
browser-sec-whitepaper's Introduction

Cure53 Browser Security White Paper

Welcome to the code repository for the Cure53 Browser Security White Paper!

This is the right place to leave comments and file bugs in case we got something wrong.

The latest version of the PDF will be available here as well. Expect frequent updates for smaller fixes and adjustments.


browser-sec-whitepaper's Issues

Incorrect numbers in summary tables

The summary table on page 297 contains the following:

Feature                                                         Chrome  Edge  MSIE
Web Extension Security Tests (Pass/Fail tests were conducted)   5/10    2/10  0

Nowhere does the paper exactly state what the numbers are intended to mean, but presumably they are the number of passed tests in each browser. However, if that's the case, the numbers should actually be 5/10 for Chrome and 8/10 for Edge.

Including my co-author in the light sensor work

Hi,

Congrats on your whitepaper! Reading it with interest.

However, would you be so kind and replace "This was demonstrated by Olejnik et al." with "Olejnik and Janc", since it's two authors only (e.g. as per Chicago style or different references on references)? Thanks!

External Resource in Sandbox key missing the point entirely

From the whitepaper, page 182:

However, the test uncovered that the applied restriction can be bypassed and lead to
external web resources being loaded. The HTML file provided via the sandbox key can
use meta redirects for this purpose:

<head>
<meta http-equiv="refresh" content="0; url=http://example.com/redirect.html" />
</head>

The purpose of the feature (of not allowing external content in the sandbox) is to prevent untrusted content from being loaded into the extension process. The redirection causes the file to be loaded in a new process, which is correct behavior. This can be easily verified using the task manager. There is no risk here.

Regarding Reference 326 for HPKP Hostile Pinning

All,

Congratulations on the report!

Following up on an out-of-band conversation with Mario: Reference 326 regarding Hostile Pinning is ultimately a pointer--several degrees of separation away--to a conference talk delivered by myself and @buu700 (Ryan Lester), so we're seeking an amendment of Reference 326 to cite the original talk directly ("Bryant Zadegan, Ryan Lester, Abusing Bleeding Edge Web Standards for AppSec Glory, DEF CON 24, 2016-08-06").

Reference URL: https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Bryant-Zadegan-Ryan-Lester-Abusing-Bleeding-Edge-Web-Standards-For-Appsec-Glory-UPDATED.pdf

Cheers,
-Bryant

Local file access via content scripts possible in Chrome

From the whitepaper, page 186:

It is not possible to open any file,
as Chrome immediately triggers a download for the file instead of showing its contents,
therefore prohibiting an extension access.

This is incorrect. Downloads are only triggered for file types that cannot be displayed in the browser. For other types, e.g. plain text or HTML, accessing content is completely possible.

Some references in footnotes are broken by ... cropping

Great read so far, thanks for all the work you put into this!

I noticed that some of the references are broken, because they contain ... instead of the actual missing part of the URL. As I understand, for presentational purposes part of long URLs in the footnotes is automatically replaced by ...; it seems like in some cases the URL the reader is redirected to when clicking on the link contains those ... as well, which breaks the URL.

Some broken links so you can pinpoint the issue (there's more):
30 https://www.blackhat.com/docs/asia-17/materia...-Using-Data-Only-Exploitation-Technique.pdf
380 http://windowsitpro.com/windows-81/managing-account-cred...eb-credential-manager
388 https://www.wired.com/2016/08/hackers-trick-facial-recognition-logins-p...ok-thanks-zuck/

In this comment a similar issue was fixed.

Link in reference 23 is broken

Hi all,

Again, great work, thanks! Too bad because no Firefox though :-)
Anyway, while going through the paper I noticed the link in reference #23, page 30, is broken.
I believe a similar issue was reported earlier so the fix should be straightforward.
Maybe it would make sense to have a quick go (preferably scripted?) through all links and see if they work? Just saying.

Regards!

WebExtensions testcases not accurately described

The whitepaper does not include enough information to accurately reproduce the WebExtensions test cases. Please describe the test executions in more detail and include code where possible.

See also issue #11.

Conflation of site and origin (in the context of SameSite)

The section entitled Same Site Cookies (p.130) conflates the concepts of origin and site:

The browser will only send SameSite cookies in the scope of a given origin A if the document that formulated the request is also in the scope of the origin A. If a document in the scope of origin B or C formulates a request to the origin A, the browser will not send SameSite cookies as part of the request.

See this blogpost for more details.
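The distinction this issue draws, as an added illustration (not code from the whitepaper or from the issue author): two documents can live on different origins yet still be the same site, and SameSite compares sites, not origins. The public-suffix table below is a constructed subset; a real check consults the full Public Suffix List, and the Lax top-level-navigation exception is deliberately not modelled.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org); real
# registrable-domain computation must use the full, current list.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def origin(url):
    """Origin = (scheme, host, port); default ports are filled in per scheme."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}[u.scheme]
    return (u.scheme, u.hostname, port)


def registrable_domain(host):
    """Longest matching public suffix plus one label (the eTLD+1)."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return host  # host itself is a public suffix
            return ".".join(labels[i - 1:])
    return host  # no known suffix, e.g. "localhost": the host is its own site


def site(url):
    """Schemeful site = (scheme, registrable domain): what SameSite compares.
    Port is intentionally ignored; host labels below the eTLD+1 are too."""
    u = urlsplit(url)
    return (u.scheme, registrable_domain(u.hostname))


def same_site_cookie_sent(initiator_url, target_url, same_site="Strict"):
    """Would a cookie with this SameSite value, set by target_url's host, be
    attached to a request that a document at initiator_url makes to target_url?
    Lax is treated like Strict here (top-level navigation exception omitted)."""
    if same_site == "None":
        return True
    return site(initiator_url) == site(target_url)
```

Note that `https://a.example.com` and `https://b.example.com:8443` are distinct origins but one site, so a Strict cookie still flows between them; a document on `https://alice.github.io` is a different site from `https://bob.github.io` because `github.io` is a public suffix.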

"Context isolation in developer extension" makes no sense

From the whitepaper, page 186:

Context Isolation in Developer Extension

A developer extension has access to a website's DOM and can execute JavaScript in its
context. Google Chrome's documentation clarifies that this feature does not use isolated
worlds, so the extension must be really careful when it comes to evaluating the returned
content.

This is the full description of the test case. The result from the test is marked as passed for both Chrome and Edge.

So, essentially, the test case is testing for a feature that does not exist in any browser, then ignoring the fact that it doesn't exist and that on Chrome it causes a significant risk.

This test case makes zero sense.

Extension cannot prevent the user from disabling it in Chrome

From the whitepaper, page 187:

The extension settings page of Chrome is hosted on chrome://extensions
and the aforementioned APIs can be employed by the extension to enumerate all tabs.
This can occur every second and detect if the extension page is opened. Once detected,
it can immediately close the tab, therefore denying user an option of disabling extensions
at their will.

This does not prevent the user from disabling the extension. "Background" extensions can be terminated from the taskbar, then disabled. All extensions can be disabled using the "browser action" icon (which exists even if there's no action defined). And finally, extensions can always be terminated using the Chrome task manager (Shift+Esc).
