By Jake Edge
November 4, 2009
Cross-site scripting (XSS) is one of the biggest problems on the web
today. There are daily reports of XSS problems in various web sites and
web applications (including LWN, see below). So, it is not surprising that
browser makers are looking at ways to combat the problem. Previously, we
looked at Mozilla's Content Security
Policy (CSP), which is one approach, but the Chrome browser team has come up
with something different: reflective
XSS protection.
There are two basic types of XSS, persistent and reflected (or
non-persistent). Persistent XSS is an attack that gets stored at the site,
in a comment or some other user-generated content, that can then attack any
user viewing that content. Reflected attacks, instead, have the payload
stored in the HTTP request itself (as GET parameters or FORM submission
values). These attacks are generally disguised and the victim is tricked into
submitting them. Reflected XSS flaws well outnumber persistent flaws, so
it makes some sense to concentrate on those.
The basic idea behind Chrome's reflective protection is to examine each
script before it is run to see if it also exists in the request that was
sent. If the page contents contain scripts that were sent in the request,
it is likely that it is a reflected XSS attack. For example, if a link or
form submission contains a parameter foo with the value:
<script>alert("XSS!")</script>
then the browser can recognize it in the response and refuse to run the script.
It isn't quite as simple as a direct string comparison, of course, as there
are any number of tricks used by XSS attacks to obfuscate their intent. By
using HTML entity encodings, XSS attacks can often slip by naïve
tests. Things like:
javascript
may elude simple tests that are meant to prevent XSS, so the browser must
convert the request into a canonical form before doing the comparison.
In fact, a thread on
sla.ckers.org shows various types of obfuscation that elude
the Chrome XSS filter. The participants, eventually including Chrome
developer Adam Barth, keep attempting—mostly succeeding—to find
ways around the filter. Those were then added to a WebKit bugzilla
entry and many were fixed. Some of the more complicated cases are not
yet handled.
Several comparisons to the Internet Explorer 8 XSS filter were made in the
thread, generally unfavorable to Chrome's, but the Chrome filter is still
relatively new. Certainly, the Chrome developers can learn from IE8's filter. Barth
looked at the IE8 algorithm (by extracting it from the binary)
and compared the two:
The IE8 filter is based on a dozen or so regular expressions that are
applied to the HTTP response before parsing. Our filter works a bit
differently. It watches the scripts that are being executed after
parsing. That means we're pretty robust to tricky parsing issues (like the
/ thing mentioned above). The trade-off is that we have to be more careful
when matching the script with the request because it's been transformed by
the parser a bit. That's why you get issues like the double-encoded iframe
JavaScript URL issue above. It's being run through the parser twice, which
tripped us up.
The whole thread is worth a read for anyone interested in XSS and the
various tricks used by those attacks.
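The matching step described above (canonicalize the request, then compare it with the scripts the page is about to run) and Barth's point about input that has been decoded twice, as an added example in Python. This is not Chrome's or WebKit's code; it is a simplified model written for this page. The canonicalize(), ScriptCollector, find_reflected_scripts() and render_search_page() names, the MIN_MATCH threshold and the vulnerable search page are all assumptions constructed for the example.

```python
"""Simplified model of a browser-side reflected-XSS filter (added example,
not Chrome's code): canonicalize the request, collect the scripts the
response would run, flag any script that also occurs in the request."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote, unquote_plus, urlencode, urlsplit

MIN_MATCH = 6  # assumed threshold: ignore very short strings that match by chance


def canonicalize(text, max_rounds=3):
    """Percent-decode and entity-decode until the text stops changing, then
    drop whitespace and case. Repeating the decode is what catches payloads
    that were encoded twice (the "run through the parser twice" case)."""
    current = text
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    return "".join(current.split()).lower()


class ScriptCollector(HTMLParser):
    """Collects what the browser would execute from the parsed page: inline
    <script> bodies, external script URLs, on* handlers, javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # (kind, script text) pairs
        self._script_body = None   # accumulates text while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script_body = []
        for name, value in attrs:
            if value is None:
                continue
            if tag == "script" and name == "src":
                self.scripts.append(("external", value))
            elif name.startswith("on"):
                self.scripts.append(("handler", value))
            elif name in ("href", "src", "action") and \
                    value.strip().lower().startswith("javascript:"):
                self.scripts.append(("url", value))

    def handle_data(self, data):
        if self._script_body is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_body is not None:
            body = "".join(self._script_body).strip()
            if body:
                self.scripts.append(("inline", body))
            self._script_body = None


def request_values(url, form=None):
    """All request-supplied strings: query names and values, form values."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    values = [part for pair in pairs for part in pair]
    if form:
        values.extend(form.values())
    return values


def find_reflected_scripts(url, response_html, form=None):
    """Return (kind, script) pairs whose canonical form also occurs in the
    canonical request, i.e. scripts that look reflected from the request."""
    needles = [canonicalize(v) for v in request_values(url, form)]
    collector = ScriptCollector()
    collector.feed(response_html)
    collector.close()
    return [(kind, script) for kind, script in collector.scripts
            if len(canonicalize(script)) >= MIN_MATCH
            and any(canonicalize(script) in n for n in needles)]


def render_search_page(query):
    """Constructed stand-in for a vulnerable server that echoes the search
    term unescaped. Its own tracking script must not be blocked."""
    return (f"<html><body><h1>Results for {query}</h1>"
            "<script>track('search');</script></body></html>")


def query_param(url, name):
    """The value a server would see for one query parameter (decoded once)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))[name]


def demo():
    payload = '<script>alert("XSS!")</script>'
    base = "https://search.example/?"
    benign = base + urlencode({"q": "firefox"})
    attack = base + urlencode({"q": payload})
    # Double-encoded request hitting a server that decodes the value a second
    # time before echoing it; the request never contains a literal "<script>".
    twice = base + urlencode({"q": quote(payload)})
    return {
        "benign": find_reflected_scripts(benign, render_search_page(query_param(benign, "q"))),
        "reflected": find_reflected_scripts(attack, render_search_page(query_param(attack, "q"))),
        "double_encoded": find_reflected_scripts(
            twice, render_search_page(unquote_plus(query_param(twice, "q")))),
    }
```

The page's own tracking script is never flagged because it does not occur in the request, while the echoed payload is flagged in both the plain and the double-encoded case. Two caveats the article's thread bears out: a filter that compares after parsing has to canonicalize both sides the same way, and plain substring matching will produce false positives on pages that legitimately echo request data into script, so a real browser filter needs more context than this model has.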
While the Chrome reflective protection is fairly recent, with bugs to
squash and features to add, it will provide some added protection for
users against XSS. It is a much simpler solution than CSP—and doesn't
require web developers to change the way they use JavaScript—but it
also only handles a subset of the full XSS problem. Both techniques
likely have their place, but filtering reflected attacks is something
that can be done more quickly than fundamentally changing the JavaScript
landscape as CSP requires. It seems likely that Mozilla could pick up
this technique to add to its XSS protection, while still pushing CSP in
the longer term. Given the "popularity" of XSS attacks, it is great to
see the browser makers looking at multiple ways to reduce the risk.
Comments (1 posted)
We would like to thank Marti Raudsepp for letting us know about a
security hole in the comment submission code for the site. We believe
it is now fixed and, in general, that we have tightened up our HTML
handling for comments. As part of that, we removed support for many
attributes on HTML tags by whitelisting a small set of attributes. We
might very well have been over-zealous and removed support for legitimate
attributes. Please let us know at lwn@lwn.net if that is the case.
We would also like to remind folks that we encourage anyone who finds a
security problem with the site to contact us (lwn@lwn.net works for that
too). We give prompt attention to such things and thank anyone reporting
them—rather than, say, turning them
over to law enforcement.
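One way to implement the attribute allowlisting the notice above mentions, as an added example that is not LWN's comment-handling code: a parser-based sanitizer that drops every tag and attribute not in a fixed allowlist, checks href values against a short list of safe URL schemes, and re-escapes all text on the way out. The ALLOWED policy, SAFE_SCHEMES, the AllowlistSanitizer class and the sanitize() helper are assumptions made for the example.

```python
"""Allowlist-based HTML sanitizer for user comments (added example, not LWN's
code). Unknown tags and attributes are dropped rather than blocklisted, and
href values are checked against a short list of safe URL schemes."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: only these tags survive, and only with the listed attributes.
ALLOWED = {
    "a": {"href", "title"}, "b": set(), "i": set(), "em": set(), "strong": set(),
    "code": set(), "pre": set(), "p": set(), "br": set(), "blockquote": set(),
}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}  # elements that take no closing tag


def safe_url(value):
    """Accept relative URLs and the schemes in SAFE_SCHEMES; reject anything
    else (javascript:, data:, ...). Tabs and newlines are removed first
    because browsers ignore them inside a scheme."""
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: entities arrive decoded and are re-escaped below
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.open_tags = []  # stack used to keep the output balanced
        self.dropped = []    # what was removed, useful for logging and review

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag] or (name == "href" and not safe_url(value)):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray close tag, or one for a tag that was dropped
        while self.open_tags:  # close inner tags first so nesting stays valid
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        # Text, including the body of a dropped <script>, is escaped on output.
        self.out.append(escape(data, quote=False))

    # Comments and processing instructions fall through to the no-op
    # defaults of HTMLParser, so they are silently removed.

    def result(self):
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return (sanitized HTML, list of dropped tags and attributes)."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result(), parser.dropped
```

The dropped list is worth keeping in the submission log: an unexpected run of `a@href` or `script` entries from one account is a useful signal, and it also shows which legitimate attributes a policy this strict is removing, which is exactly the over-zealousness the notice asks readers to report.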
Comments (3 posted)
Brief items
Jamie Strandboge writes about work he has done to add AppArmor support to sVirt on his blog. "Since virtualization is becoming more and more prevalent, improving the security stance for libvirt users is of primary concern. It was very natural to look at adding an AppArmor security driver to libvirt, and as of libvirt 0.7.2 and Ubuntu 9.10, users have just that. In terms of supported features, the AppArmor driver should be on par with the SELinux driver, where the vast majority of libvirt functionality is supported by both drivers out of the box."
Comments (2 posted)
David Wheeler announces the defense of his PhD dissertation on countering the classic "Reflections on Trusting Trust" attack, which Ken Thompson spoke about in 1984. That attack subverts compilers to continuously re-infect binaries produced by that compiler (including the compiler binary itself) with some kind of malicious payload (a login back door was Thompson's example). The attack is impossible to detect, except by using Wheeler's technique, which was originally described in a 2005 Annual Computer Security Applications Conference (ACSAC) paper [PDF]. His dissertation expands on that work, and the defense of it is open to the public on November 23 at George Mason University in Fairfax, Virginia.
"This 2009 dissertation significantly extends my previous 2005 ACSAC paper. For example, I now have a formal proof that DDC is effective (the ACSAC paper only had an informal justification). I also have additional demonstrations, including one with GCC (to show that it scales up) and one with a maliciously corrupted compiler (to show that it really does detect them in the real world). The dissertation is also more general; the ACSAC paper only considered the special case of a 'self-parenting' compiler, while the dissertation eliminates that assumption."
Comments (16 posted)
New vulnerabilities
expat: buffer overflow
| Package(s): | expat PyXML |
| CVE #(s): | CVE-2009-3720 |
| Created: | November 4, 2009 |
| Updated: | May 6, 2011 |
| Description: | Incorrect UTF-8 sequences can cause expat (and tools using it, like PyXML) to read beyond its input buffer, leading to a crash. |
Comments (none posted)
firefox, xulrunner: multiple vulnerabilities
| Package(s): | firefox-3.0, firefox-3.5, xulrunner-1.9, xulrunner-1.9.1 |
| CVE #(s): | CVE-2009-3371, CVE-2009-3377, CVE-2009-3381, CVE-2009-3383 |
| Created: | November 2, 2009 |
| Updated: | June 11, 2010 |
| Description: | From the Ubuntu advisory: Orlando Berrera discovered that Firefox did not properly free memory when using web-workers. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 9.10. (CVE-2009-3371) Several flaws were discovered in third party media libraries. If a user were tricked into opening a crafted media file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 9.10. (CVE-2009-3377) Vladimir Vukicevic, Jesse Ruderman, Martijn Wargers, Daniel Banchero, David Keeler, Boris Zbarsky, Thomas Frederiksen, Marcia Knous, Carsten Book, Kevin Brosnan, David Anderson and Jeff Walden discovered various flaws in the browser and JavaScript engines of Firefox. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383) |
Comments (none posted)
kernel: null pointer dereference
| Package(s): | kernel |
| CVE #(s): | CVE-2009-3547 |
| Created: | November 4, 2009 |
| Updated: | February 15, 2010 |
| Description: | The kernel contains a null pointer dereference vulnerability in the pipe code; see this article for details. Kernels from 2.6.21 (possibly even older) through 2.6.31 are affected. |
Comments (none posted)
kernel: null pointer dereference
| Package(s): | kernel-rt |
| CVE #(s): | CVE-2009-3620 |
| Created: | November 4, 2009 |
| Updated: | November 12, 2010 |
| Description: | The r128 driver in the kernel contains a null pointer dereference vulnerability. |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2009-3621 |
| Created: | November 4, 2009 |
| Updated: | February 19, 2010 |
| Description: | There is a possible denial of service (via deadlock) vulnerability in the kernel Unix-domain socket code. |
Comments (none posted)
libhtml-parser-perl: denial of service
| Package(s): | libhtml-parser-perl |
| CVE #(s): | CVE-2009-3627 |
| Created: | October 30, 2009 |
| Updated: | January 12, 2010 |
| Description: | From the Debian advisory: Mark Martinec discovered that the decode_entities() function will get stuck in an infinite loop when parsing certain HTML entities with invalid UTF-8 characters. An attacker can use this to perform denial of service attacks by submitting crafted HTML to an application using this functionality. |
Comments (none posted)
mahara: multiple vulnerabilities
| Package(s): | mahara |
| CVE #(s): | CVE-2009-3298, CVE-2009-3299 |
| Created: | November 2, 2009 |
| Updated: | November 4, 2009 |
| Description: | From the Debian advisory: CVE-2009-3298: Ruslan Kabalin discovered an issue with resetting passwords, which could lead to a privilege escalation of an institutional administrator account. CVE-2009-3299: Sven Vetsch discovered a cross-site scripting vulnerability via the resume fields. |
Comments (none posted)
proftpd-dfsg: certificate spoofing
| Package(s): | proftpd-dfsg |
| CVE #(s): | CVE-2009-3639 |
| Created: | November 2, 2009 |
| Updated: | December 28, 2009 |
| Description: | From the Debian advisory: It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, when the dNSNameRequired TLS option is enabled. |
Comments (none posted)
rt3: JavaScript injection
| Package(s): | rt3 |
| CVE #(s): | |
| Created: | November 4, 2009 |
| Updated: | November 4, 2009 |
| Description: | From the rt 3.8.5 release announcement: During a routine internal audit, it was determined that all versions of RT from 3.4.6 to 3.8.4 are vulnerable to an escaping bug in the display of Custom Fields that could allow injection of javascript into the RT UI. |
Comments (none posted)
squidGuard: buffer overflows
| Package(s): | squidGuard |
| CVE #(s): | CVE-2009-3700, CVE-2009-3826 |
| Created: | November 4, 2009 |
| Updated: | August 17, 2010 |
| Description: | Several buffer overflows have been found in versions 1.3 and 1.4 of squidGuard. These vulnerabilities can be exploited to cause a denial of service situation or to bypass URL blocking. |
Comments (none posted)
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
| CVE #(s): | CVE-2009-3550, CVE-2009-3829 |
| Created: | November 3, 2009 |
| Updated: | May 28, 2010 |
| Description: | From the Mandriva alert: Vulnerabilities have been discovered and corrected in wireshark, affecting DCERPC/NT dissector, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a file that records a malformed packet trace (CVE-2009-3550); and in wiretap/erf.c which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file (CVE-2009-3829). |
Comments (none posted)
wireshark: denial of service
| Package(s): | wireshark |
| CVE #(s): | CVE-2009-3242 |
| Created: | November 4, 2009 |
| Updated: | November 25, 2009 |
| Description: | Wireshark's GSM layer 3 radio resource protocol dissector can be made to crash with the wrong input, leading to (at least) a denial of service problem. |
Comments (none posted)
Page editor: Jake Edge