browser security scorecard


David Lindsay

Jan 14, 2011, 1:35:01 PM
to OWASP Summit BrowserSec
Is anyone aware of a browser security scorecard project? I vaguely
remember seeing something along these lines a few months ago but
perhaps not...

Either way, I think it would be useful to have a track discussing such
things at the conference with the end goal being a new project to
track/measure browsers in this regard. The obvious comparison (to me
at least) is the Acid compatibility tests at acidtests.org, e.g.
http://acid3.acidtests.org/ These appear to be successful at getting
browsers to adhere better to standards and I believe a similar
security focused project could have a similar effect.

What do you all think? Is this worth pursuing? Is it worth having a
track for this at the summit?

Any feedback is welcome :)

Thanks!
-david

dinis cruz

Jan 14, 2011, 1:43:33 PM
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
Arshan tried to do that for that last Summit.

Arshan, can you share what happened and how far you got?

Dinis Cruz

John Wilander

Jan 14, 2011, 6:20:37 PM
to owasp-summi...@googlegroups.com
These are the places I've been surfing when investigating security features ...


Something like that you were thinking of?

   /J

2011/1/14 David Lindsay <thorn...@gmail.com>

John Wilander

Jan 14, 2011, 6:26:02 PM
to owasp-summi...@googlegroups.com
Then you have Google's BrowserSec Handbook with lots of tables:

I've spent a couple of hours there too. :)

  /J

2011/1/15 John Wilander <john.w...@owasp.org>

dinis cruz

Jan 14, 2011, 6:27:59 PM
to Arshan Dabirsiaghi, owasp-summi...@googlegroups.com, arshan.da...@gmail.com
see email below (forwarding Arshan's response since he is not on these lists)

For reference, here is some of the work Arshan did:
Dinis Cruz


On 14 January 2011 18:58, Arshan Dabirsiaghi <arshan.da...@aspectsecurity.com> wrote:

Not much happened. Me and Mario (who sadly ended up missing the conf) came up with a Google Docs spreadsheet noting some interesting security-relevant differences among browsers – then I realized the Google Browser Security Handbook made the data gathering look really half ass. Then we came up with another few initiatives that I later thought were too confrontational to pursue further (an open letter to the browsers, etc).


I would strongly encourage you to do this, though. In 2008 we created a Google Docs spreadsheet noting security features provided by programming frameworks (J2EE, .NET, ColdFusion, etc.). This led to some phone calls with Adobe and some frank communication with other vendors, hopefully effecting more change (some of it is still in the works) than I thought would be possible. Just don’t make it too confrontational, and I think you’ll do a lot of good.


FYI I think a lot of people lose credibility with browser/vendor folks by overstating risks. The browsers are guilty of 1,000,000 misdemeanors but not many real crimes.


Good luck,

Arshan

Browser Security Feature Matrix.pdf

David Lindsay

Jan 14, 2011, 7:11:52 PM
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
Wow, good info, everyone :) The browserscope.org website is the one I
recall seeing a couple of months ago. I'm happy to see that others at
OWASP have been thinking along the same lines.

I would like to see work continue where Arshan left off (or is
currently at). Would this make more sense as part of a current track
or a new one?

-david

Mario Heiderich

Jan 14, 2011, 7:18:07 PM
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
I found some ancient google docs in my folder - maybe that was what you guys referred to?


Cheers,
.mario

--
_________________________
php-ids.org | @0x6D6172696F
[[ø,_]=!''+'',[,,,$,,,æ]=!_+''+{}][$+æ+_+ø]+_ 

dinis cruz

Jan 16, 2011, 7:45:32 AM
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
Can you make sure that these docs and links are referenced in the Respective Browser Working Session page?

Those pages should be the single source of reference material for these working sessions (think of the attendee who is about to join the working session and wants to be aware of the current status).

Thx

Dinis Cruz

gaz Heyes

Jan 16, 2011, 2:56:32 PM
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
There is a "JS Check" button in Hackvertor which produces a report like this:

---Use strict---
with:true
eval can assign:true
this is:[object Window]
this call is:[object Window]
this apply is:[object Window]
duplicate object props:true
arguments.callee:true
arguments.caller:true
octals:true
delete on variables/func:true
---E4X---
Variables:true
Inline:true
---Variables---
constants:true
---Objects---
.create:false
.preventExtensions:false
.seal:false
.isSealed:false
.freeze:false
.isFrozen:false
.isExtensible:false
.getOwnPropertyDescriptor:false
.keys:false
.valueOf:true
.toSource:true
.toString:true
---Functions---
.name:true
.callee:true
.caller:true
unicode encoding:true
unicode encode parenthesis?:false
setter function x(){}:true
getter function x(){}:true
function get x(){}:false
function set x(){}:false
---Arrays---
indexOf():true
lastIndexOf():true
every():true
filter():true
forEach():true
map():true
some():true
reduce():true
reduceRight():true
---Strings---
String Indexes:true
---Getters/Setters---
__defineGetter__:true
__defineSetter__:true
__lookupGetter__:true
__lookupSetter__:true
Object.defineProperty:false
Object.defineProperties:false
---IE specific---
toStaticHTML():true
---Destructuring assignments---
Arrays:true
Assignment correct?:true
---Expression closures---
Variable:true
Inline:false
---DOM prototypes overwrites __syntax___---
location:false
location.hash:false
location.host:false
location.hostname:false
location.href:false
location.search:false
document.domain:true
document.referrer:true
document.URL:true
navigator.userAgent:true
---DOM prototypes overwrites defineProperty---
location:false
location.hash:false
location.host:false
location.hostname:false
location.href:false
location.search:false
document.domain:false
document.referrer:false
document.URL:false
navigator.userAgent:false

Sorta like a simple ES5 security check which we could improve
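
An added example, not Hackvertor's code or anything from the thread: a Node-runnable probe in the spirit of the report above, covering the strict-mode and object-hardening rows and producing the same "key:value" lines plus a scorecard of mismatches. The DOM rows have no window here, so a non-configurable built-in (Math.PI) stands in for the "overwrites defineProperty" checks.

```javascript
// Added example, not code from Hackvertor or the thread: each probe compiles or
// runs a snippet via new Function, so a SyntaxError/TypeError counts as "not allowed".
function compiles(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}
function runs(src, fallback) {
  try { return new Function(src)(); } catch (e) { return fallback; }
}

// Keys mirror the report's sections; true means "the engine permits it".
function jsCheck() {
  return {
    // ---Use strict--- : all of these are expected to be false in strict ES5
    'strict.with': compiles('"use strict"; with ({}) {}'),
    'strict.evalCanAssign': runs('"use strict"; eval("var leaked = 1"); return typeof leaked !== "undefined";', false),
    'strict.thisIsGlobal': runs('"use strict"; return (function () { return this; })() !== undefined;', false),
    'strict.argumentsCallee': runs('"use strict"; return typeof arguments.callee === "function";', false),
    'strict.octals': compiles('"use strict"; return 010;'),
    'strict.deleteOnVariables': compiles('"use strict"; var x = 1; delete x;'),
    // an ES5 strict-mode error, but legal again since ES2015, so informational only
    'strict.duplicateObjectProps': compiles('"use strict"; return {a: 1, a: 2};'),
    // ---Objects--- : hardening APIs present and actually effective
    'objects.create': typeof Object.create === 'function',
    'objects.freezeHolds': runs('"use strict"; var o = Object.freeze({a: 1}); try { o.a = 2; } catch (e) {} return o.a === 1;', false),
    'objects.sealHolds': runs('"use strict"; var o = Object.seal({}); try { o.b = 1; } catch (e) {} return !("b" in o);', false),
    // ---Getters/Setters---
    'getters.__defineGetter__': typeof Object.prototype.__defineGetter__ === 'function',
    'getters.defineProperty': typeof Object.defineProperty === 'function',
    // Stand-in for the "DOM prototypes overwrites defineProperty" rows: Math.PI is
    // non-configurable, so a correct engine must refuse to redefine it.
    'overwrite.MathPI': runs('"use strict"; try { Object.defineProperty(Math, "PI", {value: 3}); } catch (e) {} return Math.PI === 3;', false),
  };
}

// Expected answers for a hardened ES5 engine; the scorecard flags the mismatches.
const EXPECTED = {
  'strict.with': false, 'strict.evalCanAssign': false, 'strict.thisIsGlobal': false,
  'strict.argumentsCallee': false, 'strict.octals': false, 'strict.deleteOnVariables': false,
  'objects.create': true, 'objects.freezeHolds': true, 'objects.sealHolds': true,
  'getters.defineProperty': true, 'overwrite.MathPI': false,
};
function scorecard(results) {
  const failures = Object.keys(EXPECTED).filter(k => results[k] !== EXPECTED[k]);
  const checked = Object.keys(EXPECTED).length;
  return { checked, passed: checked - failures.length, failures };
}
// Same "key:value" lines as the report above.
function formatReport(results) {
  return Object.keys(results).map(k => k + ':' + results[k]).join('\n');
}
console.log(formatReport(jsCheck()));
console.log(scorecard(jsCheck()));
```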

David Lindsay

Jan 17, 2011, 5:12:00 PM
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
@Gareth Nice! How did you come up with that list to begin with?

I'll work on compiling links of the work done thus far. I'm still
looking for feedback on how to integrate it with the discussions at
the OWASP summit.

Thanks everyone,
-david

gaz Heyes

Jan 17, 2011, 5:32:13 PM
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
On 17 January 2011 22:12, David Lindsay <thorn...@gmail.com> wrote:
> @Gareth Nice! How did you come up with that list to begin with?

A mixture of hacking DOM objects to return evil values and reading the standard. Also finding flaws, like unicode-encoded parens in FF2 (awesome :) ); I just keep adding them as I find them. Some of them are feature tests and some are security checks; I think it would be cool to focus on security checks.