Adblock Plus and (a little) more
AMO getting serious about add-on security · 2009-11-14 15:36 by Wladimir Palant
Good news: AMO is finally getting serious about improving security of add-ons. Several bugs that I filed almost a year ago and didn’t have time to follow up on have suddenly seen some movement, even to the point of setting a two weeks deadline to resolve the security issues (thanks, Jorge). Sure, this approach won’t make you new friends and one add-on author preferred to remove his add-ons rather than fix them. But it is really overdue to start enforcing policies.
Getting rid of Flash cookies · 2009-03-02 12:57 by Wladimir Palant
Pretty much every Flash movie on the web today uses Flash Player’s global storage feature to store data on your disk, similar to regular browser cookies. What makes this feature so problematic is the lack of proper control mechanisms. For example, for browser cookies I selected “Keep until I close Firefox” which makes sure that cookies can be set (no site functionality is broken) but won’t survive too long. But this setting won’t apply to Flash data. Same goes for the Private Browsing mode in Firefox 3.1, it has absolutely no effect on Flash. Note also that Flash data is the same for all browsers and all profiles.
Five wrong reasons to use eval() in an extension · 2009-02-06 13:35 by Wladimir Palant
One of the most overused JavaScript features is the eval()
function. I have seen it used in very many extensions but only a few actually had a good reason to use it. So I want to go through all the wrong reasons one would use eval()
.
Vulnerable extensions survey · 2009-02-05 16:49 by Wladimir Palant
I spent in total something like 10 hours searching 78 of the top 100 extensions for signs of unsafe interactions with the web (yes, I failed downloading the extensions that are hidden behind a EULA, will do better next time). The result: 14 extensions with severe vulnerabilities (typically the kind of vulnerability that lets a web page take over your browser and even the computer if your browser runs with administrator privileges) and several proof of concept exploits. The good news: I don’t think that I missed too many vulnerable extensions, when I searched for more patterns I just kept finding new issues in the extensions that were already known to be vulnerable. More good news: none of the top 10 most popular extensions made the list. The bad news: many of the remaining extensions didn’t make this list simply because they don’t interact with the web or only interact with the web in ways that are relatively unproblematic. Some others were just too messy to get an overview in reasonable time, so it was impossible to understand whether questionable coding practices actually caused security issues.
Displaying web content in an extension - without security issues · 2009-01-28 12:02 by Wladimir Palant
Over the last few years I reported a bunch of security vulnerabilities in various extensions and by far the most common issue was: “Extension Foo allows execution of remote code in privileged context”. Typically, an RSS reader extension would take the content of the RSS feed (HTML code), format it nicely and insert into the extension window. The issue that is overlooked here is that the RSS feed could contain some JavaScript code and it would then execute with the privileges of the extension — meaning for example that it would get full access to the browser (cookies, history etc) and to user’s files. pdp discovered a similar issue in the Firebug extension that uses an HTML-based templating system and forgot to sanitize some input received from the webpage.
Deobfuscating JavaScript · 2009-01-12 17:28 by Wladimir Palant
A few months ago I read a post in the WebSense Security Labs blog: The Ultimate Deobfuscator. Wow, pretty impressive hacking effort and nice tricks to hook JavaScript eval()
function and document.write()
in Internet Explorer. But couldn’t you use JS Debugger hooks in Firefox to do the same thing with only a few lines of code? And then maybe even more generic because eval()
and document.write()
are certainly not the only ways to generate JavaScript code on the fly (out of the top of my head: changing window.location
to a JavaScript URL, event handler attributes or setTimeout()
with a string parameter).
Filterset.G webpage hacked · 2008-12-15 10:02 by Wladimir Palant
Did I already mention that running a web server is dangerous? Well, it was only one part of the picture. Each server gets lots of automated requests trying to find vulnerabilities in the scripts that are installed (SQL injection vulnerabilities got particularly popular lately). But servers also get lots of requests on SSH and FTP ports trying to guess user names and passwords. So you better don’t use passwords that can be easily guessed using a dictionary attack. Even better, you don’t use any passwords at all.
Third-party JavaScript - yes, it is a security risk · 2008-12-02 15:23 by Wladimir Palant
Third-party JavaScript includes are as popular as ever. Almost every web page includes third-party scripts, be it for advertising, for visitor statistics or just for the fun widgets. The awareness of security risks connected to it — it is just not there. All the better to see The Register bring up this issue again, this time because of Google Analytics being used on Barack Obama’s website (and particularly in the admin interface).
Blocking malicious sites with Adblock Plus · 2008-07-03 11:48 by Wladimir Palant
I was reading about yet another wave of attacks exploiting a Flash vulnerability. It turned out that the Flash vulnerability used was already fixed but that doesn’t really matter — Adobe seems incapable of updating users to a secure Flash version in a timely fashion. So Firefox users were at risk here as well, and the continuing waves of SQL Injection attacks inserting malicious iframes into trusted websites didn’t exactly make the situation better.
HTTP Referer header won't help you with CSRF · 2008-05-21 15:44 by Wladimir Palant
It seems to be obvious but apparently this idea still isn’t common knowledge — HTTP Referer header is unreliable, and it is especially unsuited for any security measures. The Referer header isn’t always present because of users going to a page directly (via bookmark and similar), using an “unusual” browser (most commonly download helper applications), using filtering firewalls (privacy protection) etc. The Referer header might be incorrect because of the same filtering firewalls (some prefer to advertise rather than remove the header entirely), special browser extensions to manipulate the Referer header etc.