PreparedJS: Secure Script-Templates for JavaScript

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7967)

Abstract

Content Security Policy (CSP) provides a powerful means to mitigate most XSS exploits. However, CSP's protection is incomplete: insecure server-side JavaScript generation and attacker control over script sources can lead to XSS conditions which CSP cannot mitigate. In this paper we propose PreparedJS, an extension to CSP which takes these weaknesses into account. By combining a safe script-templating mechanism with a lightweight script-checksumming scheme, PreparedJS fills the identified gaps in CSP's protection capabilities.



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Johns, M. (2013). PreparedJS: Secure Script-Templates for JavaScript. In: Rieck, K., Stewin, P., Seifert, JP. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2013. Lecture Notes in Computer Science, vol 7967. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39235-1_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-39235-1_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39234-4

  • Online ISBN: 978-3-642-39235-1
