A Single-Site Browser's impact on XSS, CSRF, and Clickjacking

Discussion in 'other software & services' started by Dermot7, Feb 11, 2012.

Thread Status:
Not open for further replies.
  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,319
    Location:
    Surrey, England.
    https://blog.whitehatsec.com/a-single-site-browsers-impact-on-xss-csrf-and-clickjacking/
     
    Last edited: Feb 11, 2012
  2. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,267
    Very interesting!
    Isn't it possible to convert a regular browser into a "single-site browser"? For example, one could make a filter using AdBlock Plus to block everything and then add an exception for the site(s) one wants to allow?

    Edit: from the link, "Practically no one in the marketplace offers SSBs, you have to build them yourself. "
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You already can achieve this in Chromium (I think it was introduced back in Google Chrome as well.).

    Example:

    "C:\Program Files\Chromium\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE *.google.com"

    In the above example, you'd be mapping everything to 127.0.0.1 (loopback), except google.com and any sub-domain. You could also map to -www.google.com, and in this case you'd only be able to connect to -www.google.com, but not any sub-domains.

    I've been running my Chromium profiles to access my e-mail accounts, Youtube and others this way for a long time now.

    To add more domains, you'd use a comma separated list.

    --host-rules="MAP * 127.0.0.1, EXCLUDE *.google.com","MAP * 127.0.0.1, EXCLUDE *.wilderssecurity.com"

    ####

    From the explanation:

    Source: -http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc
     
  4. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,267
    Also very interesting :)
    Did you encounter a time when it wasn't working?
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I have. I was the one reporting it*. :D After a while, they reintroduced it back. It's too valuable to kill it, IMHO. :D

    * It wasn't a bug. They had deliberately killed the --host-rules flag, before I reported it.
     
  6. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,267
    Yes, they claimed it was a dev thing only and that later some extension or the other would provide the facility. The nice thing about Chromium/Chrome is the number of switches available. Firefox has very few.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Firefox has way more - about:config is huge and you can create keys of your own. Chrome only has like... maybe 50-100 active flags, most of which don't do much.
     
  8. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,267
    Is about:config a command-line switch? Is it?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well you got me there lol
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There's also one other way to have Site-specific in Google Chrome, by going to Wrench - Tools - Create Application Shortcuts.

    I find the --host-rules flag a more elegant way, as you still retain the full browser (settings and all that). I suppose people always have different preferences, though. :)
     
  11. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,267
    I went back to the link referenced by Dermot7 in the first post. There's a comment linking to a pdf file (from Oct 2011 and co-authored by at least one Google heavyweight) that makes very difficult reading.

    The file is titled "App Isolation: Get the Security of Multiple Browsers with Just One". I wonder if things are more complicated than they appear :D
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    smart :thumb:
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Of course... lol
     
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,267
    Some more background reading:
    "App Isolation: Get the Security of Multiple Browsers with Just One" >>> link to pdf file -http://research.google.com/pubs/archive/37198.pdf-
    BTW, one of the authors, CR, is "an active ultimate frisbee player".
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.