
#232 substring match validation of url inadequate

Need_for_security
closed-fixed
9
2005-07-24
2005-07-17
No

FIXED
We found a second significant vulnerability in the RenderPGranter's enforcement of restrictions on the renderer. The RenderPGranter allows the renderer to request loading of a new URL, and is supposed to ensure that this URL is mentioned in the current web page; only if this check succeeds should the RenderPGranter pass on this request to the DarpaBrowser. The RenderPGranter performed this check by doing a substring match between the requested URL string and the current HTML document. However, this substring match is easily fooled: as a simple example, if the current document contains a link that has been commented out, the substring check will still succeed on this URL, and hence a malicious renderer could change to displaying this commented-out link. Though the renderer does not gain unrestricted access to the entire web, this is a violation of the security policy. The problem here can be viewed as a failure of capability discipline: security checks are being performed on strings rather than on the underlying objects that represent the entities to which access is being requested.
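The following is an added illustration of the flaw described in this report and of the object-based check the followup alludes to; it is not code from the DarpaBrowser or RenderPGranter. It assumes a constructed sample page and hypothetical names (`substring_check`, `LinkCollector`, `LinkCap`, `Granter`). The substring check accepts a URL that only appears inside an HTML comment; the parser-based check only admits targets of real anchor elements, and the capability-style granter goes one step further by having the renderer designate links by opaque objects it was handed, so a string it fabricates itself can never pass.

```python
"""Added example: string-based vs. object-based validation of a requested URL."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample document: one live link, one commented-out link,
# and a URL that is merely mentioned in running text.
SAMPLE_HTML = """<html><body>
<a href="http://example.com/allowed">Allowed</a>
<!-- <a href="http://example.com/hidden">Retired link</a> -->
<p>See also http://example.com/mentioned-in-text</p>
</body></html>"""
BASE_URL = "http://example.com/"


def substring_check(requested_url: str, document: str) -> bool:
    """The flawed check from the report: is the URL text anywhere in the raw HTML?"""
    return requested_url in document


class LinkCollector(HTMLParser):
    """Collect href targets of actual <a> elements.

    html.parser routes comment bodies to handle_comment, never to
    handle_starttag, so a commented-out anchor is not collected.
    """

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.links: set[str] = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(urljoin(self.base_url, value))


def parsed_link_check(requested_url: str, document: str, base_url: str) -> bool:
    """String comparison, but against the set of links the parse tree really contains."""
    collector = LinkCollector(base_url)
    collector.feed(document)
    collector.close()
    return requested_url in collector.links


class LinkCap:
    """Opaque handle for one link on the current page (hypothetical design)."""

    __slots__ = ("_target",)

    def __init__(self, target: str) -> None:
        self._target = target


class Granter:
    """Hands the renderer one LinkCap per real link; navigation is requested by handle.

    Membership is by object identity, so a LinkCap the renderer constructs
    itself (for a commented-out or unrelated URL) is not in the set.
    """

    def __init__(self, document: str, base_url: str) -> None:
        collector = LinkCollector(base_url)
        collector.feed(document)
        collector.close()
        self._caps = {LinkCap(target) for target in collector.links}

    def links(self) -> frozenset:
        return frozenset(self._caps)  # what the renderer may choose from

    def follow(self, cap: LinkCap) -> str:
        if cap not in self._caps:  # identity membership, not string matching
            raise PermissionError("not a link of the current page")
        return cap._target


if __name__ == "__main__":
    hidden = "http://example.com/hidden"
    print("substring check:", substring_check(hidden, SAMPLE_HTML))          # True (flaw)
    print("parsed check:   ", parsed_link_check(hidden, SAMPLE_HTML, BASE_URL))  # False
    granter = Granter(SAMPLE_HTML, BASE_URL)
    try:
        granter.follow(LinkCap(hidden))
    except PermissionError as exc:
        print("forged handle rejected:", exc)
```

The substring check also accepts prefixes such as `http://example.com/all` and anything quoted in body text, neither of which is a link; the parser-based and handle-based checks reject both, because the decision is made on what the document structurally contains rather than on the bytes of the document.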

Followups

Comment: the new DarpaMemless browser parses the html, and uses a parse tree with embedded capabilities for operation.
Date: 2002-Apr-29 17:42
By: marcs

Discussion

  • Steve Jenson - 2005-07-18
    • status: open --> open-fixed

  • Steve Jenson - 2005-07-18
    • status: open-fixed --> closed-fixed

  • Mark Samuel Miller
    • assigned_to: nobody --> marcsskyhunter
