Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

[Amit Klein <aksecurity () gmail com>]

Anurag Agarwal wrote:
> I am looking to get views from people on the list about a proposed 
> security restriction in the browsers

I hope you're aware of Gervase Markham's 
http://www.gerv.net/security/content-restrictions/
> *The browser should check with the webserver which domains it can 
> interact with (load files from or submit post data to, etc) for that 
> website. How the check is implemented is upto the browser.*
>
> For example: If a page from mybank.com is trying to submit data to 
> attacker.com then before submitting the data, the browser should check 
> with the mybank.com if it is allowed to do so.
>  
> Q1. is it reasonable?
> Q2. What are the pros and cons of this approach?
> Q3. Would it limit some types of browser attacks (like some xss 
> vectors, etc)?
> Q4. Would it open any new types of attack vectors?
>  

For one, it doesn't fully handle situations in which the XSS payload can 
write compromised data to another (publicly accessible, or at least 
attacker accessible) part of the site. For example, an XSS payload may 
take the cookie value and "store" it in another part of the site, such 
as a page to where comments can be submitted. The attacker then only 
needs to frequently poll this section of the site and collect the data.

-Amit

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------