May 2, 2008 2:50 PM PDT

Web browsers and other mistakes

Posted by Robert Vamosi

Correction, 3:40 p.m. PDT: This story initially misspelled Dan Kaminsky's last name.

On Friday at Microsoft's Blue Hat conference in Redmond, Wash., Alex "Kuza55" K. of SIFT challenged the software company and others to build a better Internet browser by detailing the many ways browsers fail to parse malicious code.

In the talk, Kuza55 included details on how various attacks use logged out cross-site scripting (XSS), cross-site reference frame-protected cross-site scripting, JavaScript hijacking, session fixation, XSS reference frame token fixation, and CSRF vulnerabilities to compromise desktop Internet browsers. The talk was provided to CNET as a PowerPoint presentation.

Dan Kaminsky, of IOActive, told CNET News.com that Kuza55 talked about the "obscure internal elements of things you can do to Web browsers. Like how to use browsers to attack other protocols. Or how to use text in a browser to attack other particular protocols."

Kuza55 started his talk by showing ways to use browser cookies for XSS attacks. In one method, "by abusing the path attribute (within a cookie) we can effectively overwrite cookies very specifically, or for the whole domain by setting lots of them." Kuza55's noted that in Firefox and in Opera there is a limit to the number of cookies that can be stored within each browser, with the oldest cookie being removed to make room for the new. Thus, it is possible for an attacker to overwrite the existing cookies in these browsers by exhausting the limit. Internet Explorer does not have such a limit.

The talk also addressed potential abuses of the FindMimeFromData function, discussed one directory transversal bug within Flash 9.0.124.0, and how to use 7-bit Unicode Transformation Format (UTF-7) as a means to inject encoded meta tags or encoded cross-site scripting into a browser. For the latter, Kuza55 cited the work of Yosuke Hasegawa.

Kuza55 also mentioned abuses of HTTP protocol, DNS, and subdomains. He faulted the browser makers several times for not providing enough documentation, and said he had to use trial and error to make these findings. Despite that, he's continuing his research.