DevelopSec

AppSec

by Leave a Comment

Chrome is making some changes.. are you ready?

Last year, Chrome announced that it was making a change to default cookies to SameSite:Lax if there is no SameSite setting explicitly set. I wrote about this change last year (https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/). This change could have an impact on some sites, so it is important that you test this out. The changes are supposed to start rolling out in February (this month). The linked post shows how to force these defaults in both FireFox and Chrome.

In addition to this, Chrome has announced that it is going to start blocking mixed-content downloads (https://blog.chromium.org/2020/02/protecting-users-from-insecure.html). In this case, they are starting in Chrome 83 (June 2020) with blocking executable file downloads (.exe, .apk) that are over HTTP but requested from an HTTPS site.

The issue at hand is that users are mislead into thinking the download is secure due to the requesting page indicating it is over HTTPS. There isn’t a way for them to clearly see that the request is insecure. The linked Chrome blog describes a timeline of how they will slowly block all mixed-content types.

For many sites this might not be a huge concern, but this is a good time to check your sites to determine if you have any type of mixed content and ways to mitigate this.

You can identify mixed content on your site by using the Javascript Console. It can be found under the Developer Tools in your browser. This will prompt a warning when it identifies mixed content. There may also be some scanners you can use that will crawl your site looking for mixed content.

To help mitigate this from a high level, you could implement CSP to upgrade insecure requests:

Content-Security-Policy: upgrade-insecure-requests

This can help by upgrading insecure requests, but it is not supported in all browsers. The following post goes into a lot of detail on mixed content and some ways to resolve it: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content

The increase in protections of the browsers can help reduce the overall threats, but always remember that it is the developer’s responsibility to implement the proper design and protections. Not all browsers are the same and you can’t rely on the browser to provide all the protections.

by Leave a Comment

Ep. 117: How Browsers are Helping with Security

Browsers play a role in web application security, but where does their responsibility stop and the developer’s start? In this episode, we are going to discuss a few changes happening in the Chrome browser, that change security by default.

Listen to the Episode:

SameSite Default
Chrome has announced a few changes that we need to watch out for in the near future. We previously talked about the default value for samesite that is coming up fast. I wrote about this here: https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/

This change could impact any application and as developers we should be aware of security defaults in the browsers.

Mixed Content
Also, they are getting ready to start blocking mixed content downloads:
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html

For more info go to https://www.developsec.com or follow us on twitter (@developsec).

[Read more…] about Ep. 117: How Browsers are Helping with Security

by Leave a Comment

Ep. 116: Chrome Retires XSS Auditor

Do you rely on the browser to protect your application from Cross-Site Scripting? Over the years, many of the popular browsers attempted to create these XSS filters to help reduce the risk of the vulnerability. Unfortunately, over the years we have seen a lot of bypasses to these filters. Chrome announced they are removing their XSS Auditor. Hear some of our thoughts on the changes.

Listen to the Episode:

 

References

https://www.chromium.org/developers/design-documents/xss-auditor

[Read more…] about Ep. 116: Chrome Retires XSS Auditor

by Leave a Comment

Ep. 115: Is CSRF Really Dead?

In 2020, Chrome will default the SameSite attribute to Lax on all cookies. SameSite helps mitigate CSRF, but does that mean CSRF is Dead?

For more info go to https://www.developsec.com or follow us on twitter (@developsec).

Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.

 DevelopSec provides application security training to add value to your application security program. Contact us today to see how we can help.

[Read more…] about Ep. 115: Is CSRF Really Dead?

by Leave a Comment

Ep. 114: Investing in People for Better Application Security

In this episode, James talks about investing in the development teams to increase application security priorities.

For more info go to https://www.developsec.com or follow us on twitter (@developsec).

Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.

 DevelopSec provides application security training to add value to your application security program. Contact us today to see how we can help.

[Read more…] about Ep. 114: Investing in People for Better Application Security

by Leave a Comment

Interesting Browser Difference

Update 8/16/19 – It appears that not long after I published this, Chrome sent an update that now mimics FireFox. In Chrome you now get a new tab that has a URL of “about:blank#blocked”.

When working on a recent test I noticed something pretty interesting when I had found what I thought was a Cross-Site Scripting vulnerability. I have posted previously on the ability to execute XSS when you control the HREF attribute of a link tag. This is done by setting a url to javascript:alert(9);. This might look like:

<a href=”javascript:alert(9);”>Click Me</a>

This is similar to the situation I had. However, when I was testing with FireFox, I found that the alert box was not appearing. Instead, when I clicked the link, it would open a new tab and the URL would be javascript:alert(9);. No Alert box. What gives??

So I could see the payload there, but it wouldn’t execute. I was confused. I decided to load up Chrome and see what happens there. To my surprise, although it is what I originally expected, the alert box was displayed.

It turns out, the link tag wasn’t as simple as the above example. Instead it looked more like this:

<a href=”javascript:alert(9);” target=”_blank” rel=”noopener no referrer”>Click Me</a>

After performing a little more testing, it appears that when the target and red attributes exist, Firefox opens a new tab instead of executing the specified JavaScript. I m not sure if this is a bug in how FireFox handles this scenario or not, but it does highlight an interesting point about differences with browsers.

In the event your testing runs across this same type of scenario, take the time to try different browsers to see if the results change.