cure53 / browser-sec-whitepaper
Cure53 Browser Security White Paper
Home Page: https://cure53.de/#browser-security-whitepaper
From the whitepaper, page 187:
The extension settings page of Chrome is hosted on chrome://extensions
and the aforementioned APIs can be employed by the extension to enumerate all tabs.
This can occur every second and detect if the extension page is opened. Once detected,
it can immediately close the tab, therefore denying the user the option of disabling extensions
at their will.
This does not prevent the user from disabling the extension. "Background" extensions can be terminated from the taskbar, then disabled. All extensions can be disabled using the "browser action" icon (which exists even if there's no action defined). And finally, extensions can always be terminated using the Chrome task manager (Shift+Esc).
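The polling loop the quoted paragraph describes, as an added example that is neither the whitepaper's nor the issue author's code: a background-script "watchdog" that enumerates all tabs through `chrome.tabs.query`, closes any tab whose URL starts with `chrome://extensions`, and repeats every second. In a real extension this needs the `tabs` permission to see URLs; the `makeFakeChrome` stand-in for `chrome.tabs` and the three tabs in `demo()` are constructed here so the sweep can be run outside a browser. Note what the loop cannot touch: the Chrome task manager and the browser-action menu mentioned in the comment above are not tabs, so they never show up in `tabs.query`.

```javascript
// Added example (not from the whitepaper or the issue): the settings-page
// "watchdog" the quoted paragraph describes, plus a constructed stand-in for
// chrome.tabs so it can be exercised offline.

const SETTINGS_URL_PREFIX = "chrome://extensions";

// Pure helper: which of the given tabs currently show the extension settings page?
function findSettingsTabs(tabs) {
  return tabs.filter(
    (t) => typeof t.url === "string" && t.url.startsWith(SETTINGS_URL_PREFIX)
  );
}

// One sweep: enumerate every tab, close the settings tabs, return the ids closed.
// `chromeApi` is either the real `chrome` object or any object offering
// tabs.query(queryInfo) -> Promise<Tab[]> and tabs.remove(ids) -> Promise<void>.
async function sweepOnce(chromeApi) {
  const tabs = await chromeApi.tabs.query({});
  const victims = findSettingsTabs(tabs).map((t) => t.id);
  if (victims.length > 0) {
    await chromeApi.tabs.remove(victims);
  }
  return victims;
}

// Repeat the sweep every `intervalMs` ("every second" in the paper's wording).
// Returns a function that stops the loop.
function startWatchdog(chromeApi, intervalMs = 1000) {
  const handle = setInterval(() => {
    sweepOnce(chromeApi).catch(() => {});
  }, intervalMs);
  return () => clearInterval(handle);
}

// Constructed stand-in for chrome.tabs: holds a tab list in memory and
// implements only the two calls the sweep uses.
function makeFakeChrome(initialTabs) {
  let tabs = initialTabs.map((t) => ({ ...t }));
  return {
    tabs: {
      query: async () => tabs.map((t) => ({ ...t })),
      remove: async (ids) => {
        const gone = new Set(Array.isArray(ids) ? ids : [ids]);
        tabs = tabs.filter((t) => !gone.has(t.id));
      },
    },
    // Test hook (not part of the real API): URLs of the tabs still open.
    openUrls: () => tabs.map((t) => t.url),
  };
}

// Demonstration with three constructed tabs: one normal page, two settings tabs.
async function demo() {
  const fake = makeFakeChrome([
    { id: 1, url: "https://example.com/" },
    { id: 2, url: "chrome://extensions/" },
    { id: 3, url: "chrome://extensions/?id=abcdefghijklmnop" },
  ]);
  const closed = await sweepOnce(fake);
  return { closed, remaining: fake.openUrls() };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r)));
}
```

`startWatchdog(chrome)` is what an extension would call from its background script; `demo()` runs the same sweep once against the constructed tab list and shows that only the `chrome://extensions` tabs are closed.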
The WebExtensions "Content Scripts Context Isolation" testcase is marked as failed on Edge. We were not able to reproduce this result in our paper (https://www.researchgate.net/publication/324797493_Tietoturvan_toteutuminen_WebExtensions-rajapinnoissa, in Finnish). Has the issue been fixed in Edge, is there an error in one of the papers?
The summary table on page 297 contains the following:

Feature                                                         Chrome  Edge  MSIE
Web Extension Security Tests (Pass/Fail tests were conducted)   5/10    2/10  0

Nowhere does the paper exactly state what the numbers are intended to mean, but presumably they are the number of passed tests in each browser. However, if that's the case, the numbers should actually be 5/10 for Chrome and 8/10 for Edge.
The described way for changing the Content Type ("Content Type Forcing", page 73) is not working in IE?
I get "Do you want to open or save 'response'".
From the whitepaper, page 186:
It is not possible to open any file,
as Chrome immediately triggers a download for the file instead of showing its contents,
therefore prohibiting an extension access.
This is incorrect. Downloads are only triggered for file types that cannot be displayed in the browser. For other types, e.g. plain text or HTML, accessing content is completely possible.
Hey,
this reference 85 (https://crbug.com/538562) from page 62 is not public, are you aware of that?
From the whitepaper, page 186:
Context Isolation in Developer Extension
A developer extension has access to a website's DOM and can execute JavaScript in its
context. Google Chrome's documentation clarifies that this feature does not use isolated
worlds, so the extension must be really careful when it comes to evaluating the returned
content.
This is the full description of the test case. The result from the test is marked as passed for both Chrome and Edge.
So, essentially, the test case is testing for a feature that does not exist in any browser, then ignoring the fact that it doesn't exist and that on Chrome it causes a significant risk.
This test case makes zero sense.
From the whitepaper, page 182:
However, the test uncovered that the applied restriction can be bypassed and lead to
external web resources being loaded. The HTML file provided via the sandbox key can
use meta redirects for this purpose:

<head>
  <meta http-equiv="refresh" content="0; url=http://example.com/redirect.html" />
</head>
The purpose of the feature (of not allowing external content in the sandbox) is to prevent untrusted content from being loaded into the extension process. The redirection causes the file to be loaded in a new process, which is correct behavior. This can be easily verified using the task manager. There is no risk here.
Hi,
Congrats on your whitepaper! Reading it with interest.
However, would you be so kind and replace "This was demonstrated by Olejnik et al." with "Olejnik and Janc", since it's two authors only (e.g. as per Chicago style or different references on references)? Thanks!
The section entitled Same Site Cookies (p.130) conflates the concepts of origin and site:
The browser will only send SameSite cookies in the scope of a given origin A if the document that formulated the request is also in the scope of the origin A. If a document in the scope of origin B or C formulates a request to the origin A, the browser will not send SameSite cookies as part of the request.
See this blogpost for more details.
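To make the origin/site distinction from the comment above concrete, here is an added example (not from the whitepaper or the issue author): it computes both the origin and the "site" (scheme plus registrable domain, eTLD+1) of a URL and applies the SameSite rule to the site, which is the unit the attribute actually uses. Two different origins such as `https://a.example.com` and `https://example.com` are the same site, so a `SameSite=Strict` cookie is still sent between them; the paper's "scope of a given origin" wording would predict otherwise. The `PUBLIC_SUFFIXES` table is a constructed three-entry stand-in for the real Public Suffix List, and the `Lax` handling is reduced to a single `topLevelGet` flag for the navigation-type condition.

```javascript
// Added example (not from the whitepaper or the issue): origin vs. site, and
// which one the SameSite cookie attribute is scoped to.

// Constructed subset of the Public Suffix List, enough for the cases below.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

// Origin = scheme + host + port (RFC 6454). Two hosts that differ in any label
// are different origins.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Registrable domain (eTLD+1): the longest known public suffix plus one label.
// A host that is itself a public suffix, or has no known suffix, is returned
// unchanged (simplification of the real algorithm).
function registrableDomain(host) {
  const labels = host.split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host;
}

// "Schemeful" site: scheme + registrable domain. Ports and subdomains do not
// matter; http vs. https does.
function siteOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

function isSameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// Would a cookie with the given SameSite value be attached to a request that a
// document at `initiator` makes to `target`? Lax also allows cross-site
// top-level GET navigations, modelled here by the `topLevelGet` flag.
function cookieSent(sameSite, initiator, target, { topLevelGet = false } = {}) {
  const same = isSameSite(initiator, target);
  switch (sameSite) {
    case "Strict":
      return same;
    case "Lax":
      return same || topLevelGet;
    case "None":
      return true;
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Illustration with constructed URLs: different origin, same site.
function demo() {
  const a = "https://a.example.com/page";
  const b = "https://example.com/api";
  return {
    sameOrigin: isSameOrigin(a, b),
    sameSite: isSameSite(a, b),
    strictCookieSent: cookieSent("Strict", a, b),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

`demo()` returns `sameOrigin: false, sameSite: true, strictCookieSent: true` for the two constructed URLs, which is exactly the case the paper's origin-based wording gets wrong. Swapping the scheme (`http://example.com` vs. `https://example.com`) or using a host under a shared public suffix such as `github.io` flips the result to cross-site, and a different port does not.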
Hi all,
Again, great work, thanks! Too bad there's no Firefox, though :-)
Anyway, while going through the paper I noticed the link in reference #23, page 30, is broken.
I believe a similar issue was reported earlier so the fix should be straightforward.
Maybe it would make sense to have a quick go (preferably scripted?) through all links and see if they work? Just saying.
Regards!
Great read so far, thanks for all the work you put into this!
I noticed that some of the references are broken, because they contain "..." instead of the actual missing part of the URL. As I understand it, for presentational purposes part of long URLs in the footnotes is automatically replaced by "..." - it seems like in some cases the URL the reader is redirected to when clicking on the link contains those "..." as well, which breaks the URL.
Some broken links so you can pinpoint the issue (there's more):
30 https://www.blackhat.com/docs/asia-17/materia...-Using-Data-Only-Exploitation-Technique.pdf
380 http://windowsitpro.com/windows-81/managing-account-cred...eb-credential-manager
388 https://www.wired.com/2016/08/hackers-trick-facial-recognition-logins-p...ok-thanks-zuck/
In this comment a similar issue was fixed.
All,
Congratulations on the report!
Following up on an out-of-band conversation with Mario: Reference 326 regarding Hostile Pinning is ultimately a pointer--several degrees of separation away--to a conference talk delivered by myself and @buu700 (Ryan Lester), so we're seeking an amendment of Reference 326 to cite the original talk directly ("Bryant Zadegan, Ryan Lester, Abusing Bleeding Edge Web Standards for AppSec Glory, DEF CON 24, 2016-08-06").
Cheers,
-Bryant
The whitepaper does not include enough information to accurately reproduce the WebExtensions test cases. Please describe the test executions in more detail and include code where possible.
See also issue #11.