Security Blog
The latest news and insights from Google on security and safety on the Internet
Fostering research on new web security threats
4 dicembre 2020
Posted by Artur Janc and terjanq, Information Security Engineers
The web is an ecosystem built on openness and composability. It is an excellent platform for building capable applications, and it powers thousands of services created and maintained by engineers at Google that are depended on by billions of users. However, the web's open design also allows unrelated applications to sometimes interact with each other in ways which may undermine the platform's security guarantees.
Increasingly, security issues discovered in modern web applications hinge upon the misuse of long-standing web platform behaviors, allowing unsavory sites to reveal information about the user or their data in other web applications. This class of issues, broadly referred to as cross-site leaks (XS-Leaks), poses interesting challenges for security engineers and web browser developers due to a diversity of attacks and the complexity of building comprehensive defenses.
To promote a better understanding of these issues and protect the web from them, today marks the launch of the
XS-Leaks wiki
—an open knowledge base to which the security community is invited to participate, and where researchers can share information about new attacks and defenses.
The XS-Leaks wiki
Available at
xsleaks.dev
(
code
on GitHub), the wiki explains the principles behind cross-site leaks, discusses common attacks, and proposes defense mechanisms aimed at mitigating these attacks. The wiki is composed of smaller articles that showcase the details of each cross-site leak, their implications, proof-of-concept code to help demonstrate the issue, and effective defenses.
To improve the state of web security, we're inviting the security community to work with us on expanding the XS-Leaks wiki with information about new offensive and defensive techniques.
Defenses
An important goal of the wiki is to help web developers understand the defense mechanisms offered by web browsers that can comprehensively protect their web applications from various kinds of cross-site leaks.
Each attack described in the wiki is accompanied by an overview of security features which can thwart or mitigate it; the wiki aims to provide actionable guidance to assist developers in the adoption of new browser security features such as
Fetch Metadata Request Headers
,
Cross-Origin Opener Policy
,
Cross-Origin Resource Policy
, and
SameSite cookies
.
The Security Team at Google has benefited from over a
decade
of productive collaboration with security experts and browser engineers to improve the security of the web platform. We hope this new resource encourages further research into creative attacks and robust defenses for a major class of web security threats. We're excited to work together with the community to continue making the web safer for all users.
Special thanks to Manuel Sousa for starting the wiki as part of his internship project at Google, and to the contributors to the
xsleaks
GitHub repository for their original research in this area.
Nessun commento :
Posta un commento
Etichette
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
dic
nov
ott
set
ago
lug
giu
mag
apr
mar
feb
gen
2023
dic
nov
ott
set
ago
lug
giu
mag
apr
mar
feb
gen
2022
dic
nov
ott
set
ago
lug
giu
mag
apr
mar
feb
gen
2021
dic
nov
ott
set
ago
lug
giu
mag
apr
mar
feb
gen
2020
dic
nov
ott
set
ago
lug
giu
mag
apr
mar
feb
gen
2019
dic
nov
ott
set
ago
lug
giu
mag
apr
mar
feb
gen
2018
dic
nov
ott
set
ago
lug
giu
mag
apr
mar
feb
gen
2017
dic
nov
ott
set
lug
giu
mag
apr
mar
feb
gen
2016
dic
nov
ott
set
ago
lug
giu
mag
apr
mar
feb
gen
2015
dic
nov
ott
set
ago
lug
giu
mag
apr
mar
feb
gen
2014
dic
nov
ott
set
ago
lug
giu
apr
mar
feb
gen
2013
dic
nov
ott
ago
giu
mag
apr
mar
feb
gen
2012
dic
set
ago
giu
mag
apr
mar
feb
gen
2011
dic
nov
ott
set
ago
lug
giu
mag
apr
mar
feb
2010
nov
ott
set
ago
lug
mag
apr
mar
2009
nov
ott
ago
lug
giu
mar
2008
dic
nov
ott
ago
lug
mag
feb
2007
nov
ott
set
lug
giu
mag
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
Nessun commento :
Posta un commento