Dear diary… Today I found some vulnerabilities – A journal helps to keep up with the latest in application security

Teo Selenius Senior Security Specialist

Teo Selenius

Senior Security Specialist

March 31, 2021 at 09:58

Applications get new features every day, and at the same time, security functions change. How do developers and architects keep up? Nixu’s cybersecurity expert Teo Selenius started to keep a blog to keep his findings in order, and to share the latest features. Appsecmonkey.com is growing rapidly.


The best way to learn is to teach others

Teo Selenius works as a cybersecurity expert at Nixu Engineering. He helps IT developers, architects, and other technical personnel in different organizations to build and maintain code that supports application security.

“How to create code safely, how to use version control safely, how to build, deploy, and monitor applications safely, these are all related to app security,” Selenius lists.

He encounters new application security tips and tricks almost every day. “The best way to learn new things is to write them down, or to teach them to someone else,” he says. “It’s good practice.”

Selenius launched his blog called appsecmonkey.com in February 2021. In a few weeks, dozens of posts and articles were already set. The theme is app security and everything you need to know about it.

application security nixu monkey
The mascot of Appsecmonkey.com wears a hat and carries a flag.
 

Evil holes lurking in browsers

One example that Selenius got acquainted with when writing the blog was browser cross-site leaks, also called “XS-Leaks”. XS-leaks are browser side-channel attacks that enable malicious websites to exploit browser features in order to make deductions about the browser user. These deductions can compromise the user’s privacy and security.

When browsing the internet, people usually have different tabs open: for instance, one tab is open for your web bank, and another is a Google search. Even though they run in the same browser, the browser still isolates the two different sites. Google can’t access the bank account, or the bank doesn’t have access to the user’s Google search results.

However, some connections between the sites have been allowed. For instance, Google might download some pictures from the bank and show them in the search. Another website could send post data to the banking website to facilitate SSO login. Or the bank could load static resources from a content distribution network.

Browsers allow all of this to happen, but at the same time they allow attacks against the browser user. “For instance, you can enter a malicious site that sends requests to different websites on your behalf,” Selenius explaines. “The attacking page cannot see your content, but it can time the HTTP requests or determine which pages redirect you another page. This can often be abused to determine which websites the user has previously visited. This is a threat to privacy. Sometimes the deductions can be used to retrieve the actual data from another website. This is a threat to security.”

Sharing security controls is caring

Browsers have quite recently implemented security controls that web applications can implement to defend their users from XS-leaks and other cross-site attacks. Some, such as SameSite cookies, are already widely supported. Others, like fetch metadata headers, are only supported by Chrome and Edge but can be used in a backwards compatible way.

Selenius has written a thorough article about defending against XS-leaks in Appsecmonkey.

After studying the new features, Selenius shared the info with his colleagues at Nixu and started using it in the client work.Now, checking for these security controls in case of XS-leaks is a part of the basic security reporting system at Nixu.

 

Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.

 

Related blogs