ABSTRACT
Unrestricted information flows are a key security weakness of current web design. Cross-site scripting, cross-site request forgery, and other attacks typically require that information be sent or retrieved from arbitrary, often malicious, web servers. In this paper we propose Same Origin Mutual Approval (SOMA), a new policy for controlling information flows that prevents common web vulnerabilities. By requiring site operators to specify approved external domains for sending or receiving information, and by requiring those external domains to also approve interactions, we prevent page content from being retrieved from malicious servers and sensitive information from being communicated to an attacker. SOMA is compatible with current web applications and is incrementally deployable, providing immediate benefits for clients and servers that implement it. SOMA has an overhead of one additional HTTP request per domain accessed and can be implemented with minimal effort by application and web browser developers. To evaluate our proposal, we have developed a Firefox SOMA add-on.
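The mutual-approval rule in the abstract, as an added illustration that is not the paper's add-on code: it assumes each site publishes a manifest of the external domains it approves, each external domain answers an approval query naming the requesting origin, and a site that publishes no policy is treated as not objecting (so a deployed site is protected even when its peers are not). Policy fetches are counted to show the per-domain request overhead.

```python
# Toy model of SOMA's mutual-approval decision (constructed example).
# MANIFESTS[origin] = externals the origin approves;
# APPROVALS[external] = origins the external domain agrees to serve.
MANIFESTS = {
    "bank.example": {"cdn.example", "ads.example"},
    "evil.example": {"bank.example"},   # attacker page tries to reach the bank
}
APPROVALS = {
    "cdn.example": {"bank.example", "blog.example"},
    "ads.example": {"bank.example"},
    "bank.example": set(),              # bank serves no cross-origin requests
    "evil.example": {"bank.example"},   # attacker would gladly receive bank data
}


class SomaBrowser:
    """Client-side check; each policy lookup stands in for one HTTP request."""

    def __init__(self, manifests, approvals):
        self.tables = {"manifest": manifests, "approval": approvals}
        self.cache = {}
        self.fetches = 0

    def _fetch(self, kind, domain):
        # One request per (policy kind, domain), cached for the session.
        key = (kind, domain)
        if key not in self.cache:
            self.fetches += 1
            self.cache[key] = self.tables[kind].get(domain)   # None = no policy
        return self.cache[key]

    def allowed(self, origin, external):
        """True only if both the origin and the external domain approve."""
        if origin == external:
            return True                      # same origin: no SOMA check
        manifest = self._fetch("manifest", origin)
        approval = self._fetch("approval", external)
        origin_ok = manifest is None or external in manifest
        external_ok = approval is None or origin in approval
        return origin_ok and external_ok

    def load_page(self, origin, externals):
        """Split a page's cross-origin references into (loaded, blocked)."""
        loaded, blocked = [], []
        for domain in externals:
            (loaded if self.allowed(origin, domain) else blocked).append(domain)
        return loaded, blocked
```

Blocking bank.example to evil.example stops exfiltration from an injected script; blocking evil.example to bank.example stops the forged request, each decided by the side whose policy omits the other.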