tw_book.book Page 283 Tuesday, October 18, 2011 10:07 AM
The Tangled Web © 2011 by Michal Zalewski

INDEX

Symbols & Numbers

& (ampersand), in HTML, 71
< > (angle brackets)
    browser interpretation, 74–75
    in HTML, 71
<![CDATA[...]]> blocks, 72, 78, 250
<!DOCTYPE> directive, 71
<!ENTITY> directive, 76
<!-- and -->, for HTML comments, 72
<% ... %> blocks, 75
@ directives, in CSS, 89–90
\ (backslashes) in URLs, browser acceptance of, 29
` (backticks), as quote characters, 74, 111
!- directives, 76
// fixed string, in URLs, 25
% (percent sign), for character encoding, 31
. (period), hostnames with, and cookie-setting algorithms, 159
?-directives, 76
<?xml-stylesheet href=... ?> directive, 88
; (semicolon), as delimiter
    in HTTP headers, 48–49
    in URLs, 29
200–299 status codes, 54
300–399 status codes, 55
400–499 status codes, 55–56
500–599 status codes, 56

A

<a href=...> tag (HTML), 79
    target parameter, 174–175
about:blank document, origin inheritance, 165, 166–167
about:config (Firefox), navigation risks, 188
absolute URLs, vs. relative, 25
Accept-Language request header, 43
Accept request header, 43
Access-Control-Allow-Origin header, 237–238, 240
acrobat: scheme, 36
action parameter, for <form> tag, 80
ActionScript, 132–134
Active Server Pages, 75
ActiveX, 129, 136–137
address bars, 220
    and EV SSL, 65
    Internet Explorer hiding, 221
    manipulation, 256–257
Adobe Flash, 119, 130, 132–134
    and cross-domain HTTP headers, 147n
    file handling without Content-Type, 199
    HTML parser offered by plug-in, 133
    policy file spoofing risks, 156–157
    security rules, 154–157
Adobe Reader, 130
Adobe Shockwave Player, 132
ADS (Alternate Data Stream) Zone Identifier, 231
advertisements, new window for, 217
Akamai Download Manager, 137
Allow-forms keyword, for sandbox parameter, 246
AllowFullScreen parameter, for Flash, 155
AllowNetworking parameter, for Flash, 155
Allow-same-origin keyword, for sandbox parameter, 246
AllowScriptAccess parameter, for Flash, 154
Allow-scripts keyword, for sandbox parameter, 246
Allow-top-navigation keyword, for sandbox parameter, 246
Alternate Data Stream (ADS) Zone Identifier, 231
ambient authority, 60, 60n
ampersand (&), in HTML, 71
anchor element (HTML), specifying name of, 28
angle brackets (< >)
    browser interpretation, 74–75
    in HTML, 71
anonymity, scripts and, 249
anonymous requests, in CORS, 239
anonymous windows, 175
antimalware, 236n
Apache
    and Host headers, 47
    PATH_INFO, 201
APNG file format, 83
Apple QuickTime, 119, 130, 132
Apple Safari. See Safari (Apple)
<applet> tag (HTML), 83, 128, 135, 183
application/binary, 212
application/javascript document type, 118
application/json document type, 118, 202
application/mathml+xml document type, 119
application/octet-stream document type, 200–201, 212
application/x-www-form-urlencoded, 81
Arce, Ivan, 2n
Arya, Abhishek, 209
asynchronous XMLHttpRequest, 146
Atom, 123
<audio> tag (HTML), 84, 119
authentication, in HTTP, 62–63
authorization, vs. authentication, 62n
Authorization header (HTTP), 63

B

background parameter for HTML tags, 83
background processes, in JavaScript, 258
backslashes (\) in URLs, browser acceptance of, 29
backticks (`), as quote characters, 74, 111
Bad Request status error (400), 55
bandwidth, and XML, 123n
Barth, Adam, 16, 177, 240, 241, 246, 257
Base64 encoding, 50n
basic credential-passing method, 63
Bell-La Padula security model, 2, 4
Berners-Lee, Tim, 9, 41, 69
    and semantic web, 72–73
    World Wide Web browser, 9
    World Wide Web Consortium, 11
<bgsound> tag (HTML), 84, 119
binary HTTP, 257
bitmap images, browser recognition of, 118
blacklists
    of HTTP headers in XMLHttpRequest, 147
    malicious URLs, 236n
_blank, as link target, 80
BMP file format, 83
<body> tag (HTML), 83
BOM (byte order marks), 208
Breckman, John, 52n
browser cache
    information in, 59
    poisoning, 60
browser extensions and UI, 161
browser-managed site permissions, 226–227
browser market share, May 2011, 19
browser-side scripts, 95–116
browser wars, 10–11, 233
buffer overflow, 265
bugs, preventing classes of, 7
Bush, Vannevar, 8
byte order marks (BOM), 208

C

cache. See browser cache
Cache-Control directive, 48, 59
cache manifests, 257
cache poisoning, 189, 263
caching behavior, in HTTP, 58–60
caching HTTP proxy, keepalive sessions and, 57
Caja, 116
Cake (proposal), 257
call stack, limiting size, 216
callto: scheme, 36
<canvas> tag (HTML5), 183
CAPTCHA, 184–185, 185n
Cascading Style Sheets (CSS), 11, 12, 73, 83, 87–93
    basic syntax, 88–90
    character encoding, 91–92
    interaction with HTML, 90
    opacity property, 179
    parser resynchronization risks, 90–91
    property definitions, 89
case of tags, HTML vs. XML, 72
<![CDATA[...]]> blocks, 72, 78, 250
certificate authorities, 64
certificates
    extended validation, 65
    warning dialog example, 66
cf: scheme, 36
characters
    delimiting, in URLs, 29
    encoding in CSS, 91–92
    encoding in filenames, 49–51
    encoding in HTML, 76–78
    encoding in JavaScript, 112–113
    encoding in URLs, 31–35
    printable, browser treatment of, 32
    reserved, 31–35
    unreserved, 32
character sets
    byte order marks and detection, 208
    detection for non-HTTP files, 210–211
    handling, 206–211
    for headers, 49–51
    inheritance and override, 209
    markup-controlled, on subresources, 209–210
    sniffing, 264
    in URLs, 33
@charset (CSS), 89
children objects in JavaScript, 108
Chrome
    autodetection of passive document types, 205
    cached pages in, 37
    characters in URL scheme name ignored by, 25
    deleting JavaScript function, 103
    and file extensions in URLs, 130
    local file access, 160
    modal dialogs for prompts, 219
    navigation timing, 259
    prerendering page, 258–259
    printable characters in, 32
    privileged JavaScript in, 161
    and realm string, 63
    and RFC 2047 encoding, 50
    stored password retrieval, 228
    SWF file handling without Content-Type, 199
    time limits on continuously executing scripts, 215
    WebKit parsing engine, 70n
    window.open() function and, 218
    Windows Presentation Foundation plug-ins, 136
chunked data transfers, 57–58
clickjacking, 179, 180–181, 263
click() method, 218
client certificates, 64–66
client-server architecture, 17–18
client-side data, 165
client-side databases, 258
client-side errors (400–499), 55–56
client-side scripts, restricting privileges of HTML generated by, 250–251
cloud, 15
Clover, Andrew, 184
command injection, 265
comments
    in CSS syntax, 89
    in XHTML and HTML, 72
Common UNIX Printing System (CUPS), 152–153
Common Vulnerability Scoring System (CVSS), 6–7
Common Weakness Enumeration (CWE), 6
complex selectors, in CSS, 88
computer proficiency of user, 14
conditionals, explicit and implicit, in HTML, 75–76
conflicting headers, resolution of, 47–48
CONNECT requests, 46, 54
Connolly, Dan, 9
content directives, on subresources, 204
Content-Disposition directive, 48, 84, 122
    defensive uses, 203–204
    NUL character and, 51
    plug-in-executed code and, 204
    user-controlled filenames in, 67
content inclusion in HTML
    hyperlinking and, 79–84
    type-specific, 82–84
Content-Length header, 43, 52, 147
    in keepalive sessions, 56–58
content recognition, 197–211
content rendering, plug-ins for, 127–138
Content Security Policy (CSP), 242–245, 250, 253
    criticisms of, 244–245
    violations, 244
content sniffing, 197–198, 205, 264
Content-Type directive, 49, 71, 84
    application/binary, 212
    application/javascript, 118
    application/json, 118, 202
    application/mathml+xml, 119
    application/octet-stream, 200–201, 212
    charset parameter, 206, 208
    image/jpeg, 118, 202, 205
    image/svg+xml, 124
    logic to handle absence, 198–199
    plug-ins and, 128, 204
    slash-delimited alphanumeric tokens in, 199
    special values, 200–201
    text/css, 118
    text/html, 124
    text/plain, 118, 156, 200–201, 204, 212
    unrecognized, 202–203
    and XML document parsing, 120
control characters, JavaScript shorthand notation, 112
cookie-authenticated text, reading, 181
Cookie header. See cookies
cookie injection, 264
cookies, 11, 257
    deleting, 62
    and DNS hijacking, 153
    forcing, 264
    limitations on third-party, 192–194
    and same-origin policy, 150–151
    security policy for, 149–153
    semantics, 60–62
    user data in, 67
CORS. See Cross-Origin Resource Sharing (CORS)
CR characters, stripping from HTTP headers, 45
credential-passing methods, 63
credentials, in URLs, 26
CRLF (newline), 45
cross-browser interactions, 16–17
cross-document links, 8, 9
cross-domain communications, and frame descendant policy, 176–178
cross-domain content inclusion, 181–183
cross-domain policy files, 155–156
cross-domain requests, 236–239
Cross-Origin Resource Sharing (CORS), 148, 236
    current status, 239
    non-simple requests and preflight, 238
    request types, 236–237
    security checks, 237–238
cross-origin subresources,

D

daap: scheme, 36
data: scheme, 37, 167–168
data transfers, chunked, 57–58
Date/If-Modified-Since header pair, 59
deceptive framing, 180
dedicated workers, for background processes, 258
default policy, CSP directive for, 243
default ports, for protocols, overriding, 27
DELETE method (HTTP), 53
deleting
    cookies, 62
    JavaScript functions, 102–103
delimiting characters, in URLs, 29
denial-of-service (DoS) attacks, 214–219, 248, 264
DeviceOrientation API, 258
dialog use restrictions, 218–219
digest credential-passing method, 63
Digital Rights Management (DRM), 131
directory traversal, 265
disable-xss-protection, 242n
<div> tag (HTML), 73
DNS hijacking, and cookies, 153
DNS labels, security mechanisms based on, 142n
DNS names, in URLs, browser