Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
ESCUDO: A Fine-Grained Protection Model for Web Browsers
ICDCS '10 Proceedings of the 2010 IEEE 30th International Conference on Distributed Computing Systems
Modern web applications combine content from several sources (with varying security characteristics) and incorporate a significant portion of user-supplied content to enrich the browsing experience. However, the de facto web protection model, the same-origin policy (SOP), has not adequately evolved to manage the security consequences of this additional complexity. As a result, web applications are subject to a broad sphere of attacks (cross-site scripting, cross-site request forgery and others). The fundamental problem is the failure of access control. To solve this, in this work we present DIEGO, a new fine-grained access control model for web browsers. Our overall design approach is to combine the mandatory access control (MAC) principles of operating systems with a tag-pairing isolation technique in order to provide stealthy protection. To support backwards compatibility, DIEGO defaults to the same-origin policy (SOP) for web applications.