Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
BrowserShield: vulnerability-driven filtering of dynamic HTML
OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Talking to strangers without taking their candy: isolating proxied content
Proceedings of the 1st Workshop on Social Network Systems
Securing frame communication in browsers
Communications of the ACM - One Laptop Per Child: Vision vs. Reality
Lightweight self-protecting JavaScript
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
A lattice-based approach to mashup security
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Reining in the web with content security policy
Proceedings of the 19th international conference on World wide web
Noninterference through Secure Multi-execution
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
GATEKEEPER: mostly static enforcement of security and reliability policies for javascript code
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Automatic and precise client-side protection against CSRF attacks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
CsFire: transparent client-side mitigation of malicious cross-domain requests
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
Security of web mashups: a survey
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
Safe wrappers and sane policies for self protecting javascript
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
A two-tier sandbox architecture for untrusted JavaScript
Proceedings of the Workshop on JavaScript Tools
Better security and privacy for web browsers: a survey of techniques, and a new implementation
FAST'11 Proceedings of the 8th international conference on Formal Aspects of Security and Trust
You are what you include: large-scale evaluation of remote javascript inclusions
Proceedings of the 2012 ACM conference on Computer and communications security
JSand: complete client-side sandboxing of third-party JavaScript without browser modifications
Proceedings of the 28th Annual Computer Security Applications Conference
Aspectizing JavaScript security
Proceedings of the 3rd workshop on Modularity in systems software
PreparedJS: secure script-templates for javascript
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
| Hi-index | 0.00 |
In the last decade, the Internet landscape has transformed from a mostly static world into Web 2.0, where the use of web applications and mashups has become a daily routine for many Internet users. Web mashups are web applications that combine data and functionality from several sources or components. Ideally, these components contain benign code from trusted sources. Unfortunately, the reality is very different. Web mashup components can misbehave and perform unwanted actions on behalf of the web mashup's user. Current mashup integration techniques either impose no restrictions on the execution of a third-party component, or simply rely on the Same-Origin Policy. A least-privilege approach, in which a mashup integrator can restrict the functionality available to each component, can not be implemented using the current integration techniques, without ownership over the component's code. We propose WebJail, a novel client-side security architecture to enable least-privilege integration of components into a web mashup, based on high-level policies that restrict the available functionality in each individual component. The policy language was synthesized from a study and categorization of sensitive operations in the upcoming HTML 5 JavaScript APIs, and full mediation is achieved via the use of deep aspects in the browser. We have implemented a prototype of WebJail in Mozilla Firefox 4.0, and applied it successfully to mainstream platforms such as iGoogle and Facebook. In addition, microbenchmarks registered a negligible performance penalty for page load-time (7ms), and the execution overhead in case of sensitive operations (0.1ms).