Your Browser Is Sharing Your Secrets: Vulnerabilities Hiding In Plain Sight

Guido Vranken


There are a number of factors that can affect or void the confidentiality of a web browsing session. Notable items include not using a secure channel (HTTPS) or using an ill-configured HTTPS endpoint, Cross-Site Scripting that can be used to intentionally transmit private information, session fixation, and crossbreed attacks such as CRIME (presupposes some session control as well as eavesdropping), and others.

Configuration of a website as well as penetration tests tend to focus on eliminating these risks so as to ensure confidentiality, while an old relic stemming from the HTTP protocol’s formative stage, – and one which has assumed omnipresence on the web –, remains largely ignored; from both my experience with bug bounties as well with the production of external websites I can attest that reliance on additional externally hosted JavaScript libraries tends to be preceded by less deliberation than some other, more infrastructural additions.

While the…

View original post 2,032 more words


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: