Researchers at Technische Universität Wien in Austria have created a formal security framework called WebSpec for analysing browser security.
They used it to identify multiple logical flaws affecting web browsers, exposing a new cookie-based attack and an unresolved contradiction in the Content Security Policy.
These logical flaws are not necessarily security vulnerabilities, but they can become them: they are inconsistencies between web platform specifications and the way those specifications are actually implemented in browsers.
WebSpec was developed by Lorenzo Veronese, Benjamin Farinier, Mauro Tempesta, Marco Squarcina and Matteo Maffei in an effort to achieve accuracy in web security through automated and verifiable rule-checking rather than manual evaluation.
Browsers, as they explain in the academic paper “WebSpec: Towards an Automated Checked Analysis of Browser Security Mechanisms”, have become very complex and continue to become more so as new components are added to the web platform.
The researchers say that new web platform components undergo compliance testing, but that their specifications are reviewed manually by technical experts to understand how new technologies interact with legacy APIs and with individual browser implementations.
“Unfortunately, manual reviews tend to overlook logical flaws, which ultimately leads to serious security vulnerabilities,” the computer scientists explain, noting that eight years after the HttpOnly flag was introduced in Internet Explorer 6 as a way to hide cookies from client-side scripts, researchers discovered that the flag could be circumvented by scripts reading the response headers of an AJAX request through the getResponseHeader function.
WebSpec uses the Coq proof assistant to formally model the interactions and specific behaviours of browsers. It reduces browser security questions to Satisfiability Modulo Theories (SMT) problems that can be checked by machine.
To test for discrepancies between web specifications and browsers, the researchers identified ten “invariants,” each describing a “property of the web platform that is expected to persist across its updates and regardless of how its components interact with each other.”
These invariants represent testable conditions that must always hold, such as “Cookies with the Secure attribute can only be set (using the Set-Cookie header) over secure channels,” as defined in RFC 6265, Section 4.1.2.5.
Of the ten invariants evaluated, three were found to fail.
“In particular, we demonstrate how WebSpec is able to detect a new attack on the __Host- cookie prefix as well as a new inconsistency between the inheritance rules of the Content Security Policy and the planned change to the HTML standard,” the authors write.
HTTP cookies prefixed with “__Host-” are only supposed to be set by the host domain or by scripts embedded in pages on that domain. However, WebSpec found an attack that violates the corresponding invariant.
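As an added illustration (not code from the paper or the WebSpec project), here is a small Python checker for the cookie-setting invariants the article cites: Secure cookies may only be set over secure channels, and __Host- cookies must be Secure, carry no Domain attribute and have Path=/. The attribute handling follows RFC 6265 and the cookie-prefix rules; the function names and sample headers are my own.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    domain: Optional[str] = None
    path: Optional[str] = None


def parse_set_cookie(header: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value followed by ;-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain":
            cookie.domain = val.strip().lstrip(".").lower() or None
        elif key == "path":
            cookie.path = val.strip() or None
    return cookie


def accept_cookie(header: str, secure_channel: bool) -> Tuple[bool, str]:
    """Decide whether a user agent should store the cookie, and why not if rejected."""
    c = parse_set_cookie(header)
    # Invariant from the article: Secure cookies only over secure channels.
    if c.secure and not secure_channel:
        return False, "Secure cookie set over an insecure channel (RFC 6265, 4.1.2.5)"
    if c.name.startswith("__Host-"):
        if not c.secure:
            return False, "__Host- cookie lacks the Secure attribute"
        if not secure_channel:
            return False, "__Host- cookie set over an insecure channel"
        if c.domain is not None:
            return False, "__Host- cookie must not carry a Domain attribute"
        if c.path != "/":
            return False, "__Host- cookie must have Path=/"
    elif c.name.startswith("__Secure-") and not c.secure:
        return False, "__Secure- cookie lacks the Secure attribute"
    return True, "ok"
```

The checker models only the Set-Cookie side of the invariant; the document.domain attack described next bypasses it on the DOM side, which is why WebSpec models both.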
“A script running on the page can modify the effective origin used in runtime SOP [Same-Origin Policy] checks through the document.domain API,” the paper explains, noting that a mismatch between the access control policies of the Document Object Model and the cookie jar allows a script in an iframe to access the document.cookie property of the parent page if both pages set document.domain to the same value.
The researchers note that while the current web platform remains vulnerable to this attack, it eventually won’t be: the document.domain property is deprecated, meaning that future browser updates will one day remove support for it.
The authors also used WebSpec to detect inconsistencies in the way Blob objects – objects holding data that can be read as text, binary, or streams through the object’s methods – inherit their Content Security Policy.
Lorenzo Veronese, a doctoral student at TU Wien, raised the issue last July to the working group on the HTML standard, but the different behaviors described in the CSP specification and the container policy explanation have not yet been reconciled.
A fix was developed by Antonio Sartori, a Google software engineer, but it has not yet been incorporated into the HTML standard.
In any case, having WebSpec as a formal tool for assessing browser behaviour should make life a little easier for those tasked with maintaining sprawling browser code bases. ®