Invasive browser sniffing and countermeasures
Proceedings of the 15th international conference on World Wide Web
Protecting browser state from web privacy attacks
Proceedings of the 15th international conference on World Wide Web
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Protection and communication abstractions for web browsers in MashupOS
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
BrowserShield: vulnerability-driven filtering of dynamic HTML
OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Protecting browsers from dns rebinding attacks
Proceedings of the 14th ACM conference on Computer and communications security
SpyProxy: execution-based detection of malicious web content
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
SOMA: mutual approval for included content in web pages
Proceedings of the 15th ACM conference on Computer and communications security
Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection
Financial Cryptography and Data Security
Protecting browsers from cross-origin CSS attacks
Proceedings of the 17th ACM conference on Computer and communications security
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Towards client-side HTML security policies
HotSec'11 Proceedings of the 6th USENIX conference on Hot topics in security
Protecting private web content from embedded scripts
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
App isolation: get the security of multiple browsers with just one
Proceedings of the 18th ACM conference on Computer and communications security
WebJail: least-privilege integration of third-party components in web mashups
Proceedings of the 27th Annual Computer Security Applications Conference
Attacks on WebView in the Android system
Proceedings of the 27th Annual Computer Security Applications Conference
Practical end-to-end web content integrity
Proceedings of the 21st international conference on World Wide Web
JavaScript in JavaScript (js.js): sandboxing third-party scripts
WebApps'12 Proceedings of the 3rd USENIX conference on Web Application Development
Establishing browser security guarantees through formal shim verification
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Clickjacking: attacks and defenses
Security'12 Proceedings of the 21st USENIX conference on Security symposium
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
You are what you include: large-scale evaluation of remote javascript inclusions
Proceedings of the 2012 ACM conference on Computer and communications security
Scriptless attacks: stealing the pie without touching the sill
Proceedings of the 2012 ACM conference on Computer and communications security
The bug that made me president a browser- and web-security case study on helios voting
VoteID'11 Proceedings of the Third international conference on E-Voting and Identity
JSand: complete client-side sandboxing of third-party JavaScript without browser modifications
Proceedings of the 28th Annual Computer Security Applications Conference
When tolerance causes weakness: the case of injection-friendly browsers
Proceedings of the 22nd international conference on World Wide Web
deDacota: toward preventing server-side XSS via automatic code and data separation
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
PreparedJS: secure script-templates for javascript
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
A survey on server-side approaches to securing web applications
ACM Computing Surveys (CSUR)
Hi-index | 0.00 |
The last three years have seen a dramatic increase in both awareness and exploitation of Web Application Vulnerabilities. 2008 and 2009 saw dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, clickjacking, etc. While an ideal solution may be to develop web applications free from any exploitable vulnerabilities, real world security is usually provided in layers. We present content restrictions, and a content restrictions enforcement scheme called Content Security Policy (CSP), which intends to be one such layer. Content restrictions allow site designers or server administrators to specify how content interacts on their web sites-a security mechanism desperately needed by the untamed Web. These content restrictions rules are activated and enforced by supporting web browsers when a policy is provided for a site via HTTP, and we show how a system such as CSP can be effective to lock down sites and provide an early alert system for vulnerabilities on a web site. Our scheme is also easily deployed, which is made evident by our prototype implementation in Firefox and on the Mozilla Add-Ons web site.