
Cure53 Browser Security White Paper

Dr.-Ing. Mario Heiderich, Cure53
Bielefelder Str. 14, D 10709 Berlin
cure53.de · [email protected]

Authors: Dr.-Ing. Mario Heiderich; Alex Inführ, MSc.; Fabian Fäßler, BSc.; Nikolai Krein, MSc.; Masato Kinugawa; Tsang-Chi "Filedescriptor" Hong, BSc.; Dario Weißer, BSc.; Dr. Paula Pustułka

Cure53, Berlin · 29.11.17 · 330 pages

List of Tables ..... 3
List of Figures ..... 5
Chapter 1. Introducing Cure53 BS White Paper ..... 7
    Browser Security Landscape: An Overview ..... 9
    The Authors ..... 13
    The Sponsor ..... 15
    Earlier Projects & Related Work ..... 15
    Research Scope ..... 16
    Version Details ..... 19
    Research Methodology, Project Schedule & Teams ..... 19
    Security Features ..... 24
Chapter 2. Memory Safety Features ..... 28
    Process Level Sandboxing ..... 45
Chapter 3. CSP, XFO, SRI & Other Security Features ..... 53
Chapter 4. DOM Security Features ..... 115
Chapter 5. Security Features of Browser Extensions & Plugins ..... 168
Chapter 6. UI Security Features ..... 216
    Other Features, Security Response & Observations ..... 268
Chapter 7. Conclusions & Final Verdict ..... 281
    Microsoft MSIE11 ..... 281
    Microsoft Edge ..... 284
    Google Chrome ..... 287
Scoring Tables ..... 290
    Memory Safety Features Meta-Table ..... 291
    CSP, XFO, SRI & other Security Features Meta-Table ..... 292
    DOM Security Features Meta-Table ..... 294
    Browser Extension & Plugin Security Meta-Table ..... 297
    UI Security Features & Other Aspects Meta-Table ..... 298
Appendix ..... 300

List of Tables

Table 1. Chrome Process List ..... 33
Table 2. MSIE Process List ..... 34
Table 3. Edge Process List ..... 36
Table 4. ASLR Policies ..... 39
Table 5. CFG Policies ..... 40
Table 6. Font Loading Policies ..... 41
Table 7. Dynamic Code Policies ..... 42
Table 8. Image Load Policies ..... 43
Table 9. Binary Signature Policies ..... 44
Table 10. System Call Disable Policies ..... 48
Table 11. Directory Access Test Results ..... 49
Table 12. File Access Test Results ..... 50
Table 13. Registry Access Test Results ..... 51
Table 14. Network Access Test Results ..... 52
Table 15. XFO Browser Support ..... 64
Table 16. X-UA-Compatible Browser Support ..... 69
Table 17. Content Sniffing Behavior across Browsers ..... 73
Table 18. Content-Type forcing across browsers ..... 74
Table 19. Number of supported non-standard Charsets ..... 80
Table 20. BOM support in the tested browsers ..... 81
Table 21. Priority of BOM over Content-Type ..... 81
Table 22. XSS Filter enables Charset XSS ..... 82
Table 23. X-XSS-Protection Filter Browser Support ..... 84
Table 24. Chances and outcomes of bypassing XSS Filters ..... 89
Table 25. XXN can introduce XSS ..... 92
Table 26. XSS Filters can introduce Infoleaks ..... 94
Table 27. Overview of CSP Directives by CSP Version ..... 96
Table 28. CSP Directive Support ..... 97
Table 29. Subresource Integrity Browser Support ..... 100
Table 30. Service Worker Browser Support ..... 102
Table 31. Security Zones Support ..... 110
Table 32. Plans for future Security Features ..... 111
Table 33. Number of DOM Properties exposed in window ..... 120
Table 34. SOP implementation flaws ..... 122
Table 35. Proper handling of document.domain ..... 123
Table 36. Browser Support of PSL ..... 124
Table 37. Browser Support of Secure Cookies ..... 128
Table 38. Browser Support of HttpOnly Cookies ..... 129
Table 39. Requests being considered top-level ..... 131
Table 40. Browser Support of SameSite Cookies ..... 131
Table 41. Browser Support of Cookie Prefixes ..... 133
Table 42. Cookie ordering across browsers ..... 134
Table 43. Browser limitations on Cookies ..... 135
Table 44. Ambiguous/invalid URL parsing ..... 136
Table 45. Unencoded location properties ..... 137
Table 46. Restricted Ports across browsers ..... 139
Table 47. URI schemes that allow script execution ..... 141
Table 48. Parsing of Character References ..... 143
Table 49. Non-Standard Attribute Quotes / JavaScript & CSS Whitespace ..... 145
Table 50. Support for non-alphanumeric Tag Names ..... 147
Table 51. mXSS Potential for text/html Data ..... 150
Table 52. Copy & Paste Security and Clipboard Sanitization ..... 151
Table 53. Location Spoofing for window / document ..... 156
Table 54. Location spoofing for window/document ..... 157
Table 55. Elements supporting named reference ..... 158
Table 56. Clobbering behaviors across Browsers ..... 160
Table 57. Sendable Headers for Simple Requests ..... 162
Table 58. Sendable Headers for Preflighted Requests ..... 163
Table 59. Readable Headers for Responses ..... 164
Table 60. Plans for future Security Features ..... 165
Table 61. Overview of Extension Support ..... 171
Table 62. Manifest Keys for Web Extensions on Chrome and Edge ..... 174
Table 63. Permissions supported in Web Extension ..... 177
Table 64. Web Extension deployment aspects ..... 180
Table 65. Web Extension security test results ..... 182
Table 66. ActiveX behavior with EPM ..... 191
Table 67. ActiveX vs. WebExtension ..... 191
Table 68. Google Chrome administration methods ..... 196
Table 69. Active Directory - Extension Policies for Chrome ..... 197
Table 70. Policies defined in the Google Admin Console ..... 199
Table 71. Key examples in Master Preferences ..... 202
Table 72. Technologies to administrate Microsoft Edge ..... 203
Table 73. Microsoft Edge admin policies for extensions ..... 203
Table 74. Technologies to administrate Internet Explorer ..... 205
Table 75. Active Directory policy files defined in the context of administrative extensions ..... 206
Table 76. Possible settings for IEAK tool ..... 210
Table 77. Extension administration ..... 212
Table 78. Roadmap for Edge Extensions ..... 213
Table 79. Google Chrome platform status ..... 213
Table 80. SSL Error behavior for MSIE11, Edge and Chrome ..... 223
Table 81. Security indicators for address bar ..... 229
Table 82. MSIE11/Edge language symbol with character information ..... 235
Table 83. Edge Group Policies ..... 264
Table 84. MSIE11 Group Policies ..... 264
Table 85. Chrome Group Policies ..... 266
Table 86. Password Manager Storage Security ..... 276
Table 87. Password Manager XSS Safety ..... 278
Table 88. UAF/U2F support in MSIE11, Edge and Chrome ..... 280
Table 89. Chapter 2 Scoring Table ..... 291
Table 90. Chapter 3 Scoring Table ..... 292
Table 91. Chapter 4 Scoring Table ..... 294
Table 92. Chapter 5 Scoring Table ..... 297
Table 93. Chapter 6 Scoring Table ..... 298
Table 94. WebExtension Proxy settings ..... 328

List of Figures

Figure 1. DEP Setting for all Browser Processes ..... 37
Figure 2. CFG Settings for all Browser Processes ..... 40
Figure 3. Different MSIE Gold bar for several file types ..... 103
Figure 4. Site Zones, security templates and fine-grained settings ..... 106
Figure 5. Permissions: Content Scripts vs WebView Tag ..... 185
Figure 6. Out-of-date ActiveX Filtering ..... 193
Figure 7. Out-of-date ActiveX opened outside of IE ..... 194
Figure 8. Active Directory policies on Chrome ..... 197
Figure 9. Extension Policies on Chrome ..... 197
Figure 10. Invalid CA error on MSIE11 ..... 225
Figure 11. Invalid CA error on Edge ..... 225
Figure 12. Invalid CA error on Chrome ..... 226
Figure 13. Invalid CA exception granted on MSIE11 ..... 227
Figure 14. Invalid CA exception granted on Edge ..... 227
Figure 15. Invalid CA exception granted on Chrome ..... 228
Figure 16. MSIE11 spoofing lock icon with a favicon ..... 231
Figure 17. Edge address bar bug ..... 231
Figure 18. Comparing effects of long domain names ..... 232
Figure 19. MSIE11 mixed content dialog ..... 233
Figure 20. ԍооԍӏе.com confusable in different Browsers ..... 235
Figure 21. data URI in Chrome version 59 ..... 236
Figure 22. Comparing EV certificates in MSIE11, Edge, and Chrome ..... 237
Figure 23. Browser behaviors with HTTP auth URLs ..... 238
Figure 24. HTTP authentication dialogs in different browsers ..... 239
Figure 25. window.showModalDialog() on MSIE11 ..... 241
Figure 26. Comparing alert() and prompt() on Edge and Chrome ..... 242
Figure 27. alert(), confirm() and prompt() on MSIE11 ..... 243
Figure 28. onbeforeunload box on MSIE11 ..... 244
Figure 29. onbeforeunload box on Edge ..... 244
Figure 30. onbeforeunload box on Chrome ..... 244
Figure 31. alert() from onbeforeunload event on MSIE11 ..... 245
Figure 32. Comparing default window.open windows ..... 246
Figure 33. Tabnabbing demo showing a tab redirected to a Gmail phishing s...