Your Browser Is Sharing Your Secrets: Vulnerabilities Hiding In Plain Sight

Guido Vranken

Introduction

There are a number of factors that can affect or void the confidentiality of a web browsing session. Notable items include not using a secure channel (HTTPS) or using a misconfigured HTTPS endpoint, Cross-Site Scripting that can be used to intentionally transmit private information, session fixation, crossbreed attacks such as CRIME (which presupposes some session control as well as eavesdropping), and others.

Configuration of a website as well as penetration tests tend to focus on eliminating these risks so as to ensure confidentiality, while an old relic stemming from the HTTP protocol’s formative stage, and one which has assumed omnipresence on the web, remains largely ignored; from my experience both with bug bounties and with the production of external websites, I can attest that reliance on additional externally hosted JavaScript libraries tends to be preceded by less deliberation than some other, more infrastructural additions.

While the…
