ABE (or “Automatic Boundaries Enforcer“) is like a WAF in the browser, it provides a CRSF filter and the default rule to block cross-zone request to protect LAN and local resources like SOHO routers & firewalls. Advice for developers: Experiment protecting your own applications with ABE and avoid cross-zone requests. NoScript works with two zones: the Internet and the private space (based on RFC1918). As a final remark from Giorgio, don’t try the NoScript alternatives for Chrome, they don’t work at all! You find an issue with NoScript? Don’t report it via the social media but instead use a private email address and send sensitive data encrypted with PGP. Good talk with nice recommendation to build NoScript-compliant websites
To test the security of those frameworks, Mario started with some “pokes“. He showed how easy it was to compromise well-known frameworks. A first conclusion was that most of them did not work with CSP (“Content Security Policy“) enabled. But he also demonstrated that AngularJS was able to bypass this security technique! Lot of source code examples were reviewed. But the most interesting part (IMHO) was the demonstration of how to abuse Chrome Packaged Apps. Google describe them as following:
Really? “as capable as native app, but as safe as a web page“… Remember that AngularJS is able to bypass CFP is (as seen in previous demos). So, Mario demonstrated how to use this issue to escalate privileges of his rogue packaged app! Brilliant! Think about an app accessing your microphone, your drives, your webcam etc… The problem in this case: it’s not a bug but a feature. If Google changes the way Chrome is working at the moment, most applications will be broken! The final step for Mario was to build a metric to be able to classify the different frameworks (he tested 12 of them). All the details are available on this wiki page: code.google.com/p/mustache-security. Have a look and feel free to share your findings, Mario is looking for some help!
That’s all for tonight… See you at a next event!