(2019) ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices.
|
Text
musch2019scriptprotect.pdf Download (810kB) | Preview |
Abstract
The direct client-side inclusion of cross-origin JavaScript resources in Web applications is a pervasive practice to consume third-party services and to utilize externally provided libraries. The downside of this practice is that such external code runs in the same context and with the same privileges as the first-party code. Thus, all potential security problems in the code directly affect the including site. To explore this problem, we present an empirical study which shows that more than 25% of all sites affected by Client-Side Cross-Site Scripting are only vulnerable due to a flaw in the included third-party code. Motivated by this finding, we propose ScriptProtect, a non-intrusive transparent protective measure to address security issues introduced by external script resources. ScriptProtect automatically strips third-party code from the ability to conduct unsafe string-to-code conversions. Thus, it effectively removes the root-cause of Client-Side XSS without affecting first-party code in this respective. As ScriptProtect is realized through a lightweight JavaScript instrumentation, it does not require changes to the browser and only incurs a low runtime overhead of about 6%. We tested its compatibility on the Alexa Top 5,000 and found that 30% of these sites could benefit from ScriptProtect’s protection today without changes to their application code.
Item Type: | Conference or Workshop Item (A Paper) (Paper) |
---|---|
Divisions: | Ben Stock (Secure Web Applications Group, SWAG) |
Conference: | ASIACCS ACM ASIA Conference on Computer and Communications Security |
Depositing User: | Ben Stock |
Date Deposited: | 23 May 2019 17:58 |
Last Modified: | 11 May 2021 10:33 |
Primary Research Area: | NRA5: Empirical & Behavioral Security |
URI: | https://publications.cispa.saarland/id/eprint/2894 |
Actions
Actions (login required)
View Item |