Category: security

  • You probably heard about it: web applications are notoriously insecure. By now, most web developers seem to be aware of the security issues, yet vulnerabilities are more common than ever. Some people say it’s simply because developers tend to make mistakes. Other people say (and I agree) that the wrong tools are being used, tools which allow developers to make mistakes.


  • TL;DR: jQuery.parseHTML is a security hazard and will be called implicitly in a number of obvious and not so obvious situations.

    Why should you care?

    Hey, jQuery is great! It’s so great that Stack Overflow users will recommend it no matter what your question is. And now they have two problems. Just kidding, they will have the incredible power of jQuery:

    $("#list").append('<li title="' + item.info + '">' + item.name + '</li>');

    The above is locating a list in the document, creating a new list item with dynamic content and adding it to the list — all that in a single line that will still stay below the 80 columns limit. And we didn’t even lose readability in the process.

    Life is great until some fool comes along and mumbles “security” (yeah, that’s me). Can you tell whether the code above is safe to be used in a web application? Right, it depends on the context. Passing HTML code to jQuery.append will call jQuery.parseHTML implicitly, which is the moral equivalent of the infamous innerHTML property. If you aren’t careful with the HTML code you are parsing there, this line might easily turn into a Cross-Site Scripting (XSS) vulnerability.


  • A few days ago I outlined that the Reuters website relies on 40 external parties for its security. What particularly struck me was the use of external code hosting services, e.g. loading the jQuery library directly from the jQuery website and the GSAP library from cdnjs. It seems that in this particular case Reuters isn’t the one to blame — they don’t seem to include these scripts directly; it’s rather some of the other scripts they are using that are doing this.


  • The Syrian Electronic Army made the news several times lately by hacking popular news websites and making them display their propaganda messages. As with many similar hacks lately, the remarkable part was that the website wasn’t compromised directly. Instead, a third-party service provider that the website used was hacked: Codero was used to compromise the RSA Conference website, and Taboola to compromise the Reuters website.


  • Some months ago I was wondering why some Firefox installations appear to not support strong encryption. After analyzing the SSL handshakes on one of the filter download servers used by Adblock Plus, I am now mostly confident that the reason is proxy servers essentially conducting Man-in-the-Middle (MitM) attacks. Normally, a proxy server can only forward SSL data to its destination; it can neither modify nor read the data due to encryption. MitM proxies however pose as the destination server, which allows them to manipulate the data in any way they like. For that they have to encrypt the communication with a certificate that is valid for the destination server; usually this happens by installing a new root certificate on the client’s computer.


  • TL;DR: I created a new extension called Enforce Encryption. See extension description for a simple explanation of how it works and why using encrypted connections is important.
    I realized that Stack Overflow is one of the few websites that I use with authentication and yet over plain unencrypted HTTP connections. So, what if I just change http:// into https:// in the address bar? Surprisingly, this worked, even though Stack Overflow doesn’t support HTTPS officially (way too many links lead back to HTTP).

    So, if I want to use Stack Overflow over HTTPS now, how do I do it? All my history items lead to unencrypted pages. But even if I clean out my history, I regularly get to Stack Overflow pages via search or links. Switching to HTTPS manually every time is just unrealistic. That’s something where HTTP Strict Transport Security could help: if it were active for that site, all links and history entries would be changed into HTTPS automatically.


  • My colleague Felix Dahlke wrote up a rather simplistic blog post on malicious extensions. I wanted to write a more extensive blog post on the topic, without any simplifications. In fact, what you can do to avoid installing malicious extensions depends largely on your browser, so I will go into the details for all browsers below.


  • Google recently launched a redesigned version of its Web Store where one can install extensions and web apps. One particular feature caught my attention: it marks the extensions that you already have with a check mark. How does the web page know which extensions you have installed?


  • I received a payment of over $2,500 from Google today. Now the conspiracy theorists among you can go off and rant in all forums that Adblock Plus is sponsored by Google and can no longer be trusted. For those of you who are still with me: the money came through Google’s Vulnerability Reward Program. Recently Google extended the scope of the program to web applications. I took up the challenge and sure enough, in a few hours I found four vulnerabilities in various corners of google.com.


  • Only two days ago I wrote about how browser plugins are the biggest security risk today. And yesterday I experienced first-hand how one ends up with outdated and insecure plugins installed. I installed Lexware Steuer 2009 (for the German readers: yes, that’s the one you get at Aldi and that always gets good marks in software tests). And then Secunia PSI went berserk, warning me about various security threats on my computer. Turned out, this application installed the following without even telling me: Java Runtime Environment 1.6.0 Update 2 (released July 2007, current version is 1.6.0 Update 18), Flash Player ActiveX 9.0.124.0 (released April 2008, current version is 10.0.42.34), MSXML 4.0 SP2 (released June 2003, current version is 4.0 SP3).
