browser security scorecard

11 views
Skip to first unread message

David Lindsay

unread,
Jan 14, 2011, 1:35:01 PM1/14/11
to OWASP Summit BrowserSec
Is anyone aware of a browser security scorecard project? I vaguely
remember seeing something along these lines a few months ago but
perhaps not...

Either way, I think it would be useful to have a track discussing such
things at the conference with the end goal being a new project to
track/measure browsers in this regard. The obvious comparison (to me
at least) is the Acid compatibility tests at acidtests.org, e.g.
http://acid3.acidtests.org/ These appear to be successful at getting
browsers to adhere better to standards and I believe a similar
security focused project could have a similar effect.

What do you all think? Is this worth pursuing? Is it worth having a
track for this at the summit?

Any feedback is welcome :)

Thanks!
-david

dinis cruz

unread,
Jan 14, 2011, 1:43:33 PM1/14/11
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
Arshan tried to do that for that last Summit.

Arshan, can you share what happened and how far did you got?

Dinis Cruz

John Wilander

unread,
Jan 14, 2011, 6:20:37 PM1/14/11
to owasp-summi...@googlegroups.com
These are the places I've been surfing when investigating security features ...


Something like that you were thinking of?

   /J

2011/1/14 David Lindsay <thorn...@gmail.com>

John Wilander

unread,
Jan 14, 2011, 6:26:02 PM1/14/11
to owasp-summi...@googlegroups.com
Then you have Google's BrowserSec Handbook with lots of tables:

I've spent a couple of hours there too. :)

  /J

2011/1/15 John Wilander <john.w...@owasp.org>

dinis cruz

unread,
Jan 14, 2011, 6:27:59 PM1/14/11
to Arshan Dabirsiaghi, owasp-summi...@googlegroups.com, arshan.da...@gmail.com
see email below (forwarding Arshan's response since he is not on these lists)

For reference, here is some of the work Arshan did:
Dinis Cruz


On 14 January 2011 18:58, Arshan Dabirsiaghi <arshan.da...@aspectsecurity.com> wrote:

Not much happened. Me and Mario (who sadly ended up missing the conf) came up with a Google Docs spreadsheet noting some interesting security-relevant differences among browsers – then I realized the Google Browser Security Handbook made the data gathering look really half ass. Then we came up with another few initiatives that I later thought were too confrontational to pursue further (an open letter to the browsers, etc).

 

I would strongly encourage you to do this, though. In 2008 we created a Google Docs spreadsheet noting security features provided by programming frameworks (J2EE, .NET, ColdFusion, etc.). This led to some phone calls with Adobe and some frank communication with other vendors, hopefully effecting more change (some of it is still in the works) than I thought would be possible. Just don’t make it too confrontational, and I think you’ll do a lot of good.

 

FYI I think a lot of people lose credibility with browser/vendor folks by overstating risks. The browsers are guilty of 1,000,000 misdemeanors but not many real crimes.

 

Good luck,

Arshan

Browser Security Feature Matrix.pdf

David Lindsay

unread,
Jan 14, 2011, 7:11:52 PM1/14/11
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
Wow, good info, everyone :) The browserscope.org website is the one I
recall seeing a couple of months ago. I'm happy to see that others at
OWASP have been thinking along the same lines.

I would like to see work continue where Arshan left off (or is
currently at). Would this make more sense as part of a current track
or a new one?

-david

Mario Heiderich

unread,
Jan 14, 2011, 7:18:07 PM1/14/11
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
I found some ancient google docs in my folder - maybe that was what you guys referred to?


Cheers,
.mario

--
_________________________
php-ids.org | @0x6D6172696F
[[ø,_]=!''+'',[,,,$,,,æ]=!_+''+{}][$+æ+_+ø]+_ 

dinis cruz

unread,
Jan 16, 2011, 7:45:32 AM1/16/11
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
Can you make sure that these docs and links are referenced in the Respective Browser Working Session page?

Those pages should be the single source of reference material for these working Session (think of the attendee that is about to join the working session and wants to be aware of the current status)

Thx

Dinis Cruz

gaz Heyes

unread,
Jan 16, 2011, 2:56:32 PM1/16/11
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
There is a "JS Check" button in Hackvertor which produces a report like this:-

---Use strict---
with:true
eval can assign:true
this is:[object Window]
this call is:[object Window]
this apply is:[object Window]
duplicate object props:true
arguments.callee:true
arguments.caller:true
octals:true
delete on variables/func:true
---E4X---
Variables:true
Inline:true
---Variables---
constants:true
---Objects---
.create:false
.preventExtensions:false
.seal:false
.isSealed:false
.freeze:false
.isFrozen:false
.isExtensible:false
.getOwnPropertyDescriptor:false
.keys:false
.valueOf:true
.toSource:true
.toString:true
---Functions---
.name:true
.callee:true
.caller:true
unicode encoding:true
unicode encode parenthesis?:false
setter function x(){}:true
getter function x(){}:true
function get x(){}:false
function set x(){}:false
---Arrays---
indexOf():true
lastIndexOf():true
every():true
filter():true
forEach():true
map():true
some():true
reduce():true
reduceRight():true
---Strings---
String Indexes:true
---Getters/Setters---
__defineGetter__:true
__defineSetter__:true
__lookupGetter__:true
__lookupSetter__:true
Object.defineProperty:false
Object.defineProperties:false
---IE specific---
toStaticHTML():true
---Destructuring assignments---
Arrays:true
Assignment correct?:true
---Expression closures---
Variable:true
Inline:false
---DOM prototypes overwrites __syntax___---
location:false
location.hash:false
location.host:false
location.hostname:false
location.href:false
location.search:false
document.domain:true
document.referrer:true
document.URL:true
navigator.userAgent:true
---DOM prototypes overwrites defineProperty---
location:false
location.hash:false
location.host:false
location.hostname:false
location.href:false
location.search:false
document.domain:false
document.referrer:false
document.URL:false
navigator.userAgent:false

Sorta like a simple ES5 security check which we could improve

David Lindsay

unread,
Jan 17, 2011, 5:12:00 PM1/17/11
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
@Gareth Nice! How did you come up with that list to begin with?

I'll work on compiling links of the work done thus far. I'm still
looking for feedback on how to integrate it with the discussions at
the OWASP summit.

Thanks everyone,
-david

gaz Heyes

unread,
Jan 17, 2011, 5:32:13 PM1/17/11
to owasp-summi...@googlegroups.com, Arshan Dabirsiaghi, arshan.da...@gmail.com
On 17 January 2011 22:12, David Lindsay <thorn...@gmail.com> wrote:
@Gareth Nice!  How did you come up with that list to begin with?

A mixture of hacking DOM objects to return evil values and reading the standard. Also finding flaws, like unicode encoded parens in FF2 (awesome :) ), I just keep adding them as I find em. Some of them are feature tests and some are security checks, I think it would be cool to focus on security checks
Reply all
Reply to author
Forward
0 new messages