WebSpec, a formal framework for browser security analysis, reveals new cookie attack
Folks at Technische Universität Wien in Austria have devised a formal security framework called WebSpec to analyze browser security.
They've used it to identify multiple logical flaws affecting web browsers, revealing a new cookie-based attack and an unresolved Content Security Policy contradiction.
Browsers, as they explain in an academic paper, "WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms," have become tremendously complex and continue to become more so as additional components get added to the web platform.
New web platform components undergo compliance testing, the researchers say, but their specifications get reviewed manually by technical experts to understand how new technologies interact with legacy APIs and individual browser implementations.
"In particular, we show how WebSpec is able to discover a new attack on the `__Host-` prefix for cookies as well as a new inconsistency between the inheritance rules for the Content Security Policy and a planned change in the HTML standard," the paper explains.
In any event, the availability of WebSpec as a tool to formally evaluate browser behavior should make life a bit easier for those struggling to maintain sprawling browser codebases.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/01/08/webspec_browser_security/