JSCSP: A novel policy-based XSS defense mechanism for browsers
To mitigate cross-site scripting attacks (XSS), the W3C group recommends web service providers to employ a computer security standard called Content Security Policy (CSP). However, less than 3.7 percent of real-world websites are equipped with CSP according to Google’s survey. The low scalability of...
Saved in:
| Main Authors: | , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2022
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/7083 https://ink.library.smu.edu.sg/context/sis_research/article/8086/viewcontent/09144421.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-8086 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-80862022-04-07T07:41:17Z JSCSP: A novel policy-based XSS defense mechanism for browsers XU, Guangquan XIE, Xiaofei HUANG, Shuhan ZHANG, Jun PAN, Lei LOU, Wei LIANG, Kaitai To mitigate cross-site scripting attacks (XSS), the W3C group recommends web service providers to employ a computer security standard called Content Security Policy (CSP). However, less than 3.7 percent of real-world websites are equipped with CSP according to Google’s survey. The low scalability of CSP is incurred by the difficulty of deployment and non-compatibility for state-of-art browsers. To explore the scalability of CSP, in this article, we propose JavaScript based CSP (JSCSP), which is able to support most of real-world browsers but also to generate security policies automatically. Specifically, JSCSP offers a novel self-defined security policy which enforces essential confinements to related items, including JavaScript functions, DOM elements and data access. Meanwhile, JSCSP has an efficient algorithm to automatically generate the policy directives and enforce them in a cascading way, which is more fine-grained and practical than the functionalities provided by CSP. We further implement JSCSP on a Chrome extension, and our evaluation shows that the extension is compatible with popular JavaScript libraries. Our JSCSP extension can detect and block the tested attacking vectors extracted from the prevalent web applications. We state that JSCSP delivers better performance compared to other XSS defense solutions. 2022-03-01T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/7083 info:doi/10.1109/TDSC.2020.3009472 https://ink.library.smu.edu.sg/context/sis_research/article/8086/viewcontent/09144421.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Cross-site scripting attacks content security policy origin confinement JavaScript sandbox cookie protection Programming Languages and Compilers Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Cross-site scripting attacks content security policy origin confinement JavaScript sandbox cookie protection Programming Languages and Compilers Software Engineering |
| spellingShingle |
Cross-site scripting attacks content security policy origin confinement JavaScript sandbox cookie protection Programming Languages and Compilers Software Engineering XU, Guangquan XIE, Xiaofei HUANG, Shuhan ZHANG, Jun PAN, Lei LOU, Wei LIANG, Kaitai JSCSP: A novel policy-based XSS defense mechanism for browsers |
| description |
To mitigate cross-site scripting attacks (XSS), the W3C group recommends web service providers to employ a computer security standard called Content Security Policy (CSP). However, less than 3.7 percent of real-world websites are equipped with CSP according to Google’s survey. The low scalability of CSP is incurred by the difficulty of deployment and non-compatibility for state-of-art browsers. To explore the scalability of CSP, in this article, we propose JavaScript based CSP (JSCSP), which is able to support most of real-world browsers but also to generate security policies automatically. Specifically, JSCSP offers a novel self-defined security policy which enforces essential confinements to related items, including JavaScript functions, DOM elements and data access. Meanwhile, JSCSP has an efficient algorithm to automatically generate the policy directives and enforce them in a cascading way, which is more fine-grained and practical than the functionalities provided by CSP. We further implement JSCSP on a Chrome extension, and our evaluation shows that the extension is compatible with popular JavaScript libraries. Our JSCSP extension can detect and block the tested attacking vectors extracted from the prevalent web applications. We state that JSCSP delivers better performance compared to other XSS defense solutions. |
| format |
text |
| author |
XU, Guangquan XIE, Xiaofei HUANG, Shuhan ZHANG, Jun PAN, Lei LOU, Wei LIANG, Kaitai |
| author_facet |
XU, Guangquan XIE, Xiaofei HUANG, Shuhan ZHANG, Jun PAN, Lei LOU, Wei LIANG, Kaitai |
| author_sort |
XU, Guangquan |
| title |
JSCSP: A novel policy-based XSS defense mechanism for browsers |
| title_short |
JSCSP: A novel policy-based XSS defense mechanism for browsers |
| title_full |
JSCSP: A novel policy-based XSS defense mechanism for browsers |
| title_fullStr |
JSCSP: A novel policy-based XSS defense mechanism for browsers |
| title_full_unstemmed |
JSCSP: A novel policy-based XSS defense mechanism for browsers |
| title_sort |
jscsp: a novel policy-based xss defense mechanism for browsers |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2022 |
| url |
https://ink.library.smu.edu.sg/sis_research/7083 https://ink.library.smu.edu.sg/context/sis_research/article/8086/viewcontent/09144421.pdf |
| _version_ |
1770576208786882560 |