Last Thursday, Michael Sutton (@michaelawsutton) of Zscaler Labs gave a presentation entitled "Your Browser Wears No Clothes: Why Users With Fully Patched and Secured Web Browsers Remain Vulnerable in a Web 2.0 World" at the ISSA – NoVA Chapter meetup. Sutton, VP of Security Research at Zscaler, has a background in researching, publishing and presenting on various security issues such as web security, client-side vulnerabilities, and fuzzing, making the "Your Browser Wears No Clothes" talk a fitting presentation for his expertise.
Sutton touched on several topics during his talk, including the evolution of attacks in which the "bad guys" have shifted their focus from servers to desktops and desktop applications. While Sutton talked about "naked browsers" for much of his talk, he did briefly define how "naked applications" lead to a "naked browser."
According to Sutton, "naked applications" means that attackers are now migrating to attacks that involve third-party services such as websites. The flaw that enables the attack is in the website itself, not the browser. There is no patch that end users or companies can apply to "fix" this problem, because while browsers may be under their control, websites are not.
But why are these applications vulnerable?
According to Sutton, advances in web application technology and development are to blame. Thanks to these advances in application development tools, nearly anyone can create a usable web application, whether or not they have a background in web application development.
Because of this relative ease of development, the web is now full of applications built by novice web application developers, and that is what makes the naked browser possible. Given these flawed web applications, it doesn't matter whether users have fully patched browsers:
They are open to attack when they visit these websites because it is the web application, not the browser, that is flawed.
Sutton said that when looking at the past, it's obvious that this problem has existed all along; we just haven't noticed the trends. Reviewing previous attacks, Sutton said that earlier techniques, such as XSS, CSRF, HTTP Response Splitting, Content Spoofing, DNS Cache Poisoning, and URL Redirection among others, have contributed to naked browser attacks.
For example: the WASC Threat Classification found that most threats focus on broken browsers, with only two being "naked," while the Whitehat Security Stats found that "naked attacks" were involved in over two-thirds of all sites.
Additionally, there have been numerous case studies that have shown examples of "naked browser" attacks. The most recent examples are the Twitter attacks that happened last weekend (XSS), as well as the Adobe Flash Clickjacking attack (which occurred through the abuse of web protocols) that happened last year.
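To make the "flaw is in the web application, not the browser" point concrete, here is an added example (not from the talk or this post) of the reflected XSS pattern behind attacks like the Twitter one: a hypothetical request handler that echoes a query parameter into HTML unescaped, beside the output-encoded version, with a parser check standing in for what any browser, fully patched or not, would make of each response. The query string is constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample request: a "name" parameter carrying script markup
# (illustrative input, not any real-world payload).
SAMPLE_QUERY = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def render_naked(query: str) -> str:
    """Vulnerable handler: untrusted input is dropped straight into HTML.

    Nothing the browser vendor patches changes this; the browser simply
    parses whatever the application sends it.
    """
    name = parse_qs(query).get("name", [""])[0]
    return f"<p>Hello, {name}!</p>"


def render_encoded(query: str) -> str:
    """Fixed handler: the same data is HTML-encoded before it reaches the
    browser, so it renders as text rather than as elements."""
    name = parse_qs(query).get("name", [""])[0]
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


class ScriptCounter(HTMLParser):
    """Minimal stand-in for the browser's parser: counts <script> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_elements(page: str) -> int:
    """Number of <script> elements a browser would find in this response."""
    parser = ScriptCounter()
    parser.feed(page)
    return parser.scripts


if __name__ == "__main__":
    print("naked  :", script_elements(render_naked(SAMPLE_QUERY)), "script element(s)")
    print("encoded:", script_elements(render_encoded(SAMPLE_QUERY)), "script element(s)")
```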
According to Sutton, the attacks that produce naked browsers are hard to defend against because they often look like legitimate traffic. Sutton compared identifying these attacks to trying to find bad hay that looks like good hay in a haystack: each attack is unique (meaning that signatures don't work), and each targeted attack is difficult to anticipate and identify.
Sutton said that the existing solutions for dealing with these attacks are inadequate. Preventative measures such as NoScript aren't practical for most end users, and there are no commonly definable IDS/IPS signatures on the network. Basically, Sutton conveyed that there is no silver bullet for this problem. If we have any hope of improving the situation, we are going to need a multifaceted solution that includes monitoring traffic, managing the content users have access to, merging data from other resources for comparison, and continually educating end users.
While most of the background discussion was a repeat for me, the talk really did a great job of pulling out some of the different aspects of web application security and categorizing them as naked browser attacks.
If you weren't able to attend this meetup, you can view the full slides here. You can also view our original post about this meetup for additional details.