Ever since the release of panopticlick, a lot of research went into browser-based fingerprinting techniques. Last week, researchers published a paper describing a cross-browser fingerprinting technique, which depends on OS and hardware-level features. This technique allows a web page to reliably fingerprint your machine, meaning that you can’t even hide when you switch browsers. At the moment, there’s little you can do against this. The technique seems to be less effective in the Tor browser, but mainly because it disables many technologies used to create the fingerprint.
Right after releasing the previous edition, news broke of a UXSS exploit in IE that allows to bypass the Same Origin Policy of the browser. In a nutshell, the exploit comes down to abusing the way an origin is assigned to an ActiveXObject. This enables the attacker to create an object he controls with an origin of his choice, thereby creating a way to bypass the Same Origin Policy.
Do you remember the heart bleed vulnerability from a couple of years ago? Now there’s ticket bleed, albeit on a much smaller scale. The vulnerability allows the extraction of uninitialized memory, very much like heart bleed did. It has been discovered in the networking stack of F5 products, which are typically found in large enterprise-scale networks.
But it’s not all bad news. A lot of people are putting in a lot of effort to make the web better and more secure. One of my readers pointed me to this blog post, which outlines a number of best practices for using JSON Web Tokens (JWT). If you’re (considering) using JWT tokens, this is definitely required reading material!
There are two upcoming events I wanted to highlight:
- On February 28th, I will talk at the OWASP Belgium chapter meeting, about how modern web security technologies no longer suffice.
- On April 24 and 25, you can attend the Web Security Essentials training course, which will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today. Attending the course also means you get a free set of YubiKeys. More information and registration.
As usual, you can find the full list of events on my speaking page.