Injecting CSP for Fun and Security

Authors: Christoph Kerschbaumer (1); Sid Stamm (2) and Stefan Brunthaler (3)

Affiliations: (1) Mozilla Corporation, United States; (2) Rose-Hulman Institute of Technology, United States; (3) SBA Research, Austria

Keyword(s): Web Browser Security, Content-Security-Policy (CSP), Cross Site Scripting (XSS).

Abstract: Content Security Policy (CSP) defends against Cross Site Scripting (XSS) by restricting execution of JavaScript to a set of trusted sources listed in the CSP header. A high percentage (90%) of sites among the Alexa top 1,000 that deploy CSP use the keyword unsafe-inline, which permits all inline scripts to run, including attacker-injected scripts, and so makes CSP ineffective against XSS attacks. We present a system that constructs a CSP policy for web sites by whitelisting only the expected content scripts on a site. When deployed, this auto-generated CSP policy can effectively protect a site's visitors from XSS attacks by blocking injected (non-whitelisted) scripts from being executed. While by no means perfect, our system can provide significantly improved resistance to XSS for sites not yet using CSP.
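As an added example (not the paper's system, whose policy construction may differ from this sketch), the following Python code collects the scripts a page is expected to load and emits a script-src directive that whitelists only those, using CSP hash-sources for inline code instead of unsafe-inline; the sample page, the injectedPayload() string and the inline_allowed() checker are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Records external script origins and inline script bodies of one page."""
    def __init__(self):
        super().__init__()
        self.origins, self.inline, self._buf = set(), [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script": return
        src = dict(attrs).get("src")
        if src is None:                 # inline script: buffer its body until </script>
            self._buf = []
            return
        u = urlparse(src)
        if not u.netloc:                # relative URL: served by the site itself
            self.origins.add("'self'")
        else:
            self.origins.add(f"{u.scheme}://{u.netloc}" if u.scheme else u.netloc)
    def handle_data(self, data):
        if self._buf is not None: self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def sha256_source(script_text):
    """CSP hash-source for an inline script body: base64(SHA-256(exact bytes))."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_script_src(html):
    """Whitelist only the scripts observed on the page; never 'unsafe-inline'."""
    collector = ScriptCollector()
    collector.feed(html)
    sources = sorted(collector.origins) + [sha256_source(s) for s in collector.inline]
    return "script-src " + " ".join(sources)

def inline_allowed(policy, script_text):
    """Would a CSP Level 2 browser run this inline script under the given script-src?"""
    tokens = policy.split()[1:]
    has_hash_or_nonce = any(t.startswith(("'sha", "'nonce-")) for t in tokens)
    if "'unsafe-inline'" in tokens and not has_hash_or_nonce:
        return True                     # the weak setting most CSP deployments use
    return sha256_source(script_text) in tokens

PAGE = ('<html><body><script src="/js/app.js"></script>'   # constructed sample page
        '<script src="https://cdn.example.com/lib.js"></script>'
        '<script>initPage(42);</script></body></html>')
```

Under the generated policy the page's own inline script still runs, while any inline script that was not present when the policy was built fails the hash check; a policy carrying unsafe-inline and no hashes lets both through.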

CC BY-NC-ND 4.0

Paper citation in several formats:
Kerschbaumer, C.; Stamm, S. and Brunthaler, S. (2016). Injecting CSP for Fun and Security. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - ICISSP; ISBN 978-989-758-167-0; ISSN 2184-4356, SciTePress, pages 15-25. DOI: 10.5220/0005650100150025

@conference{icissp16,
author={Christoph Kerschbaumer and Sid Stamm and Stefan Brunthaler},
title={Injecting CSP for Fun and Security},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - ICISSP},
year={2016},
pages={15-25},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005650100150025},
isbn={978-989-758-167-0},
issn={2184-4356},
}

TY - CONF

JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - ICISSP
TI - Injecting CSP for Fun and Security
SN - 978-989-758-167-0
IS - 2184-4356
AU - Kerschbaumer, C.
AU - Stamm, S.
AU - Brunthaler, S.
PY - 2016
SP - 15
EP - 25
DO - 10.5220/0005650100150025
PB - SciTePress