The folks at Technische Universität Wien in Austria designed a formal security framework called WebSpec to analyze browser security.
And they used it to identify several logical flaws in web browsers, revealing a new cookie-based attack and an unresolved contradiction to content security policy.
These logical vulnerabilities are not necessarily security vulnerabilities, but they can be. These are inconsistencies between the specifications of the web platform and how those specifications are actually implemented in web browsers.
WebSpec was developed by Lorenzo Veronese, Benjamin Farinier, Mauro Tempesta, Marco Squarcina, Matteo Maffei with the aim of bringing rigor to web security through automated and verifiable rule verification rather than manual evaluation.
Browsers, as they explain in an academic article, “WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms,” have become extremely complex and continue to be so as additional components are added to the web platform. .
New components of the web platform go through conformance testing, the researchers say, but their specifications are manually reviewed by technical experts to understand how new technologies interact with existing APIs and individual browser implementations.
“Unfortunately, manual reviews tend to overlook logical flaws, which ultimately leads to critical security vulnerabilities,” IT scientists say, noting that eight years after the introduction of the HttpOnly flag in Internet Explorer 6 – like a way to keep client cookies confidential – side scripts – researchers found that the flag could be bypassed by scripts accessing the response headers of an AJAX request using the getResponseHeader function.
WebSpec uses the Coq theorem proof language to subject the interaction of browsers and their specified behavior to formal tests. This makes browser security a matter of machine verifiable modulo satisfaction theory (SMT) evidence. [PDF].
To test for inconsistencies between web specifications and browsers, the researchers defined ten ‘invariants’, each of which describes’ a property of the web platform that should be retained in its updates and regardless of how its components can possibly interact with each other. “
These invariants or rules represent testable conditions that should be true, such as “Cookies with the Secure attribute can only be set (using the Set-Cookie header) on secure channels”, as defined in RFC 6265, section 22.214.171.124.
Of the ten invariants evaluated, three failed.
“In particular, we show how WebSpec is able to discover a new attack on the __Host- prefix for cookies as well as a new inconsistency between the inheritance rules of the content security policy and a planned change in the HTML standard “, explains the document. .
HTTP cookies prefixed with “__Host-” are meant to be set only by the host domain or scripts included on pages for that domain. WebSpec, however, found an attack to break the associated invariant test.
“A script executed on a page can modify at run time the effective domain used for the SOP [Same-Origin Policy] checks through the document.domain API, ”the document explains, noting that the mismatch between the access control policies in the document object model and the cookie jar allows a script executed in an iframe to Access the document.cookie property on a parent page if both pages set document.domain to the same value.
The researchers note that while the current web platform remains vulnerable to this attack, it ultimately will not be:
The authors also used WebSpec to discover an inconsistency in the way blobs (objects containing data that can be read as text, binary, or stream using built-in object methods) inherit their security policy. content.
Lorenzo Veronese, a doctoral student at TU Wien, raised the issue last July with the HTML standard working group, but the different behaviors described in the CSP specification and the policy container explicator have yet to be reconciled.
Antonio Sartori, a software engineer at Google, has developed a fix but it has not yet been incorporated into the HTML standard.
Either way, the availability of WebSpec as a formal browser behavior assessment tool should make life a little easier for those struggling to maintain sprawling browser code bases. ®