Towards Client-side HTML Security Policies

Authors

  • Joel Weinberger
  • Adam Barth
  • Dawn Xiaodong Song
Abstract

With the proliferation of content-rich web applications, content injection has become an increasing problem. Cross-site scripting is the most prominent example of this. Many systems have been designed to mitigate content injection and cross-site scripting. Notable examples are BEEP, BLUEPRINT, and Content Security Policy, which can be grouped as HTML security policies. We evaluate these systems, including the first empirical evaluation of Content Security Policy on real applications. We propose that HTML security policies should be the defense of choice in web applications going forward. We argue, however, that current systems are insufficient for the needs of web applications, and that research is needed to determine the set of properties an HTML security policy system should have. We propose several ideas for future research in this area.

Similar sources

Practical Issues with TLS Client Certificate Authentication

The most widely used secure Internet communication standard TLS (Transport Layer Security) has an optional client certificate authentication feature that in theory has significant security advantages over HTML form-based password authentication. In this paper we discuss practical security and usability issues related to TLS client certificate authentication stemming from the server side and bro...

JavaScript Instrumentation in Practice

JavaScript provides useful client-side computation facilities, enabling richer and more dynamic web applications. Unfortunately, the power and ubiquity of JavaScript has also been exploited to launch various browser-based attacks. Our previous work proposed a theoretical framework applying policy-based code instrumentation to JavaScript. This paper further reports our experience carrying out th...

Justified Cross-Site Scripting Attacks Prevention from Client-Side

Web apps are fetching towards the overriding way to offer access to web services. In parallel, vulnerabilities of web application are being revealed and unveiled at a frightening rate. Web apps frequently make JavaScript code utilization that is entrenched into web pages to defend client-side behavior which is dynamic. This script code is accomplished in the circumstance of the client’s web ...

Client-side cross-site scripting protection

Web applications are becoming the dominant way to provide access to online services. At the same time, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript code that is embedded into web pages to support dynamic client-side behavior. This script code is executed in the context of the user’s web browser. To protect ...

Evolving a Mainframe Order System into a Multi-Channel Online Brokerage System

This paper describes the online brokerage extension of GEOS (Global Entity Order System), a mainframe-based financial back-office system. The extension is implemented as a satellite system of GEOS utilising CORBA, JAVA, Servlet API and XML. It supports multiple front-ends using different user interfaces. The paper starts with a discussion of the general software requirements and gives an overvi...

Publication date: 2011