Injecting CSP for Fun and Security

@inproceedings{Kerschbaumer2016InjectingCF,
  title={Injecting CSP for Fun and Security},
  author={Christoph Kerschbaumer and Sid Stamm and S. Brunthaler},
  booktitle={ICISSP},
  year={2016}
}
  • Christoph Kerschbaumer, Sid Stamm, S. Brunthaler
  • Published in ICISSP 2016
  • Computer Science
  • Content Security Policy (CSP) defends against Cross Site Scripting (XSS) by restricting execution of JavaScript to a set of trusted sources listed in the CSP header. A high percentage (90%) of sites among the Alexa top 1,000 that deploy CSP use the keyword Unsafe-inline, which permits all inline scripts to run— including attacker–injected scripts—making CSP ineffective against XSS attacks. We present a system that constructs a CSP policy for web sites by whitelisting only expected content… CONTINUE READING

    Figures, Tables, and Topics from this paper.

    Assessing the Impact of Script Gadgets on CSP at Scale
    CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites
    • 23
    • PDF
    CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition
    • 6
    • PDF
    Enforcing Content Security by Default within Web Browsers
    • 4
    • PDF
    Hardening Firefox against Injection Attacks

    References

    Publications referenced by this paper.
    SHOWING 1-10 OF 23 REFERENCES
    Reining in the web with content security policy
    • 182
    • PDF
    XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks
    • 174
    • PDF
    Waiting for CSP - Securing Legacy Web Applications with JSAgents
    • 3
    Why Is CSP Failing? Trends and Challenges in CSP Adoption
    • 54
    • Highly Influential
    • PDF
    Pixy: a static analysis tool for detecting Web application vulnerabilities
    • 646
    • PDF
    Protecting Users by Confining JavaScript with COWL
    • 72
    • PDF
    CrowdFlow: Efficient Information Flow Security
    • 12
    • PDF
    Web security testing cookbook - systematic techniques to find problems fast
    • 26
    • PDF
    Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications
    • 367
    • PDF