DOI: 10.1145/1455770.1455783
Research article, CCS '08 conference proceedings

SOMA: mutual approval for included content in web pages

Published: 27 October 2008

Abstract

Unrestricted information flows are a key security weakness of current web design. Cross-site scripting, cross-site request forgery, and other attacks typically require that information be sent or retrieved from arbitrary, often malicious, web servers. In this paper we propose Same Origin Mutual Approval (SOMA), a new policy for controlling information flows that prevents common web vulnerabilities. By requiring site operators to specify approved external domains for sending or receiving information, and by requiring those external domains to also approve interactions, we prevent page content from being retrieved from malicious servers and sensitive information from being communicated to an attacker. SOMA is compatible with current web applications and is incrementally deployable, providing immediate benefits for clients and servers that implement it. SOMA has an overhead of one additional HTTP request per domain accessed and can be implemented with minimal effort by application and web browser developers. To evaluate our proposal, we have developed a Firefox SOMA add-on.
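The mutual-approval rule the abstract describes, as an added example in JavaScript that is not the paper's Firefox add-on code: the browser fetches a cross-origin resource only if the including site lists the external domain in its own manifest and that external domain in turn approves the including site's origin. The manifest path `/soma-manifest` (one approved origin per line), the approval path `/soma-approval?d=<origin>` answered with YES or NO, the in-memory stand-in for the network, and every origin below are assumptions made for this example and are not stated on this page; failing closed when a provider gives no explicit YES is likewise this example's choice, not a claim about the add-on.

```javascript
// Added example, not the paper's Firefox add-on: a toy model of the SOMA
// decision for one cross-origin include. A cross-origin load is allowed only
// when BOTH the including site (via its manifest) and the content-providing
// domain (via its approval endpoint) approve the pairing.
//
// Assumptions not stated on this page: the manifest lives at /soma-manifest
// (one approved origin per line) and the provider answers
// /soma-approval?d=<including origin> with "YES" or "NO". Origins below are
// constructed sample data served by an in-memory stand-in for the network.

const NETWORK = {
  "https://news.example": {
    "/soma-manifest": "https://cdn.example\nhttps://ads.example\n",
  },
  "https://cdn.example": {
    "/soma-approval": (d) => (d === "https://news.example" ? "YES" : "NO"),
  },
  "https://ads.example": {
    // Listed in the manifest, but the provider refuses: include is blocked.
    "/soma-approval": () => "NO",
  },
  "https://evil.example": {
    // Approves everyone, but is not in the manifest: never even consulted.
    "/soma-approval": () => "YES",
  },
};

// Synchronous stand-in for fetch() that records every request it makes, so
// the per-domain overhead can be measured.
function makeFetcher(network) {
  const log = [];
  return {
    log,
    get(origin, path, query) {
      log.push(origin + path + (query ? "?d=" + query : ""));
      const host = network[origin];
      if (!host || !(path in host)) return null; // behaves like a 404
      const resource = host[path];
      return typeof resource === "function" ? resource(query) : resource;
    },
  };
}

// A manifest is a newline-separated list of approved origins; null means the
// site serves no manifest at all.
function parseManifest(text) {
  if (text === null) return null;
  return new Set(text.split(/\r?\n/).map((l) => l.trim()).filter(Boolean));
}

// Returns allows(pageOrigin, targetOrigin): may a page from pageOrigin embed
// a resource from targetOrigin? Manifests and approvals are cached, so each
// external domain costs one extra request per page origin (the "one
// additional HTTP request per domain" in the abstract).
function createSomaPolicy(fetcher) {
  const manifests = new Map();
  const approvals = new Map();
  return function allows(pageOrigin, targetOrigin) {
    if (pageOrigin === targetOrigin) return true; // same-origin: unchanged

    if (!manifests.has(pageOrigin)) {
      manifests.set(pageOrigin, parseManifest(fetcher.get(pageOrigin, "/soma-manifest")));
    }
    const manifest = manifests.get(pageOrigin);
    // Incremental deployment: a site with no manifest keeps today's behaviour.
    if (manifest === null) return true;
    // First half of the mutual approval: the site must list the domain. An
    // unlisted domain is rejected without ever contacting it.
    if (!manifest.has(targetOrigin)) return false;

    // Second half: the listed domain must approve this page origin.
    const key = pageOrigin + " -> " + targetOrigin;
    if (!approvals.has(key)) {
      const answer = fetcher.get(targetOrigin, "/soma-approval", pageOrigin);
      // This example's choice: anything but an explicit "YES" fails closed.
      approvals.set(key, answer === "YES");
    }
    return approvals.get(key);
  };
}

// Walks the sample pairings and returns the decisions plus the request log.
function somaDemo() {
  const fetcher = makeFetcher(NETWORK);
  const allows = createSomaPolicy(fetcher);
  const page = "https://news.example";
  const decisions = {
    cdn: allows(page, "https://cdn.example"),
    cdnAgain: allows(page, "https://cdn.example"), // served from cache
    ads: allows(page, "https://ads.example"),
    evil: allows(page, "https://evil.example"),
    legacy: allows("https://legacy.example", "https://evil.example"),
  };
  return { decisions, requests: fetcher.log };
}

console.log(JSON.stringify(somaDemo(), null, 2));
```

Running it shows the two halves of the check working independently: `ads.example` is in the manifest but refuses, so it is blocked; `evil.example` would happily approve, but it never appears in the manifest, so the browser never contacts it; and the second load from `cdn.example` adds no request, so the log holds exactly one manifest fetch plus one approval per consulted domain.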



      Published In

      CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
      October 2008
      590 pages
      ISBN: 9781595938107
      DOI: 10.1145/1455770

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. cross-site request forgery (XSRF)
      2. cross-site scripting (XSS)
      3. javascript
      4. same origin policy
      5. web security

      Qualifiers

      • Research-article

      Conference

      CCS '08

      Acceptance Rates

      CCS '08 paper acceptance rate: 51 of 280 submissions (18%)
      Overall acceptance rate: 1,261 of 6,999 submissions (18%)

      Cited By

      • (2021) If It's Not Secure, It Should Not Compile. Proceedings of the 43rd International Conference on Software Engineering, pp. 1360-1372. doi:10.1109/ICSE43902.2021.00123 (22 May 2021)
      • (2021) Adopting Trusted Types in Production Web Frameworks to Prevent DOM-Based Cross-Site Scripting: A Case Study. 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 60-73. doi:10.1109/EuroSPW54576.2021.00013 (Sep 2021)
      • (2021) Web and Browser Security. Computer Security and the Internet, pp. 245-279. doi:10.1007/978-3-030-83411-1_9 (14 Oct 2021)
      • (2020) JSCSP: a Novel Policy-Based XSS Defense Mechanism for Browsers. IEEE Transactions on Dependable and Secure Computing, pp. 1-1. doi:10.1109/TDSC.2020.3009472 (2020)
      • (2019) Defending Against Web Application Attacks. IEEE Transactions on Dependable and Secure Computing 16(2), pp. 188-203. doi:10.1109/TDSC.2017.2665620 (1 Mar 2019)
      • (2018) Large-Scale Analysis of Style Injection by Relative Path Overwrite. Proceedings of the 2018 World Wide Web Conference, pp. 237-246. doi:10.1145/3178876.3186090 (10 Apr 2018)
      • (2018) Evaluation and monitoring of XSS defensive solutions: a survey, open research issues and future directions. Journal of Ambient Intelligence and Humanized Computing 10(11), pp. 4377-4405. doi:10.1007/s12652-018-1118-3 (8 Nov 2018)
      • (2017) Code-Reuse Attacks for the Web. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1709-1723. doi:10.1145/3133956.3134091 (30 Oct 2017)
      • (2017) Surviving the Web. ACM Computing Surveys 50(1), pp. 1-34. doi:10.1145/3038923 (6 Mar 2017)
      • (2017) Modelling and Mitigation of Cross-Origin Request Attacks on Federated Identity Management Using Cross Origin Request Policy. Information Systems Security, pp. 263-282. doi:10.1007/978-3-319-72598-7_16 (2 Dec 2017)
