Injecting CSP for Fun and Security

@inproceedings{Kerschbaumer2016InjectingCF,
  title={Injecting CSP for Fun and Security},
  author={Christoph Kerschbaumer and Sid Stamm and Stefan Brunthaler},
  booktitle={ICISSP},
  year={2016}
}
Content Security Policy (CSP) defends against Cross Site Scripting (XSS) by restricting execution of JavaScript to a set of trusted sources listed in the CSP header. A high percentage (90%) of the sites among the Alexa top 1,000 that deploy CSP use the keyword `unsafe-inline`, which permits all inline scripts to run, including attacker-injected scripts, making CSP ineffective against XSS attacks. We present a system that constructs a CSP policy for web sites by whitelisting only expected content…
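The weakness the abstract describes can be checked mechanically. The snippet below is an added example, not code from the paper or its authors: it parses a CSP header, reports whether `script-src` still lets inline scripts run, and rebuilds the policy by whitelisting SHA-256 hashes of the expected inline scripts in place of `unsafe-inline`. The sample policy and script body are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample: the pattern the paper reports as common among Alexa top-1,000 sites.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'"
# Constructed sample: the one inline script the page is expected to carry.
EXPECTED_INLINE_SCRIPTS = ["document.getElementById('y').textContent = new Date().getFullYear();"]


def parse_csp(header):
    """Parse a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_scripts_allowed(header):
    """True if script-src (falling back to default-src) permits inline scripts.

    In browsers implementing CSP Level 2 or later, 'unsafe-inline' is ignored
    once a nonce- or hash-source appears in the same directive.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def hash_source(script_body):
    """Return the 'sha256-...' source expression for one exact inline script body.

    The hash covers the script text byte for byte, whitespace included.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def harden(header, expected_inline_scripts):
    """Drop 'unsafe-inline' from script-src and whitelist only the expected scripts."""
    policy = parse_csp(header)
    sources = [s for s in policy.get("script-src", []) if s != "'unsafe-inline'"]
    sources += [hash_source(body) for body in expected_inline_scripts]
    policy["script-src"] = sources
    return "; ".join(" ".join([name] + values) for name, values in policy.items())


HARDENED_POLICY = harden(WEAK_POLICY, EXPECTED_INLINE_SCRIPTS)
```

Any inline script not in the expected set, an injected one included, then fails the hash check and is blocked by the browser.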