The current security model used by web browsers, the Same Origin Policy (SOP), does not support secure cross-domain communication desired by web mashup developers. The developers have to choose between no trust, where no communication is allowed, and full trust, where third-party content runs with the full privilege of the integrator. Furthermore, the SOP has its own set of security vulnerabilities and pitfalls, including Cross-Site Request Forgery, DNS rebinding and dynamic pharming. To overcome the unfortunate tradeoff between security and functionality forced upon today's mashup developers, we propose OMash, a simple abstraction that treats web pages as objects and allows objects to communicate only via their declared public interfaces. Since OMash does not rely on the SOP for controlling DOM access or cross-domain data exchange, it does not suffer from the SOP's vulnerabilities. We show that OMash satisfies the trust relationships desired by mashup authors and may be configured to be backward compatible with the SOP. We implemented a prototype of OMash using Mozilla Firefox 2.0 and demonstrated several proof-of-concept applications.
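The abstract describes three ways an integrator can treat third-party content: no trust (no communication), full trust (the third party runs with the integrator's privilege), and the OMash-style middle ground where pages are objects that talk only through declared public interfaces. The following JavaScript model, added here as an illustration and not taken from OMash or the authors' prototype, shows the three configurations side by side. All names in it (createPageObject, createMediator, gadgetAsks, getCity, the sample domains and the session token) are constructed assumptions, not OMash's API.

```javascript
// Added illustration of the "pages as objects" abstraction, written for this
// page; it is not OMash's own code, and all names below are assumptions.

// A page object keeps its private state (a stand-in for DOM, cookies and
// session data) inside a closure. Only the methods returned by
// declareInterface are reachable from other objects; nothing else can
// touch `priv`.
function createPageObject(name, privateState, declareInterface) {
  const priv = { ...privateState };
  const iface = declareInterface(priv);
  const declared = new Set(Object.keys(iface));
  return {
    name,
    declared,
    invoke(method, ...args) {
      if (!declared.has(method)) {
        throw new Error(`${name}: '${method}' is not a declared public method`);
      }
      return iface[method](...args);
    },
    // Models the SOP "full trust" case, where third-party content runs with
    // the integrator's full privilege. Used only by the 'full' trust model.
    exposeEverything() { return priv; },
  };
}

// The mediator is the only channel between objects. It applies one of the
// three trust models named in the abstract and records each call for audit.
function createMediator(trustModel) {
  const audit = [];
  return {
    audit,
    call(caller, target, method, ...args) {
      audit.push({ caller: caller.name, target: target.name, method });
      switch (trustModel) {
        case 'none':      // no communication at all
          throw new Error(`no-trust: ${caller.name} may not call ${target.name}`);
        case 'full':      // caller reads the target's raw state field `method`
          return target.exposeEverything()[method];
        case 'interface': // only declared public methods, enforced by invoke()
          return target.invoke(method, ...args);
        default:
          throw new Error(`unknown trust model ${trustModel}`);
      }
    },
  };
}

// Constructed sample objects: an integrator page and a third-party gadget.
const integrator = createPageObject(
  'integrator.example',
  { sessionToken: 'constructed-secret-token', city: 'Davis' },
  (priv) => ({ getCity: () => priv.city }) // the session token is NOT declared
);
const gadget = createPageObject(
  'weather-gadget.example',
  { cache: {} },
  (priv) => ({
    forecastFor(city) { priv.cache[city] = 'sunny'; return `${city}: sunny`; },
  })
);

// Outcome of the gadget asking the integrator for `method` under a model:
// 'blocked' if the mediator or the interface refuses, the value otherwise.
function gadgetAsks(trustModel, method) {
  const m = createMediator(trustModel);
  try { return m.call(gadget, integrator, method); } catch (e) { return 'blocked'; }
}

// Under the interface model the integrator can still call the gadget's
// declared method, so the mashup stays functional while private state stays
// private.
function interfaceRoundTrip() {
  const m = createMediator('interface');
  const city = m.call(gadget, integrator, 'getCity');
  return { forecast: m.call(integrator, gadget, 'forecastFor', city), calls: m.audit.length };
}
```

The point of the model is the asymmetry it makes visible: under 'full' the gadget can read the integrator's session token directly, under 'none' it cannot even ask for the city, and under 'interface' it gets exactly the declared getCity and nothing more, while the mediator's audit log shows every cross-object call.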