's current Google session information. The session cookie would be valid on other Google services used by the victim such as Gmail, Docs, etc.
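As an added defender-side example (not code from Rios's write-up or from Google), here is a Python check for the condition described above: a response that is not declared as HTML yet begins with HTML markup and carries neither an X-Content-Type-Options: nosniff header nor an attachment disposition, together with the headers a user-content CSV export should send instead. The tag heuristic is a simplification of browser content sniffing, not any browser's actual algorithm, and the sample response is constructed.

```python
"""Check whether a text download is exposed to browser MIME sniffing.

Simplified model of the Google Spreadsheets CSV issue: a response labelled
text/plain whose body begins with HTML markup may be rendered as HTML by a
sniffing browser.  The leading-tag heuristic is an assumption for
illustration, not any browser's real sniffing algorithm.
"""
import re

# Leading markup that a sniffing browser is likely to treat as a page.
_HTML_LEAD = re.compile(
    r"^\s*<(!doctype|html|head|body|script|iframe|a\b|img|div|p\b|table)", re.I
)


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def is_sniff_exposed(headers, body):
    """True when only the Content-Type header stands between a sniffing
    browser and rendering user-controlled text as HTML."""
    ctype = _header(headers, "Content-Type").split(";")[0].strip().lower()
    nosniff = _header(headers, "X-Content-Type-Options").lower() == "nosniff"
    attachment = _header(headers, "Content-Disposition").lower().startswith("attachment")
    if ctype.startswith("text/html"):
        return False  # declared HTML renders as HTML by design; out of scope here
    if nosniff or attachment:
        return False  # browser is told not to sniff, or not to render inline
    # Sniffers look only at the first few hundred bytes; 512 is an assumption.
    return bool(_HTML_LEAD.match(body[:512]))


def hardened_csv_headers(filename):
    """Headers for a user-content CSV download that a sniffing browser will
    neither re-interpret as HTML nor render inline.  `filename` is assumed
    to be chosen by the server, never taken from user input."""
    return {
        "Content-Type": "text/csv; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % filename,
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed: first cell holds HTML wrapping a script, as in the write-up.
    body = "<html><body><script>alert(document.cookie)</script></body></html>,b\n"
    print(is_sniff_exposed({"Content-Type": "text/plain"}, body))      # True
    print(is_sniff_exposed(hardened_csv_headers("sheet.csv"), body))   # False
```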
Rios offers this XSS flaw as a cautionary tale, and recommends that security-minded readers check out a paper by Blake Frantz of Leviathan Security. In "Flirting with MIME types," Frantz found that, while other browsers were also indiscriminate about rendering file types as HTML, IE did so on 696 file types out of 735 tested. To give perspective, the next closest was Opera at 14, with Firefox at 8, and Safari at 7.