A Protection Mechanism against Malicious HTML and JavaScript Code in Vulnerable Web Applications

High-profile attacks using malicious HTML and JavaScript code have increased dramatically in both awareness and exploitation in recent years. Unfortunately, existing security mechanisms do not provide enough protection. We propose a new protection mechanism, PMHJ, which relies on the support of both web applications and web browsers to defend against malicious HTML and JavaScript code in vulnerable web applications. PMHJ prevents the injection of HTML elements with a random attribute value, and prevents node-split attacks with an attribute carrying the hash value of the HTML element. PMHJ ensures content security in web pages by verifying HTML elements, confining the insecure HTML usages that attackers can exploit, and disabling the JavaScript APIs that may incur injection vulnerabilities. PMHJ provides a flexible way to rein in powerful, high-risk JavaScript APIs according to the principle of least authority. The PMHJ policy is easy to deploy in real-world web applications. Test results show that PMHJ has little influence on the run time and code size of web pages.
