[FD] HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)

2016-03-23 Thread David Leo
To secure the browser, which is very fragile, the approach of HTTPS Only 3.1 is exceptionally simple: 1. Only HTTPS URLs (no other protocols) 2. Whitelist of domains (anything outside of whitelist is blocked) Now, let's look at threats: 1. Man in the middle - it's fixed. 2. Phishing always requires the

[FD] Browser Security Tool: HTTPS Only 2.1 (Major Release, Open Source, Python)

2016-03-03 Thread David Leo
When we browse the web, top threats are: 1. Remote code execution - everything is lost 2. Man in the middle - sniffing, and tampering 3. Phishing - simple, old, and still quite useful 4. Cross site scripting - data of the vulnerable domain is lost 5. CSRF - unauthorized action So, what if the

[FD] Browser Security Tool: HTTPS Only (Why, How, Open Source, Python)

2016-02-16 Thread David Leo
(@moderators The original post was too brief. This one has details.) Summary This tool completely locks the browser - just HTTPS, nothing else. This tool is extremely simple - less than 100 lines of code (Python and JavaScript). Why Firefox Add-on Firesheep Brings Hacking to the Masses

[FD] Open source tool for applying Google Chrome security updates

2015-08-12 Thread David Leo
The Problem If you are a network administrator, keeping the browser updated is the first thing to do for security. Chrome is a very good browser, but it's a little bit complicated to answer this simple question: what is the version of the latest stable Chrome? And for people in places such as

[FD] Google Chrome Address Spoofing - Google's Opinion

2015-07-07 Thread David Leo
It's public now: https://code.google.com/p/chromium/issues/detail?id=497588 Interesting Points: They did reproduce I can reproduce this locally They say it's DoS seems like any renderer denial-of-service (The browser does not crash!) They say it's not security issue remove security flags from

[FD] Google Chrome Address Spoofing (Request For Comment)

2015-06-30 Thread David Leo
Impact: The click to verify thing is completely broken... Anyone can be BBB Accredited Business etc. You can make whitehouse.gov display We love Islamic State :-) Note: No user interaction on the fake page. Code: * index.html script function next() {

Re: [FD] Safari Address Spoofing (How We Got It)

2015-06-02 Thread David Leo
/items/bestsec/ We like it. We read it. On 2015/5/31 23:09, Michal Zalewski wrote: Well... http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html On Thu, May 28, 2015 at 10:47 PM, David Leo david@deusen.co.uk wrote: Proof of concept: http://www.deusen.co.uk/items/iwhere

[FD] Safari Address Spoofing (How We Got It)

2015-05-31 Thread David Leo
Proof of concept: http://www.deusen.co.uk/items/iwhere.9500182225526788/ It works on fully patched versions of iOS and OS X. How it works: Just keep trying to load the web page of target domain. How We Got It: Safari changes address bar to new URL, BEFORE new content is loaded. BestSec

[FD] Very Important Info About Major Internet Explorer Vulnerability - NOT Patched

2015-02-07 Thread David Leo
1. Spartan - vulnerable (Windows 10) http://www.deusen.co.uk/items/insider3show.3362009741042107/SpartanWin10_screenshot.png Thanks to Zaakiy Siddiqui! 2. `<?php sleep(2); header("Location: http://www.dailymail.co.uk/robots.txt"); ?>` Many asked for it. 3. It's Universal XSS, as we tested: Not only

Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

2015-02-07 Thread David Leo
Analyst | Security Operations Centre | Royal Bank of Canada -Original Message- From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of Zaakiy Siddiqui Sent: 2015, February, 04 6:46 PM To: David Leo; Joey Fowler Cc: fulldisclosure@seclists.org; b

[FD] Major Internet Explorer Vulnerability - NOT Patched

2015-01-31 Thread David Leo
Deusen just published code and description here: http://www.deusen.co.uk/items/insider3show.3362009741042107/ which demonstrates the serious security issue. Summary An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by external domain. How To Use 1.