On the Integrity of Cross-Origin JavaScripts

The same-origin policy is a fundamental part of the Web. Despite the restrictions imposed by the policy, embedding third-party JavaScript code is allowed and commonly done. Nothing is guaranteed about the integrity of such code. To tackle this deficiency, solutions such as the subresource integrity standard have recently been introduced. Against this background, this paper presents the first empirical study on the temporal integrity of cross-origin JavaScript code. According to the empirical results, based on a ten-day polling period of over 35 thousand scripts collected from popular websites, (i) temporal integrity changes are relatively common; (ii) adoption of the subresource integrity standard is still in its infancy; and (iii) it is possible to statistically predict whether a temporal integrity change is likely to occur. With these results and the accompanying discussion, the paper contributes to the ongoing attempts to better understand security and privacy in the current Web.
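As an added example (not code from the paper or its authors), the following Python shows the two mechanisms the abstract rests on: computing a subresource integrity token for a script body and checking a fetched body against an `integrity` attribute as the standard prescribes (only the strongest listed algorithm counts, and an attribute with no usable token disables the check), plus a simple detector for temporal integrity changes across a constructed series of polled snapshots.

```python
import base64
import hashlib

# Hash algorithms the SRI standard allows, in order of increasing strength.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI integrity token such as 'sha384-<base64 digest>' for a script body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute the way a browser does.

    The attribute may carry several whitespace-separated tokens; only tokens using
    the strongest recognised algorithm are consulted, and the body passes if any of
    them matches. Unknown algorithms are ignored, so an attribute with no usable
    token yields True (the browser behaves as if no integrity was requested).
    """
    parsed = []
    for token in integrity.split():
        algorithm, _, value = token.partition("-")
        value = value.split("?")[0]  # drop any option-expression after '?'
        if algorithm in SRI_ALGORITHMS and value:
            parsed.append((SRI_ALGORITHMS.index(algorithm), algorithm, value))
    if not parsed:
        return True
    strongest = max(rank for rank, _, _ in parsed)
    return any(sri_digest(body, algorithm) == f"{algorithm}-{value}"
               for rank, algorithm, value in parsed if rank == strongest)


def integrity_changes(snapshots):
    """Return the 0-based poll indices at which a script's content differed from the previous poll."""
    changes, previous = [], None
    for index, body in enumerate(snapshots):
        current = sri_digest(body)
        if previous is not None and current != previous:
            changes.append(index)
        previous = current
    return changes


if __name__ == "__main__":
    # Constructed sample: the same script polled five times, changing at polls 2 and 4.
    polls = [b"var a = 1;", b"var a = 1;", b"var a = 2;", b"var a = 2;", b"var a = 1;"]
    print(sri_digest(polls[0]), integrity_changes(polls))
```

Note that the empty-attribute case is a practical caveat: a typo in the algorithm name (for example `sha-384`) leaves the script loading without any integrity check at all.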
