Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

From: Ryan Barnett <rcbarnett_at_gmail.com>
Date: Fri, 10 Aug 2007 20:27:48 -0400

Ivan Ristic wrote a proposal paper about a year ago called "Secure
Browsing Mode" that you might want to look at -
http://www.modsecurity.org/blog/archives/Secure_Browsing_Mode_Proposal.pdf

It also references Gervase's paper.

On 8/10/07, Anurag Agarwal <anurag.agarwal_at_yahoo.com> wrote:
> I am looking to get views from people on the list about a proposed security
> restriction in the browsers
>
> The browser should check with the webserver which domains it can interact
> with (load files from or submit post data to, etc) for that website. How the
> check is implemented is upto the browser.
>
> For example: If a page from mybank.com is trying to submit data to
> attacker.com then before submitting the data, the browser should check with
> the mybank.com if it is allowed to do so.
>
> Q1. is it reasonable?
> Q2. What are the pros and cons of this approach?
> Q3. Would it limit some types of browser attacks (like some xss vectors,
> etc)?
> Q4. Would it open any new types of attack vectors?
>
>
> I know there are security researchers, browser vendors, corporate security
> folks and various other smart webappsec people on this list. I would really
> appreciate if they can chip in with their 2 cents on this topic.
>
>
> Any feedback is highly appreciated
>
> Cheers,
>
> Anurag Agarwal
>
> SEEC - An application security search engine
> Web: www.attacklabs.com , www.myappsecurity.com
> Email : anurag.agarwal_at_yahoo.com
> Blog : http://myappsecurity.blogspot.com 

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------
Received on Aug 15 2007
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos