Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song.

Slides:



Advertisements
Similar presentations
Ben Livshits and Úlfar Erlingsson Microsoft Research.
Advertisements

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture
Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.
Outline IS400: Development of Business Applications on the Internet Fall 2004 Instructor: Dr. Boris Jukic JavaScript: Introduction to Scripting.
MSc. Publishing on WWW JavaScript. What is JavaScript? A scripting language devised by Netscape Adds functionality to web pages by: Embedding code into.
Kashif Jalal CA-240 (072) Web Development Using ASP.NET CA – 240 Kashif Jalal Welcome to week – 2 of…
1 Software Testing and Quality Assurance Lecture 33 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.
1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.
Satzinger, Jackson, and Burd Object-Orieneted Analysis & Design
DT228/3 Web Development JSP: Directives and Scripting elements.
Website Generator for SoftLab By Yohann SABBAH & Mikael V.H Cohen -Under the supervision of Viktor Kulikov- Final Presentation 7/20/2015.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
UNIT-V The MVC architecture and Struts Framework.
Martin Kruliš by Martin Kruliš (v1.0)1.
Overview of JSP Technology. The need of JSP With servlets, it is easy to – Read form data – Read HTTP request headers – Set HTTP status codes and response.
JavaScript: Control Structures September 27, 2005 Slides modified from Internet & World Wide Web: How to Program (3rd) edition. By Deitel, Deitel,
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholder to insert your own image. WEB.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
JavaScript Heap Analysis: From Browser Exploits to Safe JavaScript Subsets Adam Barth Joel Weinberger Matt Finifter Dawn Song University of California,
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.
Project Proposal Interface Design Website Coding Website Testing & Launching Website Maintenance.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Design Patterns Phil Smith 28 th November Design Patterns There are many ways to produce content via Servlets and JSPs Understanding the good, the.
Krishna Mohan Koyya Glarimy Technology Services
1 Accelerated Web Development Course JavaScript and Client side programming Day 2 Rich Roth On The Net
Introduction to Applets CS 3505 Client Side Scripting with applets.
CMPS 211 JavaScript Topic 1 JavaScript Syntax. 2Outline Goals and Objectives Goals and Objectives Chapter Headlines Chapter Headlines Introduction Introduction.
Isolating JavaScript in Dynamic Code Environments Execution Environments for Cloud Applications – Spring 2011.
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/
Cross Site Scripting and its Issues By Odion Oisamoje.
ASP (Active Server Pages) by Bülent & Resul. Presentation Outline Introduction What is an ASP file? How does ASP work? What can ASP do? Differences Between.
Internet & World Wide Web How to Program, 5/e © by Pearson Education, Inc. All Rights Reserved.
By Adam Barth, Joel Weinberger and Dawn Song.  Current JavaScript Security Model  Cross-Origin JavaScript Capability Leaks  Capability Leak Detection.
Chapter 3 Creating Dynamic Web Sites Part 1. Large Sites ”complex sites demand compartmentalization of some HTML or PHP code”.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
JavaScript Introduction. Slide 2 Lecture Overview JavaScript background The purpose of JavaScript A first JavaScript example Introduction to getElementById.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 JSP Application Models.
Basic JSP Celsina Bignoli Problems with Servlets Servlets contain –request processing, –business logic –response generation all lumped.
1 Isolating Web Programs in Modern Browser Architectures CS6204: Cloud Environment Spring 2011.
Securing Angular Apps Brian Noyes
Chapter 3 JSP Overview. The Problem with Servlets processing the request and generating the response are both handled by a single servlet class Java programming.
JavaScript Dynamic Active Web Pages Client Side Scripting.
Chapter 15 Introducing jQuery Part 1. What is JavaScript? A programming language to add dynamic features to a web page. Client side.
Wes Preston DEV 202. Audience: Info Workers, Dev A deeper dive into use-cases where client-side rendering (CSR) and SharePoint’s JS Link property can.
JavaScript Invented 1995 Steve, Tony & Sharon. A Scripting Language (A scripting language is a lightweight programming language that supports the writing.
Vineel Vutukuri. What is SPA? Why SPA? Pros & Cons When to use SPA?
Objective % Select and utilize tools to design and develop websites.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Scripted Page Web App Development (Java Server Pages)
Michael Robertson Yuta Takayama Google Closure Tools.
Haritha Dasari Josue Balandrano Coronel -
BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
Objective % Select and utilize tools to design and develop websites.
Microsoft FrontPage 2003 Illustrated Complete
Top Reasons to Choose Angular. Angular is well known for developing robust and adaptable Single Page Applications (SPA). The Application structure is.
04 | Web Applications Gerry O’Brien | Technical Content Development Manager Paul Pardi | Senior Content Publishing Manager.
Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter,
Web Development Using ASP .NET
JavaServer Faces: The Fundamentals
Unit 6 part 3 Test Javascript Test.
Web Client Side Technologies Raneem Qaddoura
Cross-Site Scripting Attack (XSS)
Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago
Presentation transcript:

Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song

MySpace

Samy Worm

Content Injection The insertion of untrusted data, structure, or code into an application

Key Points Explicit policies form a compelling, unique point in the content injection protection design space The current trade-offs in explicit policy systems make none of the current systems completely viable Explicit policies are the way forward, but we need new system designs

Content Injection Forum Post #1 This is the content of the post.

Content Injection Forum Post #1 alert(document.cookie);

Policies Forum Post #1 alert(document.cookie); Trusted Untrusted Trusted

Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization is hard Shameless plug for our ESORICS 2011 paper: A Systematic Analysis of XSS Sanitization in Web Application Frameworks

Implicit Policies Browser Web Application Policy

Explicit Policies Browser Web Application Policy

Key Points Explicit policies form a compelling, unique point in the content injection protection design space The current trade-offs in explicit policy systems make none of the current systems completely viable Explicit policies are the way forward, but we need new system designs

Explicit Policy Systems BEEP BLUEPRINT Content Security Policy (CSP)

BEEP Hashes of allowed scripts Performance: good Dynamic scripts are very hard to get right Only XSS

BLUEPRINT Structural description of page, enforced by JavaScript library Performance: poor Does not trust the browser’s parser Very fine grained granularity

Content Security Policy (CSP) Specify allowed behaviors of page Performance: ? Only handles some content injection Coarse grained What is the affect on how applications are written?

Applying CSP to Applications How does CSP affect Web applications? Apply CSP to Bugzilla and HotCRP Measure performance of applications and how the applications were changed

CSP Study Developer effort to retrofit applications to be CSP compatible is large Template variables cannot be used in scripts Need to lookup data through JavaScript Template logic no longer affects scripts

CSP Study PageNo Inline JSAsync JS index.cgi14.8%-3.0% editsettings.cgi6.3%5.1% enter_bug.cgi57.6%44.2% show_bug.cgi51.5%4.0% PageNo Inline JSAsync JS index.php45.3%37.2% search.php52.9%50.4% settings.php23.3%16.1% paper.php61.1%58.5% contacts.php67.8%35.5% Bugzilla HotCRP

Key Points Explicit policies form a compelling, unique point in the content injection protection design space The current trade-offs in explicit policy systems make none of the current systems completely viable Explicit policies are the way forward, but we need new system designs

Explicit Policies: The Good and the Bad Provide a separation policy from application Not doing this makes security hard Simple or complex: you choose Not good at performance and developer usability

Towards the Future Policy systems are useful and should be how we approach content injection CSP has some great properties, but suffers when applied to current applications How can we combine features from these different systems?

Key Points Explicit policies form a compelling, unique point in the content injection protection design space The current trade-offs in explicit policy systems make none of the current systems completely viable Explicit policies are the way forward, but we need new system designs

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.