Archive for the Google Category
Nir Goldhsanger asked me to share with my audience a nice privilege escalation through parameter pollution he found, allowing the attacker to become administrator of any Blogger blog, which he dutifully reported to Google and deserved him the famous $1337 bug bounty.
I'm quite impressed by the first step of the attack, where the application gets fouled by a double "blogID" parameter: the first gets validated (it actually refers to a blog owned by the attacker) but then the second is actually used to perform the "add authors" action. Looking at the URL, it would seem they use Struts or some other Java-based framework. Since I'm quite rusty with them (these days I mainly use PHP and Ruby on the server side), would anyone attempt a reverse engineering and explain which kind of code could get messed by this? Did they maybe parse their parameters twice, with two different parsers?!
30 10 2010Giorgio in CSRF, ABE, Google, Mozilla, Security, NoScript
Nevertheless, X-Content-Type-Options offers a nice opportunity to further hardening, by allowing web sites to opt-in for the strictest checks, on more file types and also same-domain, in a theoretically compatible way.
By comparison, only Google Chrome boasts a higher score of 15/16, because it supports both the HTTP Origin Header and the HTML 5 Sandbox Attribute, which are not implemented yet by Firefox nor by NoScript. For the curious, "vanilla" Firefox 4 nightlies stop at 11/15 (even if you're going to read 12/15 because of a XSS test bug), Firefox 3.6.12 + NoScript is at 13/15, while disabling NoScript makes it fall down to 9/16 (reported as 10/16 because of the aforementioned bug).
However, a fair comparison would need to cover also Content Security Policies, a very powerful and flexible security technology developed by Mozilla (test should be added soon, it seems) and countermeasures for cross-zone CSRF attacks (e.g. against routers), which are currently provided by NoScript and, partially, by Opera (Mozilla is working on something, too)*. If and when these features get tested, Firefox 4 + NoScript will lead at 16/18, followed by Chrome at 15/18.
That said, I'd really love to see Origin and Sandbox implemented natively by Firefox, for a perfect 18/18. Which is, I guess, the real raison d'Ãªtre of Browserscope: getting good stuff implemented everywhere by the power of childish envy ;)
* I won't advocate including tests for other non-blocking security features provided by NoScript, such as ClearClick anti-Clickjacking, because they're not suitable for web-based automation.
I'm quite surprised (albeit happy) to see a capitalist corporation actually contributing to social progress, and with a politically bold move, rather than with the usual hairy tax-deductible alms.
But after all Mozilla itself is a foundation, but a corporation too, isn't it?
Interesting times we're living in...
26 05 2010Giorgio in Google, Mozilla, Security, NoScript
On his blog, Wladimir Palant complains about Google providing browser users with a not effective enough way to opt-out from Google Analytics.
Specifically, he doesn't like how the Google Analytics Opt-out Browser Add-on actually allows Google Analytics scripts to load and run, just setting a global variable (
) in the hosting page which tells the code not to send back data.
This approach is inherently flawed, because the hosting page can easily force Google Analytics to run by simply overwriting the aforementioned
if (!!_gaUserPrefs) alert("You hate Google Analytics, don't you?")
can make a nice test to update the Panopticlick suite with, singling out privacy concerned persons.
However, the original sin is that the Google Analytics' script still being downloaded and executed, and if you find this questionable from a security/privacy perspective, then the Google's Analytics Opt-Out Browser Add-on serves no purpose.
Wladimir's post initially advertised his own extension as a better solution, but later he had to retract:
This is no news (and no problem) at all for NoScript users, though: in fact, almost one year and half ago, this very issue prompted the development of NoScript's Script Surrogates feature, which prevents the breakage by "emulating" the blocked script with dummy replacements. This means that NoScript users have Google Analytics blocked by default, with no site-breaking side effects.
So, until Google can come up with something better I recommend people to use the reliable and easy solution ;)
Bad Behavior has blocked 3729 access attempts in the last 7 days.