Shuo Tang
ABSTRACT
Browser designers create security mechanisms to help web developers protect web applications, but web developers are usually slow to use these features in web-based applications (web apps). In this paper we introduce Zan, a browser-based system for applying new browser security mechanisms to legacy web apps automatically. Our key insight is that web apps often contain enough information, via web developer source-code patterns or key properties of web-app objects, to allow the browser to infer opportunities for applying new security mechanisms to existing web apps. We apply this new concept to protect authentication cookies, prevent web apps from being framed unwittingly, and perform JavaScript object deserialization safely. We evaluate Zan on up to the 1000 most popular websites for each of the three cases. We find that Zan can provide complimentary protection for the majority of potentially applicable websites automatically without requiring additional code from the web developers and with negligible incompatibility impact.
- JSON in JavaScript. http://www.json.org/js.html.Google Scholar
- Mitigating cross-site scripting with HTTP-only cookies. http://msdn.microsoft.com/en-us/library/ms533046.aspx.Google Scholar
- Qt - A Cross-platform application and UI. http://qt.nokia.com/.Google Scholar
- Symantec internet security threat report april 2010. http://www.symantec.com/business/theme.jsp?themeid=threatreport.Google Scholar
- The WebKit Open Source Project. http://webkit.org/.Google Scholar
- Alexa. Alexa top 500 global sites. http://www.alexa.com/topsites.Google Scholar
- M. Balduzzi, M. Egele, E. Kirda, D. Balzarotti, and C. Kruegel. A solution for the automated detection of clickjacking attacks. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS '10, pages 135--144, New York, NY, USA, 2010. ACM. Google ScholarDigital Library
- R. Barnett. Helping protect cookies with httponly flag. http://blog.modsecurity.org/2008/12/helping-protect-cookies-with-httpon%ly-flag.html, 2008.Google Scholar
- A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 75--88, 2008. Google ScholarDigital Library
- A. Barth, C. Jackson, C. Reis, and The Google Chrome Team. The security architecture of the chromium browser, 2008. http://crypto.stanford.edu/websec/chromium/chromium-security-architectu%re.pdf.Google Scholar
- BBC. Facebook "clickjacking" spreads across site, June 2010. http://www.bbc.co.uk/news/10224434.Google Scholar
- Google Inc. Chromium. http://www.chromium.org/chromium-os.Google Scholar
- Google Inc. Google Caja. http://code.google.com/p/google-caja/.Google Scholar
- C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 402--416, May 2008. Google ScholarDigital Library
- C. Grier, S. Tang, and S. T. King. Designing and implementing the OP and OP2 web browsers. ACM Trans. Web, 5:11:1--11:35, May 2011. Google ScholarDigital Library
- M. V. Gundy and H. Chen. Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In Proceedings of the Network and Distributed System Security Symposium, February 2009.Google Scholar
- R. Hansen and J. Grossman. Clickjacking, September 2008. http://www.sectheory.com/clickjacking.htm.Google Scholar
- T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In Proceedings of the 16th international conference on World Wide Web, WWW '07, pages 601--610, New York, NY, USA, 2007. ACM. Google ScholarDigital Library
- R. Kohavi and F. Provost. Glossary of terms. Machine Learning, 30(2):271--274, 1998. Google ScholarDigital Library
- D. M. Kristol. Http cookies: Standards, privacy, and politics. ACM Trans. Internet Technol., 1:151--198, November 2001. Google ScholarDigital Library
- E. Lawrence. Combating clickjacking with X-Frame-Options, March 2010. http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickj%acking- with-x-frame-options.aspx.Google Scholar
- G. Maone. NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience!, 2008. http://noscript.net/.Google Scholar
- Y. Nadji, P. Saxen, and D. Song. Document structure integrity: A robust basis for cross-site scripting defense. In Proceedings of the Network and Distributed System Security Symposium, February 2009.Google Scholar
- E. V. Nava and D. Lindsay. Abusing internet explorer 8's xss filters. http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf, 2010.Google Scholar
- D. Ross. IEBlog : IE8 Security Part IV: The XSS Filter, 2008. http://blogs.msdn.com/ie/archive/2008/07/01/ie8-security-part-iv-the-xs%s-filter.aspx.Google Scholar
- G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson. Busting frame busting: a study of clickjacking vulnerabilities at popular sites. In in IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010), 2010.Google Scholar
- P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In Proceedings of the 17th Network and Distributed System Security Symposium (NDSS), February 2010.Google Scholar
- U. Shankar and C. Karlof. Doppelganger: Better browser privacy without the bother. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS), pages 154--167, 2006. Google ScholarDigital Library
- C. E. Shannon. A mathematical theory of communication. The Bell System Technical Journal, 27:379--423,623--656, July, October 1948.Google ScholarCross Ref
- K. Singh, A. Moshchuk, H. J. Wang, and W. Lee. On the incoherencies in web browser access control policies. In Proceedings of the IEEE Symposium on Security and Privacy, May 2010. Google ScholarDigital Library
- P. Stone. Next generation clickjacking, April 2010. http://www.contextis.co.uk/resources/white-papers/clickjacking/Context-%Clickjacking_white_paper.pdf.Google Scholar
- Symantec Inc. Symantec global Internet security threat report: Trends for 2008, April 2009. http://www.symantec.com/business/theme.jsp?themeid=threatreport.Google Scholar
- S. Tang, C. Grier, O. Aciicmez, and S. T. King. Alhambra: a system for creating, enforcing, and testing browser security policies. In Proceedings of the 19th international conference on World wide web, WWW '10, pages 941--950, New York, NY, USA, 2010. ACM. Google ScholarDigital Library
- S. Tang, H. Mai, and S. T. King. Trust and protection in the illinois browser operating system. In Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI'10, Berkeley, CA, USA, 2010. USENIX Association. Google ScholarDigital Library
- M. Ter Louw and V. Venkatakrishnan. Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. In Proceedings IEEE Symposium on Security and Privacy, pages 331--346, May 2009. Google ScholarDigital Library
- Twitter. Clickjacking blocked, February 2009. http://blog.twitter.com/2009/02/clickjacking-blocked.html.Google Scholar
- P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2007.Google Scholar
- W3C. HTML 5. http://www.w3.org/TR/html5/.Google Scholar
- W3C. The iframe element. http://www.w3.org/TR/html5/the-iframe-element.html.Google Scholar
- H. J. Wang, X. Fan, J. Howell, and C. Jackson. Protection and communication abstractions for web browsers in MashupOS. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP), October 2007. Google ScholarDigital Library
- H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal OS construction of the Gazelle web browser. In Proceedings of the 2009 USENIX Security Symposium, August 2009. Google ScholarDigital Library
- W. Zeller and E. W. Felten. Cross-site request forgeries: Exploitation and prevention. Technical report, Princeton University, October 2008. http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf.Google Scholar
Index Terms
- Fortifying web-based applications automatically
Recommendations
Client-side cross-site scripting protection
Web applications are becoming the dominant way to provide access to online services. At the same time, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript code that is ...
CookieGraph: Understanding and Detecting First-Party Tracking Cookies
CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications SecurityAs third-party cookie blocking is becoming the norm in mainstream web browsers, advertisers and trackers have started to use first-party cookies for tracking. To understand this phenomenon, we conduct a differential measurement study with versus without ...
Migration of Web Applications with Seamless Execution
VEE '15Web applications (apps) are programmed using HTML5, CSS, and JavaScript, and are distributed in the source code format. Web apps can be executed on any devices where a web browser is installed, allowing one-source, multi-platform environment. We can ...
Comments