With Carrots & Sticks - Can the browser handle web security?| Frederik Braun
Home Assistant can not be secured for internet access| Frederik Braun
Modern solutions against cross-site attacks| Frederik Braun
Comments| Lobsters
Frederik Braun - The Mozilla Monument in San Francisco| Frederik Braun
Frederik Braun - What is mixed content?| Frederik Braun
Today, I found someone tweeting about a neat security bug in Chrome, that bypasses how Chrome disallows extensions from injecting JavaScript into special domains like chrome.google.com. The intention of this block is that browsers give special permissions to some internal pages that allow troubleshooting, resetting the browser, installing …| Frederik Braun
This is my update to the 2021 JavaScript IPC blog post from the Firefox Attack & Defense blog. Firefox uses Inter-Process Communication (IPC) to implement privilege separation, which makes it an important cornerstone in our security architecture. A previous blog post focused on fuzzing the C++ side of IPC. This blog …| Frederik Braun
In order to fully discuss security issues, their common root causes and useful prevention or mitigation techniques, you will need some common ground on the security model of the web. This, in turn, relies on various terms and techniques that will be presented in the next sections. Feel free to …| Frederik Braun
This article first appeared on the Firefox Attack & Defense blog. Despite all the efforts of fixing Cross-Site Scripting (XSS) on the web, it continuously ranks as one of the most dangerous security issues in software. In particular, DOM-based XSS is gaining increasing relevance: DOM-based XSS is a form of XSS …| Frederik Braun
This article first appeared on the HTMLHell Advent Calendar 2022. Motivation: When thinking of HTML-related security bugs, people often think of script injection attacks, which are also known as Cross-Site Scripting (XSS). If an attacker is able to submit, modify or store content on your web page, they might include …| Frederik Braun
This document sat in my archives. I originally created this so I have notes for my participation in the Working Draft podcast - a German podcast for web developers. That's why this article is in German as well. The podcast episode 452 was published in 2020, but I never published this …| Frederik Braun
Note: This is the reference sheet version. The details and the big picture are covered in Understanding Web Security Checks in Firefox (Part 1). Principals as a level of privilege: A security context is always using one of these four kinds of Principals: ContentPrincipal: This principal is used for typical …| Frederik Braun
This blog post first appeared on the Mozilla Attack & Defense blog and was co-authored with Christoph Kerschbaumer and Tom Ritter. In a recent academic publication titled Hardening Firefox against Injection Attacks (to appear at SecWeb – Designing Security for the Web) we describe techniques which we have incorporated into Firefox …| Frederik Braun
This blog post first appeared on the Mozilla Attack & Defense blog and was co-authored with Christoph Kerschbaumer. This is the first part of a blog post series that will allow you to understand how Firefox implements Web Security fundamentals, like the Same-Origin Policy. This first post of the series …| Frederik Braun
This article first appeared on the Mozilla Security blog. I recently gave a talk at OWASP Global AppSec in Amsterdam and summarized the presentation in a blog post about how to achieve "critical"-rated code execution vulnerabilities in Firefox with user-interface XSS. The end of that blog post encourages the …| Frederik Braun
This is the blog post version of my presentation from OWASP Global AppSec in Amsterdam 2019. It was presented in the AllStars Track. Abstract: Browsers are complicated enough to have attack surface beyond memory safety issues. This talk will look into injection flaws in the user interface of Mozilla Firefox …| Frederik Braun
Life keeps me busy, which is why this blog is seeing less and less publications. It's also the reason why I couldn't join the Global Climate Strike on September 20th. Friends have pointed me towards the Digital Global Climate Strike, where you can embed a script in your website and …| Frederik Braun
Update: In July 2019, Chrome developers announced that they are going to remove XSSAuditor. You can follow their bug tracker here. Recently, Google Chrome changed the default mode for their Cross-Site Scripting filter XSSAuditor from block to filter. This means that instead of blocking the page load completely, XSSAuditor will …| Frederik Braun
For those who have not participated in my challenge, this document is about implementing security features in ServiceWorkers. A ServiceWorker (SW) is a type of Web Worker that can intercept and modify HTTP requests. A ServiceWorker is allowed to see requests towards your own as well as other origins – though …| Frederik Braun
TLDR: If SSH is enabled in the advanced settings, you can just login with the default password 1234. Given the age of the installed SSH daemon, you will likely have to enable legacy cryptography like so: ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc -oHostKeyAlgorithms=+ssh-dss -l root …| Frederik Braun
Background: GitHub is one of the first big websites using Subresource Integrity and can thus defend against potentially bad Content Delivery Networks (CDNs). The tricky thing with SRI is that you have to include it for every HTML tag that points to a CDN if you want the security benefit …| Frederik Braun
I have written two Firefox OS apps, which are both not very popular. You may stop reading here if you haven't used either squeezefox or wallabag-fxos. This article is about how I think they should evolve, while Firefox OS is currently transitioning into a community-led B2G OS. The apps I …| Frederik Braun
I found the address of the teacher's pinboard! Can you try to get in and read all teachers' notes? Maybe you need to attack the admin account as well. The fluxfingers (again) hosted the Capture The Flag (CTF) event for the hack.lu security conference in Luxembourg. It's long since …| Frederik Braun
This blog post is the text version of my presentation from OWASP AppSec EU 2015. You can download the slides or watch the video on YouTube. Introduction: In this blog post, I explain Subresource Integrity (SRI), of which I am one of the co-editors. SRI is an upcoming W3C standard that …| Frederik Braun
Earlier this week, Twitter rolled out a new account dashboard. This new feature allows users to manage app access to their account and gain insights into previous logins and their metadata (IP address, app name and date). Curious how this works or what my login history looks like, I gave …| Frederik Braun
Back when Firefox 1.0 came out, hundreds of thousands of volunteers supported the Spread Firefox project to buy an advertisement in the New York Times. The same happened in Germany, with the name of every supporter on this advertising page, in the Frankfurter Allgemeine Zeitung. Here is a text version of this ad, so that those who …| Frederik Braun
Anonabox is not a magic bullet! Yesterday, a lot of mainstream media (e.g., WIRED) started reporting about anonabox, "an open source embedded networking device designed specifically to run Tor.", to quote their Kickstarter campaign. For those of you who don't know what Tor is: It's a network run …| Frederik Braun
This article has been superseded by a more recent write-up of my presentation from OWASP AppSec EU 2015. Alternatively, you can download the slides or watch the video on YouTube. Some time ago, I complained about the prevalence of CDNs for JavaScript hosting and the trust model that comes with including …| Frederik Braun
On Firefox OS (FxOS), every app has its own set of permissions. The operating system makes sure that an app may only do things that are requested in the app manifest. Some of these permissions are always set to Ask. Sometimes just because the web platform is built this way …| Frederik Braun
This is a short summary about a goofy XSS/CSRF exploit on an internal web page at Mozilla. A few weeks ago I discovered that our "phonebook" supports a limited wiki-syntax in the profile descriptions (i.e. [link text http://example.com]). Despite proper sanitizing to forbid all markup injections …| Frederik Braun
This article was also published in the third issue of the International Journal of PoC || GTFO. This is my submission after editorial "grooming" and "[dressing] in the best Sunday clothes of proper church English" :-). Many beginners of Python have suffered at the hand of the almighty SyntaxError. One of the …| Frederik Braun
This blog post about X-Frame-Options was originally published on the Mozilla Security Blog. A few weeks ago, Mario Heiderich and I published a white paper about the X-Frame-Options security header. In this blog post, I want to summarize the key arguments for setting this security header in your web application …| Frederik Braun
I originally blogged about html2dom on the Mozilla Security Blog. Having spent significant time reviewing the source code of some Firefox OS core apps, I noticed that a lot of developers like to use innerHTML (or insertAdjacentHTML). It is indeed a useful API to insert HTML from a given …| Frederik Braun
I spent a few days working on a security review for Thunderbird's HTML sanitizer. Thunderbird has three presets for viewing mail: Original HTML, Simple HTML, and Plain Text. No matter which preset the user prefers, emails should not execute JavaScript. And this is where the HTML sanitizer joins our party …| Frederik Braun
In our Security Disaster of the Week, H. Marco and Ismael Ripoll found out that all applications statically linked and compiled via glibc since 2006 have their pointers protected by being XORed with zero. Exploit mitigation at its finest. My favorite type of browser vulnerability remains the good old Same-Origin …| Frederik Braun
Frederik Braun - The First Post| Frederik Braun
Frederik Braun - How I got a new domain name| Frederik Braun