browsersec's Issues

HTML UNUSED DOCSET

Do you have any study of how browsers behave if they receive raw or entities 
within unused sets?

    * 0 to 31, except 9, 10, and 13 (C0 control characters)
    * 127 (DEL character)
    * 128 to 159 (C1 control characters)
    * 55296 to 57343 (xD800-xDFFF, the UTF-16 surrogate halves)


Original issue reported on code.google.com by [email protected] on 24 Sep 2010 at 6:55

OS Info in BrowserScope

It would be useful to include device / operating system information to 
Browserscope. Currently Android Chrome and Desktop chrome both record results 
in the same place (Chrome 26). But the results can be different enough that it 
is worth knowing.

Original issue reported on code.google.com by [email protected] on 17 Apr 2013 at 10:24

Should mention IE has other ways to do opacity

In the section about clickjacking 
(Part2#Arbitrary_page_mashups_%28UI_redressing%29), Internet Explorer has 
NO under "Is CSS opacity supported ('decoy underneath')?". However, IE 
supports other ways to do opacity (such as using CSS filter: property) 
that could also work on an iframe, and have the same effect for security.

Original issue reported on code.google.com by [email protected] on 2 Jan 2009 at 7:27

Should mention new works on HTTP strong authentication mechanisms

Part3. HTTP authentication

[CURRENT]
Because of these limitations and the relative inflexibility of this scheme
to begin with, HTTP authentication has been almost completely extinct on
the Internet, and replaced with custom solutions built around HTTP cookies
(it is still sometimes used for intranet applications or for simple access
control for personal resources).
[END CURRENT]

[PROPOSAL]
A)New work on HTTP strong authentication mechanisms in form of DRAFT
http://tools.ietf.org/html/draft-hartman-webauth-phishing-09
http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-02.txt

B)NTLM and basic auth are still used too for proxy access, and many web
APIs use this mechanism (not widely used for interactive human usage)

C)Many sites moved away from HTTP authentication mostly because there
wasn't good UI in the browser (not because technical aspects of digest
and basic)

D)There is a need for a robust framework where new schemes can be plugged
more easily and making the HTTP authentication more visually and attractive
in the browser world

E)Some humour with HTTP authentication implementations
http://bitworking.org/news/Problems_with_HTTP_Authentication_Interop 

Original issue reported on code.google.com by [email protected] on 3 Jan 2009 at 12:56

<object> element not considered

Many of the security considerations for the <embed>, <iframe>, <img>, 
<applet> and <script> elements are also relevant to the <object> element, 
which is not discussed in this document.

Original issue reported on code.google.com by [email protected] on 17 Jul 2009 at 5:57

Google Code closing

Google Code service is closing. Do you have plans to move this project to 
GitHub or similar hosting service?

Original issue reported on code.google.com by [email protected] on 30 May 2015 at 9:31

References to test files

As I’m reading this handbook, I think it would be comfortable to have
references to files containing particular tests or links to subpages
containing quoted content of these files in tables with results. Thus, in
the course of reading, it would be possible to see what the tests look
like, and this should help in understanding the text.

Original issue reported on code.google.com by [email protected] on 6 Feb 2009 at 11:51

Misspelling

Several times the word "scraped" is used, but the word "scrapped" is intended.

Original issue reported on code.google.com by [email protected] on 15 Dec 2008 at 9:17

Product tokens in HTTP examples not quite following specs

According to HTTP spec (RFC 2616 section 3.8), this request header:

User-Agent: Bunny Browser 1.7

must be parsed as three product names: "Bunny", "Browser", and "1.7"; 
none having a version number. A more correct example would be:

User-Agent: Bunny-Browser/1.7

which is a "Bunny-Browser" product with a "1.7" version number.

Problem found in page 
http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Transfer_Protocol. 
The same problem exists with the Server header in the HTTP response.

Original issue reported on code.google.com by [email protected] on 2 Jan 2009 at 6:10
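
The parsing rule this issue cites, as an added example that is not part of the original issue or the handbook: a small parser for the RFC 2616 section 3.8 product grammar (`token ["/" version]`, with parenthesised comments skipped). The names `parse_products` and `is_token_char` are hypothetical, and the third sample header is constructed for illustration.

```python
# RFC 2616 section 2.2: a token is any CHAR except CTLs and these separators.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

def is_token_char(c):
    return 0x20 < ord(c) < 0x7f and c not in SEPARATORS

def parse_products(value):
    """Return [(name, version_or_None), ...] from a User-Agent or Server value."""
    out, i, n = [], 0, len(value)

    def token(start):
        end = start
        while end < n and is_token_char(value[end]):
            end += 1
        if end == start:
            raise ValueError(f"expected token at offset {start}")
        return value[start:end], end

    while i < n:
        c = value[i]
        if c in " \t":                       # linear whitespace between products
            i += 1
        elif c == "(":                       # comment: may nest, may hold quoted-pairs
            depth = 0
            while i < n:
                if value[i] == "\\":
                    i += 1                   # skip the escaped character
                elif value[i] == "(":
                    depth += 1
                elif value[i] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                i += 1
            if i >= n:
                raise ValueError("unterminated comment")
            i += 1
        else:                                # product = token ["/" product-version]
            name, i = token(i)
            version = None
            if i < n and value[i] == "/":
                version, i = token(i + 1)
            out.append((name, version))
    return out

if __name__ == "__main__":
    for header in ("Bunny Browser 1.7", "Bunny-Browser/1.7",
                   "Bunny-Browser/1.7 (BunnyOS; nested (x)) Lib/2"):  # last one constructed
        print(header, "->", parse_products(header))
```

Log pipelines and User-Agent allowlists that split on the first space or slash will disagree with this grammar on the first header, which is the mismatch the issue points out.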

Opera image format support

Opera is described ("Other built-in document formats") as supporting no 
image formats beyond JPG, PNG, and GIF, but it does in fact support BMP.  
It does not support TIF.  I did not test other formats.

Original issue reported on code.google.com by [email protected] on 1 Jan 2009 at 11:25

Wrong URL

In http://code.google.com/p/browsersec/wiki/Part1 section "True URL schemes" 
in table "Gopher (RFC 4266)" links to wrong URL
http://www.ietf.org/rfc/rfc14266.txt. Remove 1 from URL for correct URL
http://www.ietf.org/rfc/rfc4266.txt.

Original issue reported on code.google.com by [email protected] on 11 Dec 2008 at 6:51

Fraud google products

I think I have a fake  version of gmail and chrome on my iPad.  I am listed as 
a supervised user on my account.  Advanced setting is grayed out on my settings 
in Chrome.  I am trying to get help but cannot find a space to go to.  There is 
a kggould.com site I cannot log into either.  I know you are not security 
people but maybe you can help, or send this to someone who can.

Thank you,
 Karen Gould
[email protected] (my other gmail account)

Original issue reported on code.google.com by [email protected] on 29 Dec 2013 at 5:37

X-Frame-Options Supported in FF 3.6.9

The table shows that FF3 does not have X-Frame-Options support, but Mozilla's 
site claims it does as of FF 3.6.9 (I have not tested it).

Affected Page:
http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)

Source:
http://blog.mozilla.com/security/2010/09/08/x-frame-options/

Original issue reported on code.google.com by [email protected] on 21 Feb 2011 at 5:04

Broken XSS link

In the section: http://code.google.com/p/browsersec/wiki/Part1
the link Cross-site scripting pointing to:
http://code.google.com/p/doctype/wiki/ArticlesXSS
is broken.

Currently the valid destination is:
http://code.google.com/p/doctype-mirror/wiki/ArticleXSS

Original issue reported on code.google.com by ecasbas on 7 Jan 2013 at 6:48

Reference for "Same Origin Policy" notion

Presently, the notion of "Same Origin Policy" is not in and of itself
appropriately defined anywhere. 

Recently, this wiki page has been established as a (the) place to tease out
such a definition..

  http://www.w3.org/Security/wiki/Same_Origin_Policy

We suggest that the BSH reference that page, e.g. in the "Part 2"
subsection entitled "Same-origin policy". 

thanks, 

=JeffH

Original issue reported on code.google.com by [email protected] on 1 Dec 2009 at 7:50

Exploit.HTML.MHTRedir-8 FOUND

What steps will reproduce the problem?
1. gzip -d the tar.gz file
2. run clamscan on browser_tests-1.00.tar

Exploit.HTML.MHTRedir-8 FOUND

Is this exploit used for educational purposes or ...?

Original issue reported on code.google.com by [email protected] on 11 Dec 2008 at 12:00

Unicode in URLs not completely correct for Firefox 3

In the table of section "Unicode in URLs" (part 1), it is said that Firefox
3 uses UTF-8 for "Request URL query string encoding for manually entered
URLs". This is actually not completely true.

It looks like Firefox 3 does the following:
  - if all the characters in the query string can be encoded in the
machine's default encoding, this encoding is used.
  - otherwise, UTF-8 is used.

Let me explain. I'm using a French machine whose default encoding is
CP-1252 (similar to ISO-8859-1).

The URL http://www.google.com/search?q=é produces
http://www.google.com/search?q=%E9, whereas
http://www.google.com/search?q=ąé produces
http://www.google.com/search?q=%C4%85%C3%A9.

In the first case, the "é" character was converted to %E9 which is
ISO-8859-1. In the second case, it was converted to %C3%A9, which is UTF-8.



Original issue reported on code.google.com by [email protected] on 28 Jan 2009 at 1:06
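
The two-step behaviour reported above, as an added example that is not part of the original issue: a model of the described encoding choice, plus the server-side decoder it forces and the ambiguity that decoder cannot resolve. The function names are hypothetical, `cp1252` stands in for the reporter's machine default, and the `Ã©` input is constructed.

```python
from urllib.parse import quote, unquote_to_bytes

def encode_query_like_ff3(query, default_encoding="cp1252"):
    """Model of the reported behaviour: use the machine's default encoding
    if every character fits in it, otherwise fall back to UTF-8."""
    try:
        raw = query.encode(default_encoding)
    except UnicodeEncodeError:
        raw = query.encode("utf-8")
    return quote(raw, safe="=&")

def decode_query_bytes(percent_encoded, legacy_encoding="cp1252"):
    """Server-side guess: strict UTF-8 first, then the legacy code page.
    Returns (text, encoding_used) so callers can log which path was taken."""
    raw = unquote_to_bytes(percent_encoded)
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return raw.decode(legacy_encoding, errors="replace"), legacy_encoding

if __name__ == "__main__":
    # The two inputs from the issue, then a constructed ambiguous one.
    for q in ("é", "ąé", "Ã©"):
        wire = encode_query_like_ff3(q)
        print(repr(q), "->", wire, "->", decode_query_bytes(wire))
```

The constructed third input is sent as `%C3%A9` in CP-1252 and is indistinguishable on the wire from UTF-8 `é`, so input filters should run only after the bytes have been decoded with one charset the server has committed to.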

Request for a printable version

hi,

Thanks for a great document. Because the content is huge it will help to be
able to take a print and read (instead of on screen). Hope this can be done.

regards

Sesh

Original issue reported on code.google.com by [email protected] on 18 Dec 2008 at 10:49

Blocked list of ports might not be correct

I'm referring to
http://code.google.com/p/browsersec/wiki/Part2#Port_access_restrictions

Last year I renewed my research and in the process published a list of
blocked ports per browser. Please refer to:

http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf

As you may notice from the Appendixes, Firefox and Safari differ from Opera
when it comes to the ports blocked. Not sure if the behavior changed since
these tests were last performed (1 year ago)

Original issue reported on code.google.com by sandrogauc on 19 May 2009 at 9:47

New Flash Enhancement - local storage

There is an enhancement to Flash that supports access to files on the local
host system.  The page that discusses cross-domain policy should have this
information added.

http://www.macromedia.com/support/documentation/en/flashplayer/help/help02.html


Original issue reported on code.google.com by [email protected] on 15 Dec 2008 at 9:32

BSH should reference/leverage CURLIES project

see..

how browsers transform URLs
http://lists.w3.org/Archives/Public/public-iri/2009Nov/0045.html

and: http://code.google.com/p/curlies/

It doesn't appear that the BSH as yet references/leverages CURLIES -- which
might be a useful thing to do, especially in BSH part 1.

=JeffH



Original issue reported on code.google.com by [email protected] on 28 Dec 2009 at 11:15

Typo fixes

In Part1: "non-XML mode tend are generally" should be "non-XML mode tend to
be generally"

In Part2: "local files or input devices devices, although" should be "local
files or input devices, although"

Original issue reported on code.google.com by [email protected] on 18 Dec 2008 at 4:21

Mention Vista low integrity process for Internet Explorer

I think you should mention IE7's integration with Vista's process 
integrity mechanism in the "Open browser engineering issues", "security 
compartmentalization" section of part 3. Running IE7 as a low integrity 
process does reduce the impact of any code running inside the process.

Original issue reported on code.google.com by [email protected] on 2 Jan 2009 at 1:32

Include URL parsing differences inside <a> tags

Please include the different parsing rules that are applied in parsing URLs
inside <a> tags.
Eg, how are these parsed in different browsers:

<a href='/foo">
<a href="/foo&amp;">
<a href="/foo&quot;">
<a href='/foo&apos;'>
<a href='/foo%30'>

Original issue reported on code.google.com by [email protected] on 1 Jan 2009 at 11:14

fixup Note regarding cookie clarification work


the text of the "Note:" (in Part 2: Same-origin policy for cookies) reads: 

  "Note: there is an ongoing work to document, clarify, and clean up cookie
behavior to improve the usability of httponly and related mechanisms."

..and it contains an embedded link to the http-state@ list archives.


Given that the IETF HTTP-State working group was recently chartered, I
suggest revising the "Note:" text to be..

  "Note: an IETF effort is underway to clearly specify currently deployed
cookie behavior across major browsers."

..and have some appropriate chunk of the text link to..

  http://www.ietf.org/dyn/wg/charter/httpstate-charter.html


Also, I suggest moving the "Note:" itself to be either below the last
bullet item, or place it between the para above and the first bullet item. 

thanks.




Original issue reported on code.google.com by [email protected] on 14 Dec 2009 at 10:07

are wiki page diffs available?

Is it possible to see diffs of the changes being made to the wiki pages?
(Similar to how Trac's wiki revision history works)

Original issue reported on code.google.com by [email protected] on 6 Jan 2009 at 1:17
