Browserscope Security Test Suite
I'm often asked whether browsers are moving in the right direction when it comes to security. We are constantly barraged by news about the latest embarrassing browser exploit or social network worm, so it's easy to get the impression that vendors are just twiddling their thumbs as civilizations burn, or that new features cause more problems than they solve.
I think there actually has been a great deal of progress, and that far from being a catastrophic failure, the web today is a safer place to do your banking, shopping, and communicating than ever before. I think that negative news stories are about the worst success metric imaginable, and that as an industry we place far too little emphasis on concrete improvements that make the web a better platform for secure web applications. If you believe that you make what you measure, it's a wonder we've made any progress at all.
With the help of my colleagues, I'm hoping we can change that. Today, we're announcing a new web-based suite of security tests that are designed to provide a constructive metric for browser security. These tests are part of Browserscope, a community-driven project for tracking browser functionality. Browserscope was created to foster innovation by vendors by making it easy to compare functionality across browsers. It's also a great resource for web developers who want to know which browsers can provide the functionality they need.
The Browserscope security tests are not there to tell you whether your browser is vulnerable to the latest buffer overflow exploit that's in the news. Rather, we're interested in long-term security improvements that can be adopted by all vendors and make the web a better platform for developing powerful web applications. We've just scratched the surface in terms of the tests we hope to add, but here's what's in the initial test suite:
Secure cross-origin messaging. (3 tests) It used to be that in order to get some data from another site on the client side, you'd have to find a loophole in the browser's same origin policy. The common trick was to give the other site all your privileges via a <script> tag, which requires a trust relationship between sites that is bordering on absurd. Luckily, we've seen rapid deployment of secure cross-origin messaging in recent years. We're testing for the new postMessage communication primitive, as well as deserialization (JSON.parse) and sanitization (toStaticHTML) features that allow sites to safely manipulate the data they receive.
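As an added illustration of the pattern the tests above are checking for (this is example code, not part of the Browserscope suite or the original post), the receiving side of a postMessage exchange should check event.origin against an allow-list and turn the payload back into data with JSON.parse rather than eval. The origins and the sample events below are constructed for a stand-alone run:

```javascript
// Added example (not from the Browserscope page): a postMessage receiver
// that enforces an origin allow-list and uses JSON.parse instead of eval.
// The "event" objects below are constructed stand-ins for MessageEvent.

const ALLOWED_ORIGINS = new Set([
  "https://app.example", // constructed placeholder origins
  "https://widgets.example",
]);

// Returns the parsed payload, or null if the message must be ignored.
function handleMessage(event, allowed = ALLOWED_ORIGINS) {
  // 1. Reject anything not from a trusted origin. Compare the full origin
  //    (scheme + host + port); never match on a substring of the URL.
  if (!allowed.has(event.origin)) {
    return null;
  }
  // 2. Only accept string payloads, and parse with JSON.parse, which
  //    cannot run code, unlike eval() on untrusted text.
  if (typeof event.data !== "string") {
    return null;
  }
  let payload;
  try {
    payload = JSON.parse(event.data);
  } catch (e) {
    return null; // malformed JSON is dropped, never evaluated
  }
  // 3. Validate the shape before use: a plain object with a string "type".
  if (
    payload === null ||
    typeof payload !== "object" ||
    Array.isArray(payload) ||
    typeof payload.type !== "string"
  ) {
    return null;
  }
  return payload;
}

// In a browser this would be registered as:
//   window.addEventListener("message", (e) => {
//     const m = handleMessage(e);
//     if (m) render(m);
//   });
// and a sender would call
//   otherWindow.postMessage(JSON.stringify(msg), "https://app.example");
// naming the target origin explicitly rather than passing "*".

// Constructed sample events for a stand-alone run.
const SAMPLE_EVENTS = [
  { origin: "https://app.example", data: '{"type":"update","count":3}' }, // accepted
  { origin: "https://other.example", data: '{"type":"update","count":3}' }, // wrong origin
  { origin: "https://app.example", data: '{"type":"update",' }, // truncated JSON
  { origin: "https://app.example", data: "[1,2,3]" }, // wrong shape
];

function runSamples() {
  return SAMPLE_EVENTS.map((e) => handleMessage(e));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runSamples());
}
```

Only the first sample survives: the origin check, the parse step and the shape check each discard one of the others.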
XSS mitigations. (3 tests) Web 2.0 is all about combining user-generated content, but sanitizing this content is quite difficult. Recently browser vendors have stepped in to make life easier by automatically blocking the most common form of cross-site scripting (XSS) attacks. We simulate a reflected XSS attack to check whether these filters are in place. Stylesheets are another common XSS vector, so we check whether the browser blocks script in CSS (expressions and cross-site XBL). And finally, we test the httpOnly cookie attribute, which makes it harder for XSS attacks to hijack a session.
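To make the httpOnly check concrete, here is an added example (not from the Browserscope suite or the original post) of what that test is asking: given the Set-Cookie headers a server sent, which cookies should a conforming browser expose through document.cookie? A browser that lists a cookie marked HttpOnly there has not implemented the attribute, and a session cookie set that way would be readable by any injected script. The header values are constructed samples:

```javascript
// Added example (not from the Browserscope page): a small Set-Cookie parser
// and a check of whether a browser's document.cookie honours HttpOnly.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  if (eq < 0) return null; // no name=value pair: not a cookie
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? true : attr.slice(i + 1).trim();
    if (key) cookie.attrs[key] = val;
  }
  return cookie;
}

// The name=value pairs a conforming browser includes in document.cookie.
// HttpOnly cookies still exist (they are sent on requests) but are hidden from script.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c && !("httponly" in c.attrs))
    .map((c) => `${c.name}=${c.value}`);
}

// The Browserscope-style check: compare what document.cookie actually
// contains against the cookies that were marked HttpOnly. Returns true only
// if none of the HttpOnly cookies leaked into the script-visible string.
function httpOnlyHonoured(setCookieHeaders, documentCookie) {
  const present = new Set(
    documentCookie
      .split(";")
      .map((s) => s.trim().split("=")[0])
      .filter(Boolean)
  );
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c && "httponly" in c.attrs)
    .every((c) => !present.has(c.name));
}

// Constructed sample headers, as a server might send them.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; Secure; HttpOnly",
  "theme=dark; Path=/",
  "csrf=tok; SameSite=Strict",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(scriptVisibleCookies(SAMPLE_HEADERS));
  console.log(httpOnlyHonoured(SAMPLE_HEADERS, "theme=dark; csrf=tok"));
  console.log(httpOnlyHonoured(SAMPLE_HEADERS, "session=abc123; theme=dark; csrf=tok"));
}
```

In a real page the second argument would be the live document.cookie string; here the two strings stand in for a browser that honours HttpOnly and one that does not.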
Execution environment integrity. (2 tests) Earlier this year, we wrote about the various challenges that script authors face when running in a hostile execution environment. For example, Flash Player, Google's AJAX API, and many bookmarklets use the global location object to determine what page they're running on. If a web page can trick the script into thinking it's running on a different page, the script might give away the user's password or otherwise behave incorrectly. We're testing whether browsers are protecting the integrity of location and other native APIs that can be used for JSON hijacking.
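Whether or not a given browser protects its native APIs, a site can make its JSON responses unusable as cross-origin scripts. The following is an added example (not from the Browserscope suite or the original post) of the server-and-client convention commonly used for that: the server prefixes the body with a prelude that is a syntax error as JavaScript, and the legitimate client, which fetched the body with XMLHttpRequest, strips the prefix and uses JSON.parse. The specific prefix string and the sample data are assumptions of this example:

```javascript
// Added example (not from the Browserscope page): an anti-JSON-hijacking
// prefix. A bare array or object literal served as JSON could be loaded by a
// third-party page through a <script> tag; in engines whose native constructors
// or setters can be overridden, the values would then be observable. A prefix
// that cannot parse as script closes that route for every browser. The prefix
// chosen here is an assumed convention, not something stated on the page.

const ANTI_HIJACK_PREFIX = ")]}',\n";

// Server side: wrap the serialized data.
function encodeGuardedJson(value) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(value);
}

// Client side: refuse responses that lack the prefix (a misconfigured
// endpoint is a finding to fix, not something to work around), then parse
// with JSON.parse, never eval.
function decodeGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is not guarded: refusing to parse");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Would this body parse as a script? The Function constructor only parses
// the text here; the resulting function is never called. Used solely on
// bodies this example built itself.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample data.
const SAMPLE_DATA = [{ id: 1, email: "alice@example.com" }];

if (typeof require !== "undefined" && require.main === module) {
  const unguarded = JSON.stringify(SAMPLE_DATA);
  const guarded = encodeGuardedJson(SAMPLE_DATA);
  console.log("bare JSON parses as script:", isExecutableAsScript(unguarded));
  console.log("guarded body parses as script:", isExecutableAsScript(guarded));
  console.log("client recovers data:", decodeGuardedJson(guarded));
}
```

The bare array is a valid JavaScript program, which is exactly what makes it loadable via a script tag; the guarded body fails at the first character, while the intended client recovers the original data unchanged.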
Cross-origin DOM access. (2 tests) We've also included some tests for whether browsers are following the HTML5 standard for accessing documents in other origins. Following the industry standards for security policy enforcement reduces the risk of cross-origin privilege leaks, and helps web application authors by providing a consistent platform to develop on.
These tests are just the beginning. We're planning to add tests for browser encryption (Strict-Transport-Security), clickjacking mitigations (X-Frame-Options), and more. Got an idea for a test you'd like to see? Send a message to the Browserscope group and let us know. Oh, and don't forget to run the tests: