SOMA: Mutual approval for included content in web pages

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2008, Pages 89-98

  Oda, Terri ^a   Wurster, Glenn ^a   Van Oorschot, P C ^a   Somayaji, Anil ^a  

^a CARLETON UNIVERSITY   (Canada)

Author keywords

Cross site request forgery (XSRF); Cross site scripting (XSS); JavaScript; Same origin policy; Web security

Indexed keywords

CROSS-SITE REQUEST FORGERY (XSRF); CROSS-SITE SCRIPTING (XSS); JAVASCRIPT; SAME ORIGIN POLICY; WEB SECURITY;

HIGH LEVEL LANGUAGES; JAVA PROGRAMMING LANGUAGE; WORLD WIDE WEB;

WEB BROWSERS;

EID: 70349292390     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1455770.1455783     Document Type: Conference Paper

References (41)

1. Adobe Systems Incorporated. External data not accessible outside a Macromedia Flash movie's domain. Technical Report tn-14213, Adobe Systems Incorporated, Feb 2006.
2. Alexa top 500 sites. Web page (viewed 14 Apr 2008). http://www.alexa.com/ site/ds/top-sites? ts-mode=global&lang=none.
3. R. Auger. The cross-site request forgery (CSRF/XSRF) FAQ. Web page, Jan 2007. http : //www. cgisecurity. com/articles/csrf-faq.shtml.
4. R. Berends. Bandwidth stealing. Web page, Apr 2001. http://www.website- awards.net/articles/ article39.htm.
5. CERT advisory CA-2000-02 malicious HTML tags embedded in client web requests. Web page, Feb 2000. http://www.cert.org/advisories/ CA-2000-02.html.
6. The cross site scripting (XSS) FAQ. Web page, Aug 2003. http : //www. cgi security . com/art ides/ xss-faq.shtml.
7. R. S. Cox, J. G. Hansen, S. D. Gribble, and H. M. Levy. A safety-oriented platform for web applications. In Proc. IEEE Symposium on Security and Privacy, pages 350-364, 2006.
8. D. Dean, E. Felten, and D. Wallach. Java security: From HotJava to Netscape and beyond. In Proc. IEEE Symposium on Security and Privacy, pages 190-200, 1996.
9. S. DeDeo. Pagestats extension. Web page, May 2006. http://www.cs.wpi.edu/ ̃cew/pagestats/.
10. D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(2):236-243, 1976.
11. E. W. Felten and M. A. Schneider. Timing attacks on web privacy. In Proc. 7th ACM CCS, pages 25-32, 2000.
12. I. Goldberg, D. Wagner, R. Thomas, and E. Brewer. A secure environment for untrusted helper applications (confining the wily hacker). In Proc. 6th USENIX Security Symposium, 1996.
13. J. Grossman and T. Niedzialkowski. Hacking intranet websites from the outside - JavaScript malware just got a lot more dangerous. In Blackhat USA, Aug 2006.
14. J. Howell, C. Jackson, H. Wang, and X. Fan. MashupOS: Operating system abstractions for client mashups. In Proc. Workshop on Hot Topics in Operating Systems, May 2007.
15. C. Jackson, A. Barth, A. Bortz, W. Shao, and D. Boneh. Protecting browsers from DNS rebinding attacks. In Proc. 14th ACM CCS, 2007.
16. C. Jackson and H. J. Wang. Subspace: secure cross-domain communication for web mashups. In Proc. 16th International World Wide Web Conference, pages 611-620, 2007.
17. N. Jovanovic, E. Kirda, and C. Kruegel. Preventing cross site request forgery attacks. In Proc. 2nd IEEE Conference on Security and Privacy in Communication Networks (SecureComm), Aug 2006.
18. K. Keahey, K. Doering, and I. Foster. From sandbox to playground: Dynamic virtual environments in the grid. In Proc. 5th IEEE/ACM International Workshop on Grid Computing, pages 34-42, 2004.
19. E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A client-side solution for mitigating cross site scripting attacks. In Proc. 21st ACM Symposium on Applied Computing, Apr 2006.
20. J. Kyrnin. Are you invading your customers' privacy? Web page (viewed 14 Apr 2008). http ://webdesign . about.com/od/privacy/a/aal12601a.htm.
21. V. T. Lam, S. Antonatos, P. Akritidis, and K. G. Anagnostakis. Puppetnets: misusing web browsers as a distributed attack infrastructure. In Proc. 13th ACM CCS, pages 221-234, 2006.
22. G. Maone. NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience! Web page (viewed 14 Apr 2008). http://noscript.net/.
23. Microsoft. Mitigating cross-site scripting with HTTP-only cookies. Web page (viewed 18 Jul 2008). http://msdn.microsoft.com/en-us/library/ ms533046.aspx.
24. A. D. Miglio. "Referer" field used in the battle against online fraud. Web page, Jan 2008. http://www.Symantec.com/enterprise/ security-response/weblog/2008/01/ referer-field-used-in-the-batt.html.
25. T. Oda, G. Wurster, P. van Oorsehot, and A. Somayaji. SOMA: Mutual approval for included content in web pages. Technical Report TR-08-07, School of Computer Science, Carleton University, Apr 2008.
26. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iframes point to us. In Proc. 17th USENIX Security Symposium, Aug 2008.
27. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser: Analysis of web-based malware. In Proc. HotBots '07, 2007.
28. J. Reimer. Microsoft apologizes for serving malware. Ars Technica, Feb 2007.
29. C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. In Proc. IEEE Symposium on Security and Privacy, May 2006.
30. A. Rubin and D. Geer. Mobile code security. IEEE Journal on Internet Computing, 2(6):30-34, 1998.
31. J. Ruderman. The same origin policy. Web page, Aug 2001. http://www.mozilia.org/projects/ security/components/same-origin.html.
32. B. Schiffman. Rogue anti-virus slimeballs hide malware in ads. Wired, Nov 2007.
33. J. Schuh. Same-origin policy part 2: Server-provided policies? Web page, Feb 2007. http://taossa.com/index.php/2007/02/17/ same-origin-proposal/.
34. T. Scott. Smarter image hotlinking prevention. A List Apart, Apr 2004.
35. R. Sekar, C. R. Ramakrishnan, I. V. Ramakrishnan, and S. A. Smolka. Model-carrying code (MCC): a new paradigm for mobile-code security. In Proc. 2001 NSPW, pages 23-30, Sep2001.
36. B. Sterne. Site security policy draft (version 0.2). Web Page, Jul 2008. http://people.mozilla.org/̃bsterne/ site-security-policy/details.html.
37. L. Tauscher and S. Greenberg. How people revisit web pages: empirical findings and implications for the design of history systems. In International Journal of Human Computer Studies, 1997.
38. P. Vogt, F. Nentwich, N. Jovanovic, C. Kruegel, E. Kirda, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Proc. 14th NDSS Symposium, Feb 2007.
39. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. SIGOPS Operating System Review, 27(5):203-216, 1993.
40. H. J. Wang, X. Fan, C. Jackson, and J. Howell. Protection and communication abstractions for web browsers in MashupOS. In 21st ACM SOSP, Oct 2007.
41. WordPress.org. Enable sending referrers. Web page (viewed 14 Apr 2008). http : //codex .wordpress.org/Enable-Sending-Referrers.