Browser security framework WebSpec reveals new cookie attack

The folks at Technische Universität Wien in Austria have come up with a formal security framework called WebSpec to analyze browser security.

And they have used it to identify multiple logic flaws affecting web browsers, revealing a new cookie-based attack and an unresolved contradiction of the Content Security Policy.

These logical flaws are not necessarily security vulnerabilities, but they can be. They are inconsistencies between the web platform specifications and the way these specifications are actually implemented in web browsers.

WebSpec was developed by Lorenzo Veronese, Benjamin Farinier, Mauro Tempesta, Marco Squarcina and Matteo Maffei in an effort to bring rigor to web security through automated, machine-verifiable rule checking rather than manual review.

Browsers, as explained in the academic paper “WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms”, have become tremendously complex and continue to grow more so as additional components are added to the web platform.

New web platform components undergo compliance testing, the researchers say, but their specifications are reviewed manually by technical experts to understand how new technologies interact with legacy APIs and with individual browser implementations.

“Unfortunately, manual reviews tend to overlook logic flaws, eventually leading to critical security vulnerabilities,” the computer scientists explain, noting how, eight years after the HttpOnly flag was introduced in Internet Explorer 6 as a way to keep cookies confidential from client-side scripts, researchers discovered the flag could be bypassed by scripts that read the response headers of an AJAX request using the getResponseHeader function.

WebSpec uses the proof language of the Coq theorem prover to subject the interaction of browser components and their specific behavior to formal tests. It makes browser security a matter of machine-verifiable Satisfiability Modulo Theories (SMT) checking [PDF].

To test for inconsistencies between web specifications and browsers, the researchers defined ten “invariants,” each of which describes “a property of the web platform that is expected to persist throughout its updates and regardless of how its components can interact with each other.”

These invariants, or rules, represent testable conditions that should always hold, such as “Cookies with the Secure attribute can only be set (via the Set-Cookie header) over secure channels”, as defined in RFC 6265, Section 4.1.2.5.

Of the ten invariants evaluated, three failed.

“In particular, we show how WebSpec can discover a new attack on the __Host- prefix for cookies, as well as a new inconsistency between the inheritance rules for the Content Security Policy and a planned change in the HTML standard,” the paper explains.

HTTP cookies with the “__Host-” prefix are supposed to be set only by the host domain itself or by scripts included in that domain’s pages. WebSpec, however, found an attack that breaks the corresponding invariant.

“A script running on a page can modify the effective domain used for SOP [Same-Origin Policy] checks at runtime via the document.domain API,” the paper explains, noting that the discrepancy between the access control policies of the Document Object Model and the cookie jar allows a script running in an iframe to access the document.cookie property of the parent page if both pages set document.domain to the same value.

The researchers note that while the current web platform remains vulnerable to this attack, it will eventually cease to be: the document.domain property has been deprecated, which means future browser updates will, one day, drop support for it.

The authors also used WebSpec to discover an inconsistency in the way blob objects – objects containing data that can be read as text, binary data, or streams using built-in object methods – inherit their Content Security Policy.

Lorenzo Veronese, a PhD student at TU Wien, raised the problem with the HTML standard working group last July, but the differing behaviors described in the CSP specification and in the Policy Container explainer have not yet been reconciled.

Antonio Sartori, a Google software engineer, has developed a fix, but it has not yet been integrated into the HTML standard.

In any case, the availability of WebSpec as a tool to formally assess browser behavior should make life a bit easier for those struggling to maintain ever-expanding browser code bases.