New Security Enhancing HTTP Headers

In the past few years, several new HTTP headers have been proposed to increase the security of web applications. They work by giving the browser additional instructions and information about the served application, which lets it mitigate or avert various common web attacks even if the underlying application contains vulnerabilities, thereby adding another layer of defense.
As time passes, more and more people use a browser that supports these measures. Compass Security has long been testing for these security-enhancing features and actively advocates their implementation. We are therefore releasing a presentation that we have used to educate employees and customers alike about this topic.


The presentation “New HTTP headers – and living in a POST-XSS world” aims to give a quick overview and answers all of the questions below:
  • What are the new HTTP headers you can use to protect your web application?
  • Why should I force mode=block for the X-XSS-Protection header?
  • How tightly can I configure an X-Content-Security-Policy?
  • What is the purpose of the Strict-Transport-Security header?
  • What does Stefano Di Paola’s Firefox SecurityHeaders extension look like?
  • Let’s dream of a world where browsers are smart enough to prevent the execution of arbitrary JavaScript code via XSS – what options would be left?
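As an added example (not from the presentation or from Compass Security), the following Python audits a captured set of response headers for the weak settings the questions above ask about: X-XSS-Protection without mode=block, a CSP that permits inline scripts, and a short-lived HSTS policy. The sample headers and the one-year HSTS threshold are constructed assumptions.

```python
import re
# Constructed samples: a weak response and the hardened form the talk argues for.
SAMPLE_WEAK = {
    "X-XSS-Protection": "1",
    "X-Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
}
SAMPLE_HARDENED = {
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

def parse_csp(value):
    """Split a CSP string into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection: header missing")
    elif "mode=block" not in xss.replace(" ", "").lower():
        # Without mode=block the filter rewrites the page instead of blocking it.
        findings.append("X-XSS-Protection: mode=block not set")
    # Accept the standard name and the X- prefixed name in use when the talk was given.
    csp = h.get("content-security-policy") or h.get("x-content-security-policy")
    if csp is None:
        findings.append("CSP: no policy header")
    else:
        policy = parse_csp(csp)
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP: script-src allows inline or any-origin scripts")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < 31536000:  # assumed minimum: one year
            findings.append("HSTS: max-age shorter than one year")
    return findings
```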

Retrospective about cache snooping

As has been known since at least 2006, a website is able to identify the domains a user previously visited with some simple CSS hacks. This had serious privacy implications, and browsers took steps to eliminate the problem. But in December 2011, lcamtuf presented a new proof of concept based on cache timings, which achieves essentially the same result. This newer technique uses JavaScript and the caching behavior of previously loaded resources to identify visited domains.

This vulnerability is not something a penetration test will identify, as it is purely a client-side problem. Nevertheless, it is an interesting topic, as it exposes fundamental privacy flaws in browser technology that cannot be patched easily. It is similar to side-channel attacks on crypto systems, where the fix inherently reduces performance.

The attached presentation “CSS :visited – or now Browser Cache Timing” gives an overview of the history around this issue and of how the proofs of concept from 2006 and December 2011, respectively, work.