Injecting CSP for Fun and Security

@inproceedings{Kerschbaumer2016InjectingCF,
  title={Injecting CSP for Fun and Security},
  author={Christoph Kerschbaumer and Sid Stamm and Stefan Brunthaler},
  booktitle={ICISSP},
  year={2016}
}
Content Security Policy (CSP) defends against Cross-Site Scripting (XSS) by restricting execution of JavaScript to a set of trusted sources listed in the CSP header. A high percentage (90%) of sites among the Alexa top 1,000 that deploy CSP use the keyword unsafe-inline, which permits all inline scripts to run, including attacker-injected scripts, making CSP ineffective against XSS attacks. We present a system that constructs a CSP policy for web sites by whitelisting only expected content…
Assessing the Impact of Script Gadgets on CSP at Scale
The Web, as one of the core technologies of modern society, has profoundly changed the way we interact with people and data. One of the worst attacks on the Web is Cross-Site Scripting (XSS), in…
CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites
TLDR
This work proposes CSPAutoGen to enable CSP in real time, without server modifications, while remaining compatible with real-world websites, and conducts extensive case studies on five popular websites, indicating that CSPAutoGen can preserve the behind-the-login functionalities.
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy
TLDR
The "strict-dynamic" keyword is proposed, an addition to the CSP specification that facilitates the creation of policies based on cryptographic nonces, without relying on domain whitelists, in order to understand their security benefits.
On the Content Security Policy Violations due to the Same-Origin Policy
TLDR
This work describes how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin, and discusses measures to avoid CSP violations.
Strengthening Content Security Policy via Monitoring and URL Parameters Filtering
TLDR
Four extensions that strengthen CSP via a monitoring mechanism are discussed: the ability to selectively exclude whitelisted content, more fine-grained checks on URL arguments, explicit prevention of redirections to partially whitelisted origins, and an efficient reporting mechanism to collect the content that is allowed by a CSP enforced on a webpage.
CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition
TLDR
This paper presents Compositional CSP, an extension of CSP based on runtime policy composition that is designed to overcome the limitations arising from the use of static whitelists, while avoiding a major overhaul of CSP and the logic underlying policy writing.
Enforcing Content Security by Default within Web Browsers
TLDR
By equipping every resource load with a loading context, this approach enforces an opt-out security mechanism that performs security checks by default by consulting a centralized security manager.
Hardening Firefox against Injection Attacks
TLDR
This work studies common injection threats against Firefox and explains how to address them systematically in order to harden the browser.
[Figure: system architecture diagram. Components: Training Manager, Rendering Task Generator, Headless Browser Cluster (Browser Instances), Link Spider / Test Cases, Template Generator, Host Whitelist Generator, Template.]
Content security policy (CSP), which has been standardized by W3C and adopted by all major commercial browsers, is one of the most promising approaches for defending against cross-site scripting (XSS)…
Implementing and enhancing the COWL W3C Standard
Web applications are often composed of resources such as JavaScript written, and provided, by different parties. This reuse leads to questions concerning security, and whether one can trust that…

References

Showing 1-10 of 23 references
Reining in the web with content security policy
TLDR
This work presents content restrictions, and a content restrictions enforcement scheme called Content Security Policy (CSP), which is intended to be one such layer of real-world security in layers, and shows how a system such as CSP can be effective in locking down sites and providing an early alert system for vulnerabilities on a web site.
XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks
TLDR
XSS-Guard is proposed, a new framework designed as a server-side prevention mechanism against XSS attacks; it works by dynamically learning the set of scripts that a web application intends to create for any HTML request.
Waiting for CSP - Securing Legacy Web Applications with JSAgents
TLDR
JSAgents is a novel and flexible approach to defeat MI attacks using DOM meta-programming, which enforces a security policy on the DOM of the browser at a place in the markup processing chain "just before" the rendering of the markup.
Why Is CSP Failing? Trends and Challenges in CSP Adoption
TLDR
Despite being proposed as a principled and robust browser security mechanism against content injection attacks such as XSS, CSP adoption is minuscule: measurements show that CSP is deployed in enforcement mode on only 1% of the Alexa Top 100.
deDacota: toward preventing server-side XSS via automatic code and data separation
TLDR
This paper presents a novel approach to securing legacy web applications by automatically and statically rewriting an application so that code and data are clearly separated in its web pages, which protects the application and its users from a large range of server-side cross-site scripting attacks.
Pixy: a static analysis tool for detecting Web application vulnerabilities
TLDR
This paper uses flow-sensitive, interprocedural and context-sensitive dataflow analysis to discover vulnerable points in a program and applies it to the detection of vulnerability types such as SQL injection, cross-site scripting, or command injection.
Protecting Users by Confining JavaScript with COWL
TLDR
COWL introduces label-based mandatory access control to browsing contexts in a way that is fully backward-compatible with legacy web content and allows both the inclusion of untrusted scripts in applications and the building of mashups that combine sensitive information from multiple mutually distrusting origins, all while protecting users' privacy.
CrowdFlow: Efficient Information Flow Security
TLDR
This work presents a novel approach to information flow security that distributes the tracking workload across all page visitors by probabilistically switching between two JavaScript execution modes, and reports attempts to steal information from a user's browser to a third party that maintains a blacklist of malicious URLs.
Web security testing cookbook - systematic techniques to find problems fast
TLDR
The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues while conducting unit tests, regression tests, or exploratory tests; the checks are repeatable, concise, and systematic, which makes them suitable for integration into a regular test suite.
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications
TLDR
This paper combines static and dynamic analysis techniques to identify faulty sanitization procedures that can be bypassed by an attacker, and is able to identify several novel vulnerabilities that stem from erroneous sanitization procedures.