Injecting CSP for Fun and Security

Christoph Kerschbaumer, Sid Stamm, Stefan Brunthaler

Abstract

Content Security Policy (CSP) defends against Cross Site Scripting (XSS) by restricting execution of JavaScript to a set of trusted sources listed in the CSP header. A high percentage (90%) of sites among the Alexa top 1,000 that deploy CSP use the keyword unsafe-inline, which permits all inline scripts to run, including attacker-injected scripts, making CSP ineffective against XSS attacks. We present a system that constructs a CSP policy for web sites by whitelisting only expected content scripts on a site. When deployed, this auto-generated CSP policy can effectively protect a site's visitors from XSS attacks by blocking injected (non-whitelisted) scripts from being executed. While by no means perfect, our system can provide significantly improved resistance to XSS for sites not yet using CSP.

Paper Citation


in Harvard Style

Kerschbaumer C., Stamm S. and Brunthaler S. (2016). Injecting CSP for Fun and Security. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 15-25. DOI: 10.5220/0005650100150025


in Bibtex Style

@conference{icissp16,
author={Christoph Kerschbaumer and Sid Stamm and Stefan Brunthaler},
title={Injecting CSP for Fun and Security},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2016},
pages={15-25},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005650100150025},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Injecting CSP for Fun and Security
SN - 978-989-758-167-0
AU - Kerschbaumer C.
AU - Stamm S.
AU - Brunthaler S.
PY - 2016
SP - 15
EP - 25
DO - 10.5220/0005650100150025