Waiting for CSP — Securing Legacy Web Applications with JSAgents

Mario Heiderich, Marcus Niemietz, Jörg Schwenk

Waiting for CSP — Securing Legacy Web Applications with JSAgents, ESORICS 2015, 20th European Symposium on Research in Computer Security


Abstract

Markup Injection (MI) attacks, ranging from classical Cross-Site Scripting (XSS) and DOMXSS to Scriptless Attacks, pose a major threat for web applications, browser extensions, and mobile apps. To mitigate MI attacks, we propose JSAgents, a novel and flexible approach to defeat MI attacks using DOM meta-programming. Specifically, we enforce a security policy on the DOM of the browser at a place in the markup processing chain “just before” the rendering of the markup. This approach has many advantages: obfuscation has already been removed from the markup when it enters the DOM, mXSS attack vectors are visible, and, last but not least, the (client-side) protection can be individually tailored to fit the needs of web applications.

JSAgents policies look similar to CSP policies, and indeed large parts of CSP can be implemented with JSAgents. However, there are three main differences: (1) Contrary to CSP, the source code of legacy web applications need not be modified; instead, the policy is adapted to the application. (2) Whereas CSP can only apply one policy to a complete HTML document, JSAgents is able, through a novel cascading enforcement, to apply different policies to each element in the DOM; this property is essential in dealing with JavaScript event handlers and URIs. (3) JSAgents enables novel features like coarse-grained access control: e.g. we may block read/write access to HTML form elements for all scripts, but human users can still insert data (which may be interesting for password and PIN fields).
