Injecting CSP for Fun and Security

@inproceedings{Kerschbaumer2016InjectingCF,
  title={Injecting CSP for Fun and Security},
  author={Christoph Kerschbaumer and Sid Stamm and Stefan Brunthaler},
  booktitle={ICISSP},
  year={2016}
}
Content Security Policy (CSP) defends against Cross-Site Scripting (XSS) by restricting execution of JavaScript to a set of trusted sources listed in the CSP header. A high percentage (90%) of sites among the Alexa top 1,000 that deploy CSP use the keyword 'unsafe-inline', which permits all inline scripts to run, including attacker-injected scripts, making CSP ineffective against XSS attacks. We present a system that constructs a CSP policy for web sites by whitelisting only expected content… 
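As an added illustration (not code from the paper or its authors), the routine below builds a script-src directive from the scripts actually present in a page, hashing each inline script instead of falling back to 'unsafe-inline', and checks whether a given directive still lets arbitrary inline scripts run. The sample HTML and the origin cdn.example are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample page (not from the paper): two external scripts, one inline.
SAMPLE_HTML = (
    '<script src="https://cdn.example/lib.js"></script>\n'
    '<script src="/app.js"></script>\n'
    '<script>console.log("hi")</script>\n'
)

SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def script_hash(body: str) -> str:
    """CSP hash source for an inline script; the hash covers the exact text between the tags."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_script_src(html: str) -> list:
    """Whitelist only the external origins and inline scripts the page actually contains."""
    sources = ["'self'"]  # same-origin scripts and relative src= paths
    for match in SCRIPT_RE.finditer(html):
        src = SRC_RE.search(match.group("attrs"))
        if src is None:
            sources.append(script_hash(match.group("body")))
            continue
        url = urlparse(src.group(1))
        if not url.netloc:  # relative URL, already covered by 'self'
            continue
        origin = f"{url.scheme}://{url.netloc}"
        if origin not in sources:
            sources.append(origin)
    return sources


def allows_any_inline(sources: list) -> bool:
    """True if the directive lets arbitrary inline scripts run (the weakness the paper measures).
    Per CSP Level 2, 'unsafe-inline' is ignored once a nonce or hash source is present."""
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    policy = build_script_src(SAMPLE_HTML)
    print("Content-Security-Policy: script-src " + " ".join(policy))
    print("permits arbitrary inline scripts:", allows_any_inline(policy))
```

Any edit to an inline script's text changes its hash, so the generated policy must be rebuilt whenever the page changes.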


Assessing the Impact of Script Gadgets on CSP at Scale

The Web, as one of the core technologies of modern society, has profoundly changed the way we interact with people and data. One of the worst attacks on the Web is Cross-Site Scripting (XSS), in

CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites

TLDR
This work proposes CSPAutoGen to enable CSP in real time, without server modifications and compatibly with real-world websites, and conducts extensive case studies on five popular websites, indicating that CSPAutoGen can preserve the behind-the-login functionalities.

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

TLDR
The "strict-dynamic" keyword is proposed, an addition to the CSP specification that facilitates the creation of policies based on cryptographic nonces, without relying on domain whitelists, in order to understand their security benefits.

On the Content Security Policy Violations due to the Same-Origin Policy

TLDR
This work describes how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin, and discusses measures to avoid CSP violations.

Strengthening Content Security Policy via Monitoring and URL Parameters Filtering

TLDR
Four extensions to strengthen CSP via a monitoring mechanism are discussed: the ability to selectively exclude whitelisted content, more fine-grained checks on URL arguments, explicit prevention of redirections to partially whitelisted origins, and an efficient reporting mechanism to collect the content allowed by a CSP enforced on a web page.

CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition

TLDR
This paper presents Compositional CSP, an extension of CSP based on runtime policy composition that is designed to overcome the limitations arising from the use of static white-lists, while avoiding a major overhaul of CSP and the logic underlying policy writing.

Enforcing Content Security by Default within Web Browsers

TLDR
By equipping every resource load with a loading context, this approach enforces an opt-out security mechanism performing security checks by default by consulting a centralized security manager.

Hardening Firefox against Injection Attacks

TLDR
This work studies common injection threats and explains how to address them systematically to harden Firefox.

SoK: All or Nothing - A Postmortem of Solutions to the Third-Party Script Inclusion Permission Model and a Path Forward

TLDR
This work creates a monitoring system in the Firefox browser which captures third-party script access to user supplied PII in HTML Form Elements, and proposes a research direction that allows web applications to take advantage of the interoperability of the web execution model while also respecting an end user's privacy and security.

SecurityAuditor: An XDriver Security Oriented Module for the Evaluation of Security Header Policies

TLDR
In this master's thesis the SecurityAuditor module was developed, an XDriver module that uses XDriver functionality to evaluate security header policies; it was concluded that XDriver resolved many Selenium exceptions.

References


Reining in the web with content security policy

TLDR
This work presents content restrictions, and a content restrictions enforcement scheme called Content Security Policy (CSP), which intends to be one such layer of real world security in layers, and shows how a system such as CSP can be effective to lock down sites and provide an early alert system for vulnerabilities on a web site.

XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks

TLDR
XSS-Guard is proposed, a new framework that is designed to be a prevention mechanism against XSS attacks on the server side that works by dynamically learning the set of scripts that a web application intends to create for any HTML request.

Waiting for CSP - Securing Legacy Web Applications with JSAgents

TLDR
JSAgents, a novel and flexible approach to defeat MI attacks using DOM meta-programming, which enforces a security policy on the DOM of the browser at a place in the markup processing chain "just before" the rendering of the markup.

Why Is CSP Failing? Trends and Challenges in CSP Adoption

TLDR
Despite being proposed as a principled and robust browser security mechanism against content injection attacks such as XSS, CSP adoption is minuscule: measurements show that CSP is deployed in enforcement mode on only 1% of the Alexa Top 100.

deDacota: toward preventing server-side XSS via automatic code and data separation

TLDR
This paper presents a novel approach to securing legacy web applications by automatically and statically rewriting an application so that the code and data are clearly separated in its web pages, which protects the application and its users from a large range of server-side cross-site scripting attacks.

Pixy: a static analysis tool for detecting Web application vulnerabilities

TLDR
This paper uses flow-sensitive, interprocedural and context-sensitive dataflow analysis to discover vulnerable points in a program and applies it to the detection of vulnerability types such as SQL injection, cross-site scripting, or command injection.

Protecting Users by Confining JavaScript with COWL

TLDR
COWL introduces label-based mandatory access control to browsing contexts in a way that is fully backward-compatible with legacy web content and allows both the inclusion of untrusted scripts in applications and the building of mashups that combine sensitive information from multiple mutually distrusting origins, all while protecting users' privacy.

CrowdFlow: Efficient Information Flow Security

TLDR
This work presents a novel approach to information flow security that distributes the tracking workload across all page visitors by probabilistically switching between two JavaScript execution modes, and reports attempts to steal information from a user's browser to a third party that maintains a blacklist of malicious URLs.

Web security testing cookbook - systematic techniques to find problems fast

TLDR
The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues while conducting unit tests, regression tests, or exploratory tests; the recipes are repeatable, concise, and systematic, making them well suited for integration into a regular test suite.

Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

TLDR
This paper combines static and dynamic analysis techniques to identify faulty sanitization procedures that can be bypassed by an attacker, and is able to identify several novel vulnerabilities that stem from erroneous sanitization procedures.