Cure53 Browser Security White Paper

Dr.-Ing. Mario Heiderich, Cure53 Bielefelder Str. 14 D 10709 Berlin cure53.de · [email protected]

Authors: Dr.-Ing. Mario Heiderich; Alex Inführ, MSc.; Fabian Fäßler, BSc.; Nikolai Krein, MSc.; Masato Kinugawa; Tsang-Chi "Filedescriptor" Hong, BSc.; Dario Weißer, BSc.; Dr. Paula Pustułka

Cure53, Berlin · 29.11.17 1/330

  • List of Tables
  • List of Figures
  • Chapter 1. Introducing Cure53 BS White Paper
  • Browser Security Landscape: An Overview
  • The Authors
  • The Sponsor
  • Earlier Projects & Related Work
  • Research Scope
  • Version Details
  • Research Methodology, Project Schedule & Teams
  • Security Features
  • Chapter 2. Memory Safety Features
  • Process Level Sandboxing
  • Chapter 3. CSP, XFO, SRI & Other Security Features
  • Chapter 4. DOM Security Features
  • Chapter 5. Security Features of Browser Extensions & Plugins
  • Chapter 6. UI Security Features
  • Other Features, Security Response & Observations
  • Chapter 7. Conclusions & Final Verdict
  • Microsoft MSIE11
  • Microsoft Edge
  • Google Chrome
  • Scoring Tables
  • Memory Safety Features Meta-Table
  • CSP, XFO, SRI & other Security Features Meta-Table
  • DOM Security Features Meta-Table
  • Browser Extension & Plugin Security Meta-Table
  • UI Security Features & Other Aspects Meta-Table
  • Appendix

List of Tables

  • Table 1. Chrome Process List
  • Table 2. MSIE Process List
  • Table 3. Edge Process List
  • Table 4. ASLR Policies
  • Table 5. CFG Policies
  • Table 6. Font Loading Policies
  • Table 7. Dynamic Code Policies
  • Table 8. Image Load Policies
  • Table 9. Binary Signature Policies
  • Table 10. System Call Disable Policies
  • Table 11. Directory Access Test Results
  • Table 12. File Access Test Results
  • Table 13. Registry Access Test Results
  • Table 14. Network Access Test Results
  • Table 15. XFO Browser Support
  • Table 16. X-UA-Compatible Browser Support
  • Table 17. Content Sniffing Behavior across Browsers
  • Table 18. Content-Type forcing across browsers
  • Table 19. Number of supported non-standard Charsets
  • Table 20. BOM support in the tested browsers
  • Table 21. Priority of BOM over Content-Type
  • Table 22. XSS Filter enables Charset XSS
  • Table 23. X-XSS-Protection Filter Browser Support
  • Table 24. Chances and outcomes of bypassing XSS Filters
  • Table 25. XXN can introduce XSS
  • Table 26. XSS Filters can introduce Infoleaks
  • Table 27. Overview of CSP Directives by CSP Version
  • Table 28. CSP Directive Support
  • Table 29. Subresource Integrity Browser Support
  • Table 30. Service Worker Browser Support
  • Table 31. Security Zones Support
  • Table 32. Plans for future Security Features
  • Table 33. Number of DOM Properties exposed in window
  • Table 34. SOP implementation flaws
  • Table 35. Proper handling of document.domain
  • Table 36. Browser Support of PSL
  • Table 37. Browser Support of Secure Cookies
  • Table 38. Browser Support of HttpOnly Cookies
  • Table 39. Requests being considered top-level
  • Table 40. Browser Support of SameSite Cookies
  • Table 41. Browser Support of Cookie Prefixes
  • Table 42. Cookie ordering across browsers

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    330 Page
  • File Size
    -
