Web Security Training

Navigating the web security landscape

The websec digest #10

The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This is the tenth edition already, and the headline is a cross-browser fingerprinting technique, which can be used to track you, even if you switch browsers.

Ever since the release of Panopticlick, a lot of research has gone into browser-based fingerprinting techniques. Last week, researchers published a paper describing a cross-browser fingerprinting technique that depends on OS- and hardware-level features. This technique allows a web page to reliably fingerprint your machine, meaning that you can’t even hide by switching browsers. At the moment, there’s little you can do against this. The technique seems to be less effective in the Tor browser, but mainly because that browser disables many of the technologies used to build the fingerprint.

Right after releasing the previous edition, news broke of a UXSS exploit in IE that allows an attacker to bypass the browser’s Same Origin Policy. In a nutshell, the exploit comes down to abusing the way an origin is assigned to an ActiveXObject. This enables the attacker to create an object he controls with an origin of his choice, thereby bypassing the Same Origin Policy.

Another impressive research result is this ASLR-busting JavaScript code. Researchers have found a way to use JavaScript to bypass the decade-old “Address Space Layout Randomization”, a commonly used defense against low-level attacks such as buffer overflows. These findings are absolutely terrifying, especially because we’ve gotten used to running all kinds of untrusted JavaScript in our browsers.

Do you remember the Heartbleed vulnerability from a couple of years ago? Now there’s Ticketbleed, albeit on a much smaller scale. The vulnerability allows the extraction of uninitialized memory, very much like Heartbleed did. It has been discovered in the networking stack of F5 products, which are typically found in large enterprise-scale networks.

But it’s not all bad news. A lot of people are putting in a lot of effort to make the web better and more secure. One of my readers pointed me to this blog post, which outlines a number of best practices for using JSON Web Tokens (JWT). If you’re (considering) using JWT tokens, this is definitely required reading material!

Upcoming Events

There are two upcoming events I wanted to highlight:

  • On February 28th, I will talk at the OWASP Belgium chapter meeting, about how modern web security technologies no longer suffice.
  • On April 24 and 25, you can attend the Web Security Essentials training course, which will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today. Attending the course also means you get a free set of YubiKeys. More information and registration.

As usual, you can find the full list of events on my speaking page.
