

SecureCanvas – interface-based protection - homakov
http://securecanvas.com/

======
Eridrus
How do you plan to deal with self-XSS? It sounds like you could XSS yourself
and bypass any of the protections.

To me this sounds a lot like previous solutions that 'solved' security by
adding HMAC tokens to every link. This sounds like it would have fewer issues
with AJAXey apps, but given the general prevalence of XSS vs other bug classes
I'm not sure it's worth it unless you have a plan for dealing with self-XSS
besides filtering <>'"

~~~
homakov
That's a very good question. Yes, if you are able to inject a script, it will be
executed in the virtual browser and it will bypass it (not completely, you
still have XHR and cannot exploit Heartbleed-like bugs).

First, the default XSS auditor in Chrome will be used. It kills most reflective
XSS.

Second, what's wrong with filtering? It is ugly but bulletproof. Without <>"
you cannot break the markup.

Third, we will be offering a free anti-XSS audit. It is routinely patched.

The main goal of this technology is to prevent complex server-side bugs and 0days.
Interface-based XSS is both rare and easy to spot.

~~~
Eridrus
I am surprised to hear you say that Chrome's anti-XSS auditor is a good enough
solution. I haven't examined it myself, but my understanding was that there
were quite a few bypasses and the Chrome team isn't super interested in making
it work.

I must admit it's been quite a while since I did any consulting, but rare is
not how I would have described XSS when talking about web apps that customers
had.

Besides XSS, you're also vulnerable to HPP attacks on links, especially with
RESTful sites where you do something directory-traversal-like on links. Though
I don't know how common that is going to be through form fields, rather than
URL tampering, it's not something I've seen anyone care about.

I guess people with legacy crap might be willing to accept the filtering, but
it doesn't seem like something anyone would accept if their app had any social
component.

Good luck I guess, it's an interesting idea, but it seems like a very niche
product due to all the usability impact it will have. Maybe there is a market
for "Citrix for web apps" :)

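The two threads above argue over what filtering <>'" buys you and over HPP / traversal-style tampering of links built from form fields. The block below is an added example written for this page; it is not SecureCanvas code and was not posted by either commenter. It applies that exact strip-four-characters filter to a value and drops the result into several constructed HTML contexts (text node, quoted attribute, unquoted attribute, href, a path segment of a link), then parses the rendered start tag and resolves any href against a made-up origin so the reader can see, per context, whether the value added a tag, an attribute, a `javascript:` scheme or a different URL path. All templates, sample inputs and the `https://example.test` origin are constructed for illustration.

```javascript
// Added example for this thread; not SecureCanvas code. Node.js, no dependencies.

// The filter discussed in the thread: drop < > " ' and nothing else.
function stripMarkupChars(value) {
  return String(value).replace(/[<>"']/g, "");
}

// Constructed templates: the same filtered value in five HTML contexts.
const contexts = {
  textNode:     (v) => `<p>${stripMarkupChars(v)}</p>`,
  quotedAttr:   (v) => `<input type="text" value="${stripMarkupChars(v)}">`,
  unquotedAttr: (v) => `<input type="text" value=${stripMarkupChars(v)}>`,
  hrefAttr:     (v) => `<a href="${stripMarkupChars(v)}">profile</a>`,
  pathInLink:   (v) => `<a href="/users/${stripMarkupChars(v)}/edit">edit</a>`,
};

// Constructed sample inputs, one per context. None is a real payload against
// any product; they only show which characters each context depends on.
const samples = {
  textNode:     "<script>alert(1)</script>",   // needs < and >, which are stripped
  quotedAttr:   '" onmouseover="alert(1)',       // needs ", which is stripped
  unquotedAttr: "x onmouseover=alert(1)",        // needs only a space and =
  hrefAttr:     "javascript:alert(1)",           // needs none of the four chars
  pathInLink:   "../../admin?role=1",            // needs only . / ? =
};

// Parse the attributes of the first start tag, loosely following the HTML
// tokenizer: quoted values run to the matching quote, unquoted values run to
// whitespace or ">". Returns { name: value } with lower-cased names.
function firstTagAttrs(html) {
  const m = /^<[a-z][a-z0-9]*/i.exec(html);
  if (!m) return {};
  const attrs = {};
  const isWs = (c) => c === " " || c === "\t" || c === "\n";
  let i = m[0].length;
  while (i < html.length && html[i] !== ">") {
    while (i < html.length && isWs(html[i])) i++;
    if (i >= html.length || html[i] === ">") break;
    let name = "";
    while (i < html.length && !isWs(html[i]) && html[i] !== "=" && html[i] !== ">") name += html[i++];
    while (i < html.length && isWs(html[i])) i++;
    let value = "";
    if (html[i] === "=") {
      i++;
      while (i < html.length && isWs(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) value += html[i++];
        i++; // skip the closing quote
      } else {
        while (i < html.length && !isWs(html[i]) && html[i] !== ">") value += html[i++];
      }
    }
    if (name) attrs[name.toLowerCase()] = value;
  }
  return attrs;
}

// Render one context and report what structure the filtered value produced.
function describe(contextName, value) {
  const html = contexts[contextName](value);
  const attrs = firstTagAttrs(html);
  const out = {
    html,
    tagCount: (html.match(/<[a-z]/gi) || []).length, // start tags only
    attrNames: Object.keys(attrs).sort(),
  };
  if (attrs.href !== undefined) {
    // Resolve as a browser would, against a constructed origin.
    const u = new URL(attrs.href, "https://example.test/");
    out.link = { protocol: u.protocol, pathname: u.pathname, search: u.search };
  }
  return out;
}

// Run every constructed sample through its context.
function runAll() {
  const results = {};
  for (const [ctx, value] of Object.entries(samples)) results[ctx] = describe(ctx, value);
  return results;
}

console.log(JSON.stringify(runAll(), null, 2));
```

Reading the output: in the text-node and double-quoted-attribute contexts the filtered value stays a single attribute value or a single text node, which is the case the reply above has in mind. In the unquoted-attribute context the same filter leaves a second attribute (`onmouseover`) in the tag, in the href context the `javascript:` scheme survives untouched, and in the path-segment context the link now resolves to `/admin` with the remainder of the template pushed into the query string, which is the HPP / traversal shape the other comment describes. Whether those contexts occur in a given app is exactly what a filter-based approach has to audit for.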
~~~
homakov
> quite a few bypasses

The longer it exists, the fewer bypasses are left. It is really good at preventing
simple reflective XSS.

> talking about web apps that customers had.

Remark: we are talking about interface-based XSS only, not all of them. It's
really rare for the segment this product is targeting (online banks etc).

> but it doesn't seem like something anyone would accept if their app had any
> social component

The goal is to make it work for everyone out of the box, including widgets and
social components. And there are no unsolvable issues.

> Maybe there is a market for "citrix for web apps"

The market here is huge: everyone who cares about security the most. It
prevents _all_ 0days except those that can be exploited via the interface.

Absolute 0day protection. Doesn't it sound epic? Yes, SecureCanvas's stack
itself is another layer and may have 0days, but its attack surface is small.

