Researchers discover new cookie attack affecting modern web browsers

Specialists from an Austrian university developed a formal security framework to analyze the security of web browsers. Dubbed as WebSpec, this project has already proved useful for the identification of multiple logical flaws that affect the most used web browsers, in addition to finding a new variant of attack based on cookies and other unpublished flaws.

Not all errors detected by this framework are considered vulnerabilities, although they cannot cause problems. According to the researchers, these are inconsistencies between the specifications of the web platform and the way these specifications are implemented in web browsers.

According to the researchers, web browsers have become highly complex developments, so their specifications are manually reviewed by technical experts to understand how new technologies interact with legacy APIs and individual browser implementations. However, these review processes often omit some logical flaws, which could lead to the emergence of critical security vulnerabilities.

WebSpec uses the proof language of the Coq theorem to analyze in detail the interaction of browsers and their specific behavior. This approach makes browser security a matter of automated testing known as Satisfiability Modulo Theories (SMT).

 To analyze inconsistencies between web specifications and browsers, the researchers defined ten “invariants,” associated with web platform properties that are expected to be maintained throughout its lifetime and despite updates and interactions with other products. These invariable elements represent verifiable conditions that should be met for security purposes.

During testing, the researchers used WebSpec to find a new attack on the prefix __Host- for cookies, as well as a new inconsistency between the inheritance rules for the Content Security Policy and a planned change to the HTML standard.

According to the report, it is assumed that HTTP cookies with the prefix “__Host-” are only set by the host domain or the scripts included in the pages of that domain. WebSpec found an attack to break the related invariable test. These kinds of errors reside in all current web browsers.

Although today’s web platforms are vulnerable to all sorts of attacks, researchers believe that eventually web browser developers will be able to implement this and other tools to significantly strengthen the security of their software.

In their tests, the researchers also used WebSpec to uncover an inconsistency with the way Blob objects inherit their Content Security Policy.

The availability of WebSpec as a tool for formally assessing browser behavior should make life a little easier for those struggling to maintain expanding browser code bases.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.