Towards client-side HTML security policies

HotSec 2011 - 6th USENIX Workshop on Hot Topics in Security

Volumn , Issue , 2011, Pages

  Weinberger, Joel ^a   Barth, Adam ^b   Song, Dawn ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b GOOGLE INC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COPYRIGHTS; HTML;

CLIENT SIDES; CONTENT SECURITY; CROSS SITE SCRIPTING; EMPIRICAL EVALUATIONS; REAL APPLICATIONS; RESEARCH NEEDS; SECURITY POLICY; WEB APPLICATION;

SECURITY SYSTEMS;

EID: 84951815610     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (28)

1. Bugzilla. http://www.bugzilla,org/.
2. HotCRP. http://www.cs.ucla.edu/.kohler/hotcrp/index.html/.
3. OWASP: Top 10 2007. http://www.owasp.org/index.php/ Top_10_2007.
4. E. Athanasopoulos, V. Pappas, and E. Markatos. Code injection attacks in browsers supporting policies. In Proceedings of Web 2.0 Security and Privacy 2009, 2009.
5. P. Bisht and V. N. Venkatakrishnan. Xss-guard: Precise dynamic prevention of cross-site scripting attacks. In Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA'08, pages 23-43, Berlin, Heidelberg, 2008. Springer-Verlag.
6. F. Buclin. Bugzilla usage world wide. http://lpsolit.wordpress.com/bugzilla- usage- worldwide/.
7. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In Proceedings of the 13th international conference on World Wide Web, WWW '04, pages 40-52, New York, NY, USA, 2004. ACM.
8. T. Jim, N. Swamy, and M. Hicks. Beep: Browser-enforced embedded policies. 16th International World World Web Conference, 2007.
9. B. Livshits and M. S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the Usenix Security Symposium, 2005.
10. B. Livshits, M. Martin, and M. S. Lam. SecuriFly: Runtime protection and recovery from Web application vulnerabilities. Technical report, Stanford University, Sept. 2006.
11. B. Livshits and Úlfar Erlingsson. Using web application construction frameworks to protect against code injection attacks. In Proceedings of the 2007 workshop on Programming languages and analysis for security.
12. L. Meyerovich and B. Livshits. ConScript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In IEEE Symposium on Security and Privacy, May 2010.
13. Y. Nadji, P. Saxena, and D. Song. Document structure integrity: A robust basis for cross-site scripting defense. Proceedings of the 16th Network and Distributed System Security Symposium, 2009.
14. P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for javascript. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP'10, pages 513-528, Washington, DC, USA, 2010. IEEE Computer Society.
15. P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications. In Network & Distributed System Security Symposium, (NDSS), 2010.
16. P. Saxena, D. Molnar, and B. Livshits. Scriptgard: Preventing script injection attacks in legacy web applications with automatic sanitization. Technical report, Microsoft Research, September 2010.
17. S. Stamm. Content security policy, 2009.
18. S. Stamm, B. Sterne, and G. Markham. Reining in the web with content security policy. In Proceedings of the 19th international conference on World wide web, WWW'10, pages 921-930, New York, NY, USA, 2010. ACM.
19. Z. Su and G. Wassermann. The essence of command injection attacks in web applications. 2006.
20. Template Toolkit. http://template-toolkit.org.
21. Ter Louw, Mike and V.N. Venkatakrishnan. BluePrint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In Proceedings of the IEEE Symposium on Security and Privacy, 2009.
22. TNW: The Next Web. YouTube hacked, Justin Bieber videos targeted. http://thenextweb.com/socialmedia/2010/07/04/youtube-hacked-justin-bieber-videos-targeted/.
23. G. Wassermann and Z. Su. Sound and precise analysis of web applications for injection vulnerabilities. In Proceedings of the ACM SIGPLAN conference on Programming language design and implementation, pages 32-41, New York, NY, USA, 2007. ACM.
24. G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, and Z. Su. Dynamic test input generation for web applications. In Proceedings of the International symposium on Software testing and analysis, 2008.
25. J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song. A systematic analysis of xss sanitization in web application frameworks. In Proceedings of 16th European Symposium on Research in Computer Security (ESORICS), 2011.
26. WhiteHat Security. WhiteHat Webinar: Fall 2010 Website Statistics Report. http://www.whitehatsec.com/home/resource/presentation.html.
27. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the Usenix Security Symposium, 2006.
28. W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In Proceedings of the 15th USENIX Security Symposium, pages 121-136, 2006.