An Architecture for Enforcing JavaScript Randomization in Web2.0 Applications

Authors

  • Elias Athanasopoulos
  • Antonis Krithinakis
  • Evangelos P. Markatos
Abstract

Instruction Set Randomization (ISR) is a promising technique for preventing code-injection attacks. In this paper we present a complete randomization framework for JavaScript aiming at detecting and preventing Cross-Site Scripting (XSS) attacks. RaJa randomizes JavaScript source without changing the code structure. Only JavaScript identifiers are carefully modified and the randomized code can be mixed with many other programming languages. Thus, RaJa can be practically deployed in existing web applications, which intermix server-side, client-side and markup languages.

Similar resources

Enforcing secure information flow in client-side Web applications. (Vers l'établissement du flux d'information sûr dans les applications Web côté client)

During the last decade, Web applications have evolved from static pages presented by Web servers which centralised all computations to multi-tier applications in which computations are shared between the client and the server. In addition to this, current client-side Web applications often combine code dynamically loaded from different origins to create new functionalities. As it happens, this ...

A Two-Tier Sandbox Architecture to Enforce Modular Fine-Grained Security Policies for Untrusted JavaScript

Existing approaches to providing security for untrusted JavaScript include isolation of capabilities – a.k.a. sandboxing. Features of the JavaScript language conspire to make this nontrivial, and isolation normally requires complex filtering, transforming and wrapping untrusted code to restrict the code to a manageable subset. The latest JavaScript specification (ECMAScript 5) has been modified...

HCI 2.0?: usability meets web 2.0

The web has already dramatically changed society, but the web itself is changing. Web2.0 sites mean that users have become the producers of content and the designers of each others' viewing experience. Technologies such as AJAX combined with public Javascript libraries have allowed applications to be deployed that once would have required extensive programming. Open APIs and mashups make it dif...

Rewriting-based Dynamic Information Flow for JavaScript

JavaScript web applications often dynamically load third-party code, which in some cases can steal or corrupt important client information. In this paper, we present a rewriting-based approach for enforcing confidentiality and integrity policies that respectively specify what information can flow into and from untrusted third-party code. We have implemented our approach in the Chrome browser, an...

Integration of XVSM Spaces with the Web to Meet the Challenging Interaction Demands in Pervasive Scenarios

The current Internet is based on the REST (representational state transfer) architectural style to guarantee scalability and to decrease complexity. All interactions are stateless and the communication between client and server is carried out in a synchronous request/response way. However, applications are evolving towards more and more dynamics. In emerging Web2.0 scenarios, our devices will n...

Publication date: 2010