lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0801260041240.16521@dione.cc>
Date: Sat, 26 Jan 2008 00:49:09 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.cc>
To: bugtraq@...urityfocus.com
Cc: security@...illa.org, full-disclosure@...ts.grok.org.uk
Subject: Tool availability - browser DOM Checker

Hi,

Along with my colleague Filipe Almeida, I'd like to announce the 
availability of DOM Checker, an automated tool for validating browser 
security policy enforcement. The project is hosted at:

http://code.google.com/p/dom-checker/

The tool features several fairly neat features, including exhaustive 
hierarchy crawling and side-channel blind write validation to reduce the 
number of false positives.

DOM Checker had been used to find a number of major security bypass and 
information disclosure problems in several popular browsers, and we had 
worked closely with vendors to resolve them (although it's worth noting 
that the tool still reports anywhere from 10 to 30 low-risk, 
design-related information disclosure issues in these programs).

Our hope is that this tool may serve as a framework for ongoing browser 
security research, and would be integrated by browser vendors with their 
regression testing and general release QA processes.

Please note that this code is experimental - if you encounter any 
problems, or simply have an idea on how to make it better, let us know.

Cheers,
/mz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ