Web browsers and other mistakes
At Microsoft's Blue Hat gathering, a security researcher reveals a laundry list of attacks and how various browsers respond.
Correction, 3:40 p.m. PDT: This story initially misspelled Dan Kaminsky's last name.
On Friday at Microsoft's Blue Hat conference in Redmond, Wash., Alex "Kuza55" K. of SIFT challenged the software company and others to build a better Internet browser by detailing the many ways browsers fail to parse malicious code.
Dan Kaminsky, of IOActive, told CNET News.com that Kuza55 talked about the "obscure internal elements of things you can do to Web browsers. Like how to use browsers to attack other protocols. Or how to use text in a browser to attack other particular protocols."
Kuza55 started his talk by showing ways to use browser cookies for XSS attacks. In one method, "by abusing the path attribute (within a cookie) we can effectively overwrite cookies very specifically, or for the whole domain by setting lots of them." Kuza55's noted that in Firefox and in Opera there is a limit to the number of cookies that can be stored within each browser, with the oldest cookie being removed to make room for the new. Thus, it is possible for an attacker to overwrite the existing cookies in these browsers by exhausting the limit. Internet Explorer does not have such a limit.
The talk also addressed potential abuses of the FindMimeFromData function, discussed one directory transversal bug within Flash 188.8.131.52, and how to use 7-bit Unicode Transformation Format (UTF-7) as a means to inject encoded meta tags or encoded cross-site scripting into a browser. For the latter, Kuza55 cited the work of Yosuke Hasegawa.
Kuza55 also mentioned abuses of HTTP protocol, DNS, and subdomains. He faulted the browser makers several times for not providing enough documentation, and said he had to use trial and error to make these findings. Despite that, he's continuing his research.