Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song.

Published byHollie Simmons Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song."— Presentation transcript:

1 Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song

2 MySpace

3 Samy Worm

4 Content Injection The insertion of untrusted data, structure, or code into an application

5 Key Points Explicit policies form a compelling, unique point in the content injection protection design space The current trade-offs in explicit policy systems make none of the current systems completely viable Explicit policies are the way forward, but we need new system designs

6 Content Injection Forum Post #1 This is the content of the post.

7 Content Injection Forum Post #1 alert(document.cookie);

8 Policies Forum Post #1 alert(document.cookie); Trusted Untrusted Trusted

9 Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization is hard Shameless plug for our ESORICS 2011 paper: A Systematic Analysis of XSS Sanitization in Web Application Frameworks

10 Implicit Policies Browser Web Application Policy

11 Explicit Policies Browser Web Application Policy

12 Key Points Explicit policies form a compelling, unique point in the content injection protection design space The current trade-offs in explicit policy systems make none of the current systems completely viable Explicit policies are the way forward, but we need new system designs

13 Explicit Policy Systems BEEP BLUEPRINT Content Security Policy (CSP)

14 BEEP Hashes of allowed scripts Performance: good Dynamic scripts are very hard to get right Only XSS

15 BLUEPRINT Structural description of page, enforced by JavaScript library Performance: poor Does not trust the browser’s parser Very fine grained granularity

16 Content Security Policy (CSP) Specify allowed behaviors of page Performance: ? Only handles some content injection Coarse grained What is the affect on how applications are written?

17 Applying CSP to Applications How does CSP affect Web applications? Apply CSP to Bugzilla and HotCRP Measure performance of applications and how the applications were changed

18 CSP Study Developer effort to retrofit applications to be CSP compatible is large Template variables cannot be used in scripts Need to lookup data through JavaScript Template logic no longer affects scripts

19 CSP Study PageNo Inline JSAsync JS index.cgi14.8%-3.0% editsettings.cgi6.3%5.1% enter_bug.cgi57.6%44.2% show_bug.cgi51.5%4.0% PageNo Inline JSAsync JS index.php45.3%37.2% search.php52.9%50.4% settings.php23.3%16.1% paper.php61.1%58.5% contacts.php67.8%35.5% Bugzilla HotCRP

20 Key Points Explicit policies form a compelling, unique point in the content injection protection design space The current trade-offs in explicit policy systems make none of the current systems completely viable Explicit policies are the way forward, but we need new system designs

21 Explicit Policies: The Good and the Bad Provide a separation policy from application Not doing this makes security hard Simple or complex: you choose Not good at performance and developer usability

22 Towards the Future Policy systems are useful and should be how we approach content injection CSP has some great properties, but suffers when applied to current applications How can we combine features from these different systems?

23 Key Points Explicit policies form a compelling, unique point in the content injection protection design space The current trade-offs in explicit policy systems make none of the current systems completely viable Explicit policies are the way forward, but we need new system designs

Download ppt "Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song."

Similar presentations

Ben Livshits and Úlfar Erlingsson Microsoft Research.

Ben Livshits and Úlfar Erlingsson Microsoft Research.
Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.

THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.

Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.
Outline IS400: Development of Business Applications on the Internet Fall 2004 Instructor: Dr. Boris Jukic JavaScript: Introduction to Scripting.

Outline IS400: Development of Business Applications on the Internet Fall 2004 Instructor: Dr. Boris Jukic JavaScript: Introduction to Scripting.
MSc. Publishing on WWW JavaScript. What is JavaScript? A scripting language devised by Netscape Adds functionality to web pages by: Embedding code into.

MSc. Publishing on WWW JavaScript. What is JavaScript? A scripting language devised by Netscape Adds functionality to web pages by: Embedding code into.
Kashif Jalal CA-240 (072) Web Development Using ASP.NET CA – 240 Kashif Jalal Welcome to week – 2 of…

Kashif Jalal CA-240 (072) Web Development Using ASP.NET CA – 240 Kashif Jalal Welcome to week – 2 of…
1 Software Testing and Quality Assurance Lecture 33 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.

1 Software Testing and Quality Assurance Lecture 33 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.
1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.

1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.
Satzinger, Jackson, and Burd Object-Orieneted Analysis & Design

Satzinger, Jackson, and Burd Object-Orieneted Analysis & Design
DT228/3 Web Development JSP: Directives and Scripting elements.

DT228/3 Web Development JSP: Directives and Scripting elements.
Website Generator for SoftLab By Yohann SABBAH & Mikael V.H Cohen -Under the supervision of Viktor Kulikov- Final Presentation 7/20/2015.

Website Generator for SoftLab By Yohann SABBAH & Mikael V.H Cohen -Under the supervision of Viktor Kulikov- Final Presentation 7/20/2015.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
UNIT-V The MVC architecture and Struts Framework.

UNIT-V The MVC architecture and Struts Framework.

Similar presentations

Ads by Google