Authors: Christoph Kerschbaumer 1 ; Sid Stamm 2 and Stefan Brunthaler 3

Affiliations: 1 Mozilla Corporation, United States ; 2 Rose-Hulman Institute of Technology, United States ; 3 SBA Research, Austria

ISBN: 978-989-758-167-0

Keyword(s): Web Browser Security, Content-Security-Policy (CSP), Cross Site Scripting (XSS).

Abstract: Content Security Policy (CSP) defends against Cross Site Scripting (XSS) by restricting execution of JavaScript to a set of trusted sources listed in the CSP header. A high percentage (90%) of sites among the Alexa top 1,000 that deploy CSP use the keyword unsafe-inline, which permits all inline scripts to run, including attacker-injected scripts, making CSP ineffective against XSS attacks. We present a system that constructs a CSP policy for web sites by whitelisting only expected content scripts on a site. When deployed, this auto-generated CSP policy can effectively protect a site's visitors from XSS attacks by blocking injected (non-whitelisted) scripts from being executed. While by no means perfect, our system can provide significantly improved resistance to XSS for sites not yet using CSP.
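The policy-construction idea in the abstract (enumerate the scripts a page is expected to contain, then emit a script-src directive that admits only those) can be illustrated with a small generator. The code below is an added example written for this page; it is not the authors' system. It assumes the CSP Level 2 convention that external scripts are whitelisted by origin and inline scripts by a base64 SHA-256 hash source, and the sample page is constructed here. The final check shows why the abstract calls unsafe-inline ineffective: under such a policy an injected inline script is admitted, whereas under the generated hash-based policy it is not.

```python
"""Build a script-src directive that whitelists only the scripts present in a page
(external scripts by origin, inline scripts by SHA-256 hash), then test whether a
given inline script would be allowed to run under a policy. Added example, not the
paper's implementation."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script> without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data; capture it verbatim,
        # because a CSP hash is computed over the exact script text.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def inline_hash(script_text: str) -> str:
    """CSP hash-source for an inline script: 'sha256-<base64 of SHA-256(text)>'."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_script_src(html: str) -> str:
    """Generate a script-src directive that admits only the scripts found in html."""
    collector = ScriptCollector()
    collector.feed(html)
    sources = ["'self'"]  # same-origin scripts (relative src values) are covered here
    for src in collector.external:
        parts = urlsplit(src)
        if parts.scheme and parts.netloc:
            origin = f"{parts.scheme}://{parts.netloc}"
            if origin not in sources:
                sources.append(origin)
    for body in collector.inline:
        h = inline_hash(body)
        if h not in sources:
            sources.append(h)
    return "script-src " + " ".join(sources)


def inline_script_allowed(policy: str, script_text: str) -> bool:
    """Would a browser run this inline script under the given script-src directive?
    True if the policy carries 'unsafe-inline' or a matching hash source.
    (Browsers implementing CSP Level 2 ignore 'unsafe-inline' once a hash or nonce
    source is present; that case is not modelled here.)"""
    tokens = policy.split()
    return "'unsafe-inline'" in tokens or inline_hash(script_text) in tokens


# Constructed sample page: two external scripts and one expected inline script.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/lib.js"></script>
<script src="/static/app.js"></script>
<script>initApp({debug:false});</script>
</head><body></body></html>"""

EXPECTED_INLINE = "initApp({debug:false});"
INJECTED_INLINE = "injected()"  # stands in for any script not present when the policy was built
PERMISSIVE_POLICY = "script-src 'self' 'unsafe-inline'"


if __name__ == "__main__":
    policy = build_script_src(SAMPLE_PAGE)
    print(policy)
    print("expected inline allowed:", inline_script_allowed(policy, EXPECTED_INLINE))
    print("injected inline allowed:", inline_script_allowed(policy, INJECTED_INLINE))
    print("injected under unsafe-inline:", inline_script_allowed(PERMISSIVE_POLICY, INJECTED_INLINE))
```

The generated directive is only as good as the crawl that produced it: a script the generator never observed (a page variant, an A/B test, a late-added widget) is blocked exactly like an injected one, so a real deployment would start with Content-Security-Policy-Report-Only and a report-uri to collect violations before enforcing.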


Paper citation in several formats:
Kerschbaumer C., Stamm S. and Brunthaler S. (2016). Injecting CSP for Fun and Security. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 15-25. DOI: 10.5220/0005650100150025

@conference{icissp16,
author={Christoph Kerschbaumer and Sid Stamm and Stefan Brunthaler},
title={Injecting CSP for Fun and Security},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2016},
pages={15-25},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005650100150025},
isbn={978-989-758-167-0},
}

TY - CONF

JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Injecting CSP for Fun and Security
SN - 978-989-758-167-0
AU - Kerschbaumer C.
AU - Stamm S.
AU - Brunthaler S.
PY - 2016
SP - 15
EP - 25
DO - 10.5220/0005650100150025
