A Single-Site Browser's impact on XSS, CSRF, and Clickjacking

Discussion in 'other software & services' started by Dermot7, Feb 11, 2012.

Thread Status:
Not open for further replies.
  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    https://blog.whitehatsec.com/a-single-site-browsers-impact-on-xss-csrf-and-clickjacking/
     
    Last edited: Feb 11, 2012
  2. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Very interesting!
    Isn't it possible to convert a regular browser into a "single-site browser"? For example, one could make a filter using AdBlock Plus to block everything and then add an exception for the site(s) one wants to allow?

    Edit: from the link, "Practically no one in the marketplace offers SSBs, you have to build them yourself. "
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You already can achieve this in Chromium (I think it was introduced back in Google Chrome as well).

    Example:

    "C:\Program Files\Chromium\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE *.google.com"

    In the above example, you'd be mapping everything to 127.0.0.1 (loopback), except google.com and any sub-domain. You could also map to -www.google.com, and in this case you'd only be able to connect to -www.google.com, but not any sub-domains.

    I've been running my Chromium profiles to access my e-mail accounts, Youtube and others this way for a long time now.

    To add more domains, you'd use a comma-separated list.

    --host-rules="MAP * 127.0.0.1, EXCLUDE *.google.com","MAP * 127.0.0.1, EXCLUDE *.wilderssecurity.com"

    ####

    From the explanation:

    Source: -http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc
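
Added example, not part of the original posts and not Chromium's code: a small Python model of how a --host-rules value like the one in the post above sorts hostnames, useful for checking a rule string before relying on it. It assumes rules are comma-separated, patterns are glob-style (`*`, `?`) matched against the whole lowercased hostname, and EXCLUDE wins over MAP; the function names and sample hostnames are made up for illustration.

```python
import re

def _glob(pattern):
    """Compile a hostname pattern; only '*' and '?' are treated as wildcards."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern.lower())
    return re.compile("".join(parts))

def parse_host_rules(value):
    """Split a --host-rules value into (map_rules, exclude_patterns)."""
    maps, excludes = [], []
    for raw in value.split(","):
        words = raw.split()
        if not words:
            continue
        verb = words[0].upper()
        if verb == "MAP" and len(words) == 3:
            maps.append((_glob(words[1]), words[2]))
        elif verb == "EXCLUDE" and len(words) == 2:
            excludes.append(_glob(words[1]))
        else:
            raise ValueError(f"unrecognised rule: {raw.strip()!r}")
    return maps, excludes

def destination(host, value):
    """Return where `host` ends up: itself if untouched, else the MAP target."""
    maps, excludes = parse_host_rules(value)
    host = host.lower()
    if any(p.fullmatch(host) for p in excludes):   # assumption: EXCLUDE wins
        return host
    for pattern, target in maps:
        if pattern.fullmatch(host):
            return target
    return host

def audit(value, hosts):
    """Map each hostname to its destination under the given rule string."""
    return {h: destination(h, value) for h in hosts}

if __name__ == "__main__":
    # Constructed sample hostnames, not taken from the thread.
    rules = "MAP * 127.0.0.1, EXCLUDE *.google.com"
    for host, dest in audit(rules, ["mail.google.com", "google.com",
                                    "notgoogle.com", "tracker.example"]).items():
        print(f"{host:20} -> {dest}")
```

Under these assumptions the bare host google.com does not match `*.google.com` and would need its own EXCLUDE entry to stay reachable.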
     
  4. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Also very interesting :)
    Did you encounter a time when it wasn't working?
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I have. I was the one reporting it*. :D After a while, they reintroduced it back. It's too valuable to kill it, IMHO. :D

    * It wasn't a bug. They had deliberately killed the --host-rules flag, before I reported it.
     
  6. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Yes, they claimed it was a dev thing only and that later some extension or the other would provide the facility. The nice thing about Chromium/Chrome is the number of switches available. Firefox has very few.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Firefox has way more - about:config is huge and you can create keys of your own. Chrome only has like... maybe 50-100 active flags, most of which don't do much.
     
  8. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Is about:config a command-line switch? Is it?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well you got me there lol
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There's also one other way to have Site-specific in Google Chrome, by going to Wrench - Tools - Create Application Shortcuts.

    I find the --host-rules flag a more elegant way, as you still retain the full browser (settings and all that). I suppose people always have different preferences, though. :)
     
  11. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I went back to the link referenced by Dermot7 in the first post. There's a comment linking to a pdf file (from Oct 2011 and co-authored by at least one Google heavyweight) that makes very difficult reading.

    The file is titled "App Isolation: Get the Security of Multiple Browsers with Just One". I wonder if things are more complicated than they appear :D
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    smart :thumb:
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Of course... lol
     
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Some more background reading:
    "App Isolation: Get the Security of Multiple Browsers with Just One" >>> link to pdf file -http://research.google.com/pubs/archive/37198.pdf-
    BTW, one of the authors, CR, is "an active ultimate frisbee player".
     