DOI: 10.1145/2046707.2046777

Fortifying web-based applications automatically

Published: 17 October 2011

Abstract

Browser designers create security mechanisms to help web developers protect web applications, but web developers are usually slow to use these features in web-based applications (web apps). In this paper we introduce Zan, a browser-based system for applying new browser security mechanisms to legacy web apps automatically. Our key insight is that web apps often contain enough information, via web developer source-code patterns or key properties of web-app objects, to allow the browser to infer opportunities for applying new security mechanisms to existing web apps. We apply this new concept to protect authentication cookies, prevent web apps from being framed unwittingly, and perform JavaScript object deserialization safely. We evaluate Zan on up to the 1000 most popular websites for each of the three cases. We find that Zan can provide complimentary protection for the majority of potentially applicable websites automatically without requiring additional code from the web developers and with negligible incompatibility impact.

Published In

CCS '11: Proceedings of the 18th ACM Conference on Computer and Communications Security
October 2011, 742 pages
ISBN: 9781450309486
DOI: 10.1145/2046707
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. client-side defense
  2. cookies
  3. frame busting
  4. json
  5. web security

Qualifiers

  • Research-article

Conference

CCS '11

Acceptance Rates

CCS '11 Paper Acceptance Rate 60 of 429 submissions, 14%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

  • (2022) Enhancing Web Authentication Security Using Random Forest. TENCON 2022 - 2022 IEEE Region 10 Conference (TENCON), pp. 1-6. DOI: 10.1109/TENCON55691.2022.9978128. Online publication date: 1 Nov 2022.
  • (2022) Design and Application of Endangered Animal Monitoring System Based on Mobile APP. Artificial Intelligence in China, pp. 180-190. DOI: 10.1007/978-981-16-9423-3_23. Online publication date: 22 Mar 2022.
  • (2021) A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence. 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 49-59. DOI: 10.1109/EuroSPW54576.2021.00012. Online publication date: Sep 2021.
  • (2020) (In-)Security of Cookies in HTTPS: Cookie Theft by Removing Cookie Flags. IEEE Transactions on Information Forensics and Security, vol. 15, pp. 1204-1215. DOI: 10.1109/TIFS.2019.2938416. Online publication date: 2020.
  • (2020) Language-Based Web Session Integrity. 2020 IEEE 33rd Computer Security Foundations Symposium (CSF), pp. 107-122. DOI: 10.1109/CSF49147.2020.00016. Online publication date: Jun 2020.
  • (2019) Repositioning privacy concerns. Journal of Information Security and Applications, vol. 46, no. C, pp. 121-137. DOI: 10.1016/j.jisa.2019.03.010. Online publication date: 1 Jun 2019.
  • (2019) You click, I steal. International Journal of Information Security, vol. 18, no. 4, pp. 481-504. DOI: 10.1007/s10207-018-0423-3. Online publication date: 1 Aug 2019.
  • (2019) On one-time cookies protocol based on one-time password. Soft Computing. DOI: 10.1007/s00500-019-04138-5. Online publication date: 20 Jun 2019.
  • (2019) Testing for Integrity Flaws in Web Sessions. Computer Security – ESORICS 2019, pp. 606-624. DOI: 10.1007/978-3-030-29962-0_29. Online publication date: 15 Sep 2019.
  • (2018) Sub-session hijacking on the web: Root causes and prevention. Journal of Computer Security, pp. 1-25. DOI: 10.3233/JCS-181149. Online publication date: 23 Oct 2018.
