Defeating script injection attacks with browser-enforced embedded policies

Web sites that accept and display user-supplied content such as wiki articles or comments typically filter that content on the server to prevent injected script from running in the browsers of users who view the site. The diversity of browser parsing and rendering algorithms, combined with the desire to allow rich content, makes such filtering quite difficult: the filter must predict what every browser will interpret as script, and attacks such as the Samy and Yamanner worms have exploited exactly those filtering weaknesses. This paper proposes a simple alternative mechanism for preventing script injection called Browser-Enforced Embedded Policies (BEEP). The idea is that a web site embeds a policy in its pages that specifies which scripts are allowed to run. The browser, which knows exactly when it is about to run a script, can enforce this policy at that single point, with no need to guess how the content will be parsed. We have added BEEP support to several browsers and built tools that simplify adding policies to web applications. We found that supporting BEEP in browsers requires only small and localized modifications, that modifying web applications requires minimal effort, and that enforcing policies is generally lightweight.
