Learn how to take advantage of browser security improvements to help protect your Web applications and visitors.

1. Securing Web Applications

3. IE 7 significantly reduced attack surface
against the browser and local machine…

4. …but Social Engineering and exploitation
of add-ons continues to grow.
WebApp attacks
(CSRF, XSS, ClickJacking, splitting) may
be the next big vector.
And the next generation of attackers is
coming out of grade school.

5. Worst of all, it turns out that crime does pay
after all.

6. Why is browser security so elusive?

8. The security
architecture of
the current web
platform was
largely an
afterthought.

9. Maybe there’s a shortcut?

10. We could block nearly 100% of
exploits by removing one
component from the system…

12. Or, we could block a majority of
exploits by removing a different
component from the system…

14. So, if we re-architect everything, or get
rid of the users, or get rid of the
network, then security might be easy.
FAIL

15. Making the correct tradeoffs is hard.

16. IE8 Security Vision
IE8 is the most secure browser by default.

17. IE8 Security Investments
Address the evolving threat landscape
Browser &
Social Web App
Add-on
Engineering Vulnerabilities
Vulnerabilities

18. What’s the best way to
develop
secure, performant, and
reliable C/C++ code?

19. Don’t.

20. Non-Binary Extensibility

21. Non-Binary Extensibility

22. Non-Binary Extensibility

23. Non-Binary Extensibility

24. Lots of other investments

25. The Weakest Link

26. Sometimes, threats
are obvious…

27. …but bad guys are
getting smarter…

28. Fake codecs and add-ons

29. Fake antivirus
scanners & utilities

32. A more
effective
warning?

33. SmartScreen Download Block

34. SmartScreen Block Page

35. Domain Highlighting

36. HTTPS - Extended Validation

37. HTTPS Mistakes

38. Insecure Login Form

39. Certificate Mismatch

40. Mixed Content - Prompt

41. Mixed Content Blocked

42. Mixed Content shown – No lock

43. Mixed Content - Troubleshooting

44. Preventing XSS

45. XSS Threats
Researcher Bryan Sullivan: “XSS is the new buffer overflow.”

46. XSS Statistics
HTTP
Response
Predictable Splitting
Other
Resource 5% 6%
Location 5%
SQL Leakage
5%
Content
Spoofing
6%
Info Leakage
4%
XSS
70%
Source: WhiteHat Security, August 2008

47. IE8 XSS Filter

48. Comprehensive XSS Protection

49. Securing Mashups

50. How are mashups built today?

51. XDomainRequest

52. HTML5 postMessage()

53. postMessage – Sending
// Find target frame
var oFrame =
document.getElementsByTagName('iframe')[0];
// postMessage will only deliver the 'Hello’
// message if the frame is currently
// at the expected target site
oFrame.contentWindow.postMessage('Hello',
'http://recipient.example.com');

54. postMessage – Listening
// Listen for the event. For non-IE, use
// addEventListener instead.
document.attachEvent('onmessage',
function(e){
if (e.domain == 'expected.com') {
// e.data contains the string
// We can use it here. But how?
}
});

55. JavaScript Object Notation
{quot;Weatherquot;:
{
quot;Cityquot;: quot;Seattlequot;,
quot;Zipquot;: 98052,
quot;Forecastquot;: {
quot;Todayquot;: quot;Sunnyquot;,
quot;Tonightquot;: quot;Darkquot;,
quot;Tomorrowquot;: quot;Sunnyquot;
}
}}

56. JavaScript Object Notation

57. Native JSON Support

58. window.toStaticHTML()
window.toStaticHTML(
quot;This is some <b>HTML</b> with embedded
script following... <script>
alert('bang!'); </script>!“
);
returns:
This is some <b>HTML</b> with embedded
script following... !

59. Putting it all together…
if (window.XDomainRequest){
var xdr = new XDomainRequest();
xdr.onload = function(){
var objWeather = JSON.parse(xdr.responseText);
var oSpan = window.document.getElementById(quot;spnWeatherquot;);
oSpan.innerHTML = window.toStaticHTML(
quot;Tonight it will be <b>quot; +
objWeather.Weather.Forecast.Tonight +
quot;</b> in <u>quot; + objWeather.Weather.City + quot;</u>.quot;
);
};
xdr.open(quot;POSTquot;, quot;http://evil.example.com/getweather.aspxquot;);
xdr.send(quot;98052quot;);
}

60. Best Practices
Microsoft Anti-Cross
Site Scripting Library
Content-Type: text/html; charset=UTF-8
Set-Cookie: secret=value; httponly

61. ClickJacking

62. Hosting unsafe files

63. MIME-Sniffing
image/*
Content-Disposition: attachment;filename=“file.htm”;
X-Download-Options: NoOpen

64. Privacy

65. File Upload Control
Server no longer gets full filename:
Content-Disposition: form-data;
name=quot;file1quot;; filename=quot;File.zip“
Local JavaScript sees a fixed path for
compatibility:
file1.value == “C:fakepathFile.zip”

66. Enhanced Cleanup

67. InPrivate™

68. InPrivate™ Browsing
Bonus: Helps mitigate CSS “Visited Links” History theft vector

69. Background on 3rd Party Aggregation
Contoso.com Woodgrovebank.com Tailspin.com Southridge1-1.com Farbrican.com adventureworks.com Litware-final.com
Example.com
User Visits 5
4
1 7
2 8
3 6
Unique Sites
1
1
Prosware-sol.com
3rd party Syndicator
Web server

70. Watcher
Passive Security Auditor
http://websecuritytool.codeplex.com/

71. Creating a great experience on Digg with IE8
IE8 in the real world
Building high performance web applications
and sites

73. ericlaw@microsoft.com
Please fill out your evaluation forms! T54F

74. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.