WebSpec, a formal framework for browser security analysis, reveals new cookie attack
2022-01-08 08:45

Folks at Technische Universität Wien in Austria have devised a formal security framework called WebSpec to analyze browser security.

They've used it to identify multiple logical flaws affecting web browsers, revealing a new cookie-based attack and an unresolved Content Security Policy contradiction.

Browsers, as they explain in an academic paper, "WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms," have become tremendously complex and continue to become more so as additional components get added to the web platform.

New web platform components are tested for compliance, the researchers say, but the specifications themselves are still reviewed manually by experts, who must reason about how each new technology interacts with legacy APIs and with individual browser implementations.

"In particular, we show how WebSpec is able to discover a new attack on the __Host- prefix for cookies as well as a new inconsistency between the inheritance rules for the Content Security Policy and a planned change in the HTML standard," the paper explains.
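The page does not describe the attack itself, so the attack is not reproduced here. As an added example (not code from the WebSpec paper or from any browser), the block below encodes the invariants a browser must enforce for the cookie prefixes to mean anything, as laid out in the cookie specification (RFC 6265bis): a `__Host-` cookie must carry the Secure attribute, be set from a secure origin, have no Domain attribute, and have Path set to exactly "/"; a `__Secure-` cookie needs only the first two. The `Set-Cookie` lines in `demo()` are constructed samples; the function and helper names are this example's own.

```javascript
// Added example: checker for the __Host- / __Secure- cookie prefix rules
// (RFC 6265bis). Not from the WebSpec paper; it only shows which
// Set-Cookie lines a conforming browser must reject so that a __Host-
// cookie can be trusted to be host-locked, Secure-only and path "/".

// Minimal Set-Cookie parser: returns name, value and a lowercase-keyed
// attribute map. Attribute values are kept verbatim.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    if (!p) continue;
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i === -1 ? '' : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Returns the list of prefix-rule violations for one Set-Cookie header.
// An empty list means the prefix rules allow the cookie to be stored.
// fromSecureOrigin: whether the response (or document.cookie write)
// came from a secure origin such as https://.
function cookiePrefixViolations(header, fromSecureOrigin) {
  const { name, attrs } = parseSetCookie(header);
  const lower = name.toLowerCase(); // prefix match is case-insensitive
  const isHost = lower.startsWith('__host-');
  const isSecure = lower.startsWith('__secure-');
  const violations = [];
  if (!isHost && !isSecure) return violations; // unprefixed: no extra rules

  // Rules shared by both prefixes.
  if (!('secure' in attrs)) violations.push('missing Secure attribute');
  if (!fromSecureOrigin) violations.push('not set from a secure origin');

  // Extra rules for __Host-: no Domain, Path must be exactly "/".
  if (isHost) {
    if ('domain' in attrs) violations.push('Domain attribute not allowed');
    if (attrs.path !== '/') violations.push('Path must be exactly "/"');
  }
  return violations;
}

// Constructed sample headers (not real traffic) run through the checker.
// Returns a map from header to its violation list.
function demo() {
  const samples = [
    ['__Host-sid=abc; Secure; Path=/; HttpOnly', true],
    ['__Host-sid=abc; Secure; Path=/; Domain=example.com', true],
    ['__Host-sid=abc; Secure; Path=/app', true],
    ['__Host-sid=abc; Path=/', false],
    ['__Secure-sid=abc; Secure; Domain=example.com', true],
    ['sid=abc; Domain=example.com', false],
  ];
  const report = {};
  for (const [header, secureOrigin] of samples) {
    report[header] = cookiePrefixViolations(header, secureOrigin);
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [header, v] of Object.entries(demo())) {
    console.log(v.length === 0 ? 'ACCEPT' : 'REJECT', header, v.join('; '));
  }
}
```

The value of a prefix comes entirely from every write path honouring these checks; a verification effort like WebSpec is aimed at finding a path through the platform where one of them is not applied.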

In any event, the availability of WebSpec as a tool to formally evaluate browser behavior should make life a bit easier for those struggling to maintain sprawling browser codebases.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/08/webspec_browser_security/