Tw Book.book Page ix Tuesday, October 18, 2011 10:07 AM

CONTENTS IN DETAIL

The Tangled Web 2011 by Michal Zalewski

PREFACE  xvii
  Acknowledgments  xix

1  SECURITY IN THE WORLD OF WEB APPLICATIONS  1
  Information Security in a Nutshell  1
    Flirting with Formal Solutions  2
    Enter Risk Management  4
    Enlightenment Through Taxonomy  6
    Toward Practical Approaches  7
  A Brief History of the Web  8
    Tales of the Stone Age: 1945 to 1994  8
    The First Browser Wars: 1995 to 1999  10
    The Boring Period: 2000 to 2003  11
    Web 2.0 and the Second Browser Wars: 2004 and Beyond  12
  The Evolution of a Threat  14
    The User as a Security Flaw  14
    The Cloud, or the Joys of Communal Living  15
    Nonconvergence of Visions  15
    Cross-Browser Interactions: Synergy in Failure  16
    The Breakdown of the Client-Server Divide  17

PART I: ANATOMY OF THE WEB  21

2  IT STARTS WITH A URL  23
  Uniform Resource Locator Structure  24
    Scheme Name  24
    Indicator of a Hierarchical URL  25
    Credentials to Access the Resource  26
    Server Address  26
    Server Port  27
    Hierarchical File Path  27
    Query String  28
    Fragment ID  28
    Putting It All Together Again  29
  Reserved Characters and Percent Encoding  31
    Handling of Non-US-ASCII Text  32
  Common URL Schemes and Their Function  36
    Browser-Supported, Document-Fetching Protocols  36
    Protocols Claimed by Third-Party Applications and Plug-ins  36
    Nonencapsulating Pseudo-Protocols  37
    Encapsulating Pseudo-Protocols  37
    Closing Note on Scheme Detection  38
  Resolution of Relative URLs  38
  Security Engineering Cheat Sheet  40
    When Constructing Brand-New URLs Based on User Input  40
    When Designing URL Input Filters  40
    When Decoding Parameters Received Through URLs  40

3  HYPERTEXT TRANSFER PROTOCOL  41
  Basic Syntax of HTTP Traffic  42
    The Consequences of Supporting HTTP/0.9  44
    Newline Handling Quirks  45
    Proxy Requests  46
    Resolution of Duplicate or Conflicting Headers  47
    Semicolon-Delimited Header Values  48
    Header Character Set and Encoding Schemes  49
    Referer Header Behavior  51
  HTTP Request Types  52
    GET  52
    POST  52
    HEAD  53
    OPTIONS  53
    PUT  53
    DELETE  53
    TRACE  53
    CONNECT  54
    Other HTTP Methods  54
  Server Response Codes  54
    200–299: Success  54
    300–399: Redirection and Other Status Messages  55
    400–499: Client-Side Error  55
    500–599: Server-Side Error  56
    Consistency of HTTP Code Signaling  56
  Keepalive Sessions  56
  Chunked Data Transfers  57
  Caching Behavior  58
  HTTP Cookie Semantics  60
  HTTP Authentication  62
  Protocol-Level Encryption and Client Certificates  64
    Extended Validation Certificates  65
    Error-Handling Rules  65
  Security Engineering Cheat Sheet  67
    When Handling User-Controlled Filenames in Content-Disposition Headers  67
    When Putting User Data in HTTP Cookies  67
    When Sending User-Controlled Location Headers  67
    When Sending User-Controlled Redirect Headers  67
    When Constructing Other Types of User-Controlled Requests or Responses  67

4  HYPERTEXT MARKUP LANGUAGE  69
  Basic Concepts Behind HTML Documents  70
    Document Parsing Modes  71
    The Battle over Semantics  72
  Understanding HTML Parser Behavior  73
    Interactions Between Multiple Tags  74
    Explicit and Implicit Conditionals  75
    HTML Parsing Survival Tips  76
  Entity Encoding  76
  HTTP/HTML Integration Semantics  78
  Hyperlinking and Content Inclusion  79
    Plain Links  79
    Forms and Form-Triggered Requests  80
    Frames  82
    Type-Specific Content Inclusion  82
    A Note on Cross-Site Request Forgery  84
  Security Engineering Cheat Sheet  85
    Good Engineering Hygiene for All HTML Documents  85
    When Generating HTML Documents with Attacker-Controlled Bits  85
    When Converting HTML to Plaintext  85
    When Writing a Markup Filter for User Content  86

5  CASCADING STYLE SHEETS  87
  Basic CSS Syntax  88
    Property Definitions  89
    @ Directives and XBL Bindings  89
    Interactions with HTML  90
  Parser Resynchronization Risks  90
  Character Encoding  91
  Security Engineering Cheat Sheet  93
    When Loading Remote Stylesheets  93
    When Putting Attacker-Controlled Values into CSS  93
    When Filtering User-Supplied CSS  93
    When Allowing User-Specified Class Values on HTML Markup  93

6  BROWSER-SIDE SCRIPTS  95
  Basic Characteristics of JavaScript  96
    Script Processing Model  97
    Execution Ordering Control  100
    Code and Object Inspection Capabilities  101
    Modifying the Runtime Environment  102
    JavaScript Object Notation and Other Data Serializations  104
    E4X and Other Syntax Extensions  106
  Standard Object Hierarchy  107
    The Document Object Model  109
    Access to Other Documents  111
  Script Character Encoding  112
  Code Inclusion Modes and Nesting Risks  113
  The Living Dead: Visual Basic  114
  Security Engineering Cheat Sheet  115
    When Loading Remote Scripts  115
    When Parsing JSON Received from the Server  115
    When Putting User-Supplied Data Inside JavaScript Blocks  115
    When Interacting with Browser Objects on the Client Side  115
    If You Want to Allow User-Controlled Scripts on Your Page  116

7  NON-HTML DOCUMENT TYPES  117
  Plaintext Files  117
  Bitmap Images  118
  Audio and Video  119
  XML-Based Documents  119
    Generic XML View  120
    Scalable Vector Graphics  121
    Mathematical Markup Language  122
    XML User Interface Language  122
    Wireless Markup Language  123
    RSS and Atom Feeds  123
  A Note on Nonrenderable File Types  124
  Security Engineering Cheat Sheet  125
    When Hosting XML-Based Document Formats  125
    On All Non-HTML Document Types  125

8  CONTENT RENDERING WITH BROWSER PLUG-INS  127
  Invoking a Plug-in  128
    The Perils of Plug-in Content-Type Handling  129
  Document Rendering Helpers  130
  Plug-in-Based Application Frameworks  131
    Adobe Flash  132
    Microsoft Silverlight  134
    Sun Java  134
    XML Browser Applications (XBAP)  135
  ActiveX Controls  136
  Living with Other Plug-ins  137
  Security Engineering Cheat Sheet  138
    When Serving Plug-in-Handled Files  138
    When Embedding Plug-in-Handled Files  138
    If You Want to Write a New Browser Plug-in or ActiveX Component  138

PART II: BROWSER SECURITY FEATURES  139

9  CONTENT ISOLATION LOGIC  141
  Same-Origin Policy for the Document Object Model  142
    document.domain  143
    postMessage(...)  144
    Interactions with Browser Credentials  145
  Same-Origin Policy for XMLHttpRequest  146
  Same-Origin Policy for Web Storage  148
  Security Policy for Cookies  149
    Impact of Cookies on the Same-Origin Policy  150
    Problems with Domain Restrictions  151
    The Unusual Danger of "localhost"  152
    Cookies and "Legitimate" DNS Hijacking  153
  Plug-in Security Rules  153
    Adobe Flash  154
    Microsoft Silverlight  157
    Java  157
  Coping with Ambiguous or Unexpected Origins  158
    IP Addresses  158
    Hostnames with Extra Periods  159
    Non–Fully Qualified Hostnames  159
    Local Files  159
    Pseudo-URLs  161
    Browser Extensions and UI  161
  Other Uses of Origins  161
  Security Engineering Cheat Sheet  162
    Good Security Policy Hygiene for All Websites  162
    When Relying on HTTP Cookies for Authentication  162
    When Arranging Cross-Domain Communications in JavaScript  162
    When Embedding Plug-in-Handled Active Content from Third Parties  162
    When Hosting Your Own Plug-in-Executed Content  163
    When Writing Browser Extensions  163

10  ORIGIN INHERITANCE  165
  Origin Inheritance for about:blank  166
  Inheritance for data: URLs  167
  Inheritance for javascript: and vbscript: URLs  169
  A Note on Restricted Pseudo-URLs  170
  Security Engineering Cheat Sheet  172

11  LIFE OUTSIDE SAME-ORIGIN RULES  173
  Window and Frame Interactions  174
    Changing the Location of Existing Documents  174
    Unsolicited Framing  178
  Cross-Domain Content Inclusion  181
    A Note on Cross-Origin Subresources  183
  Privacy-Related Side Channels  184
  Other SOP Loopholes and Their Uses  185
  Security Engineering Cheat Sheet  186
    Good Security Hygiene for All Websites  186
    When Including Cross-Domain Resources  186
    When Arranging Cross-Domain Communications in JavaScript  186

12  OTHER SECURITY BOUNDARIES  187
  Navigation to Sensitive Schemes  188
  Access to Internal Networks  189
  Prohibited Ports  190
  Limitations on Third-Party Cookies  192
  Security Engineering Cheat Sheet  195
    When Building Web Applications on Internal Networks  195
    When Launching Non-HTTP Services, Particularly on Nonstandard Ports  195
    When Using Third-Party Cookies for Gadgets or Sandboxed Content  195

13  CONTENT RECOGNITION MECHANISMS  197
  Document Type Detection Logic  198
    Malformed MIME Types  199
    Special Content-Type Values  200
    Unrecognized Content Type  202
    Defensive Uses of Content-Disposition  203
    Content Directives on Subresources  204
    Downloaded Files and Other Non-HTTP Content  205
  Character Set Handling  206
    Byte Order Marks  208
    Character Set Inheritance and Override  209
    Markup-Controlled Charset on Subresources  209
    Detection for Non-HTTP Files  210
  Security Engineering Cheat Sheet  212
    Good Security Practices for All Websites  212
    When Generating Documents with Partly Attacker-Controlled Contents  212
    When Hosting User-Generated Files  212

14  DEALING WITH ROGUE SCRIPTS  213
  Denial-of-Service Attacks  214
    Execution Time and Memory Use Restrictions  215
    Connection Limits  216
    Pop-Up Filtering  217
    Dialog Use Restrictions  218
  Window-Positioning and Appearance Problems  219
  Timing Attacks on User Interfaces  222
  Security Engineering Cheat Sheet  224
    When Permitting User-Created iframe Gadgets on Your Site  224
    When Building Security-Sensitive UIs  224

15  EXTRINSIC SITE PRIVILEGES  225
  Browser- and Plug-in-Managed Site Permissions  226
    Hardcoded Domains  227
  Form-Based Password Managers  227
  Internet Explorer's Zone Model  229
    Mark of the Web and Zone.Identifier  231
  Security Engineering Cheat Sheet  232
    When Requesting Elevated Permissions from Within a Web Application  232
    When Writing Plug-ins or Extensions That Recognize Privileged Origins  232

PART III: A GLIMPSE OF THINGS TO COME  233

16  NEW AND UPCOMING SECURITY FEATURES  235
  Security Model Extension Frameworks  236
    Cross-Domain Requests  236
    XDomainRequest  239
    Other Uses of the Origin Header  240
  Security Model Restriction Frameworks  241
    Content Security Policy  242
    Sandboxed Frames  245
    Strict Transport Security  248
    Private Browsing Modes  249
  Other Developments  250
    In-Browser HTML Sanitizers  250
    XSS Filtering  251
  Security Engineering Cheat Sheet  253

17  OTHER BROWSER MECHANISMS OF NOTE  255
  URL- and Protocol-Level Proposals  256
  Content-Level Features  258
  I/O Interfaces  259

18  COMMON WEB VULNERABILITIES  261
  Vulnerabilities Specific to Web Applications  262
  Problems to Keep in Mind in Web Application Design  263
  Common Problems Unique to Server-Side Code  265

EPILOGUE  267

NOTES  269

INDEX  273

HYPERTEXT TRANSFER PROTOCOL

The next essential concept we need to discuss is the Hypertext Transfer Protocol (HTTP): the core transfer mechanism of the Web and the preferred method for exchanging URL-referenced documents between servers and clients. Despite having hypertext in its name, HTTP and the actual hypertext content (the HTML language) often exist independent of each other. That said, they are intertwined in sometimes surprising ways.

The history of HTTP offers interesting insight into its authors' ambitions and the growing relevance of the Internet. Tim Berners-Lee's earliest 1991 draft o
