Title details
Stolz, Peter; Roth, Sebastian; Stock, Ben:
To hash or not to hash: A security assessment of CSP's unsafe-hashes expression.
2022
Event: 2022 SecWeb Workshop, co-located with the IEEE Security and Privacy Workshops (SPW), 23–26 May 2022, San Francisco, CA.
(Conference contribution: Workshop, Paper)
DOI: https://doi.org/10.1109/SPW54247.2022.9833888
Abstract
To mitigate the effect of XSS attacks, the usage of the Content Security Policy (CSP) is increasing. Such a policy allows developers to precisely control the content that should be allowed on their Web applications. Because this content includes JavaScript (via the script-src directive), it can also be an effective tool to mitigate the damage of markup injections such as XSS. Developers can specify fine-grained policies for scripts to only allow trusted third parties and to disallow the usage of functions like eval and its derivatives that directly execute strings as code. As the whole Web is still evolving, so is CSP. The experimental source expression unsafe-hashes aims to ease the adoption of secure CSPs by allowing trusted scripts to be used as inline event handlers for HTML tags, which is currently only possible by blindly allowing all inline scripts to be executed. Our goal is to analyze whether this expression is able to improve the security of a Web application or whether it mainly provides a false sense of security because it still enables attackers to bypass the CSP. We built an automatic crawler utilizing dynamic JavaScript analysis with taint tracking and forced execution to detect security vulnerabilities in inline event handlers. This crawler visited 753,715 unique URLs from the Alexa Top 1,000 domains, up to a maximum of 500 URLs per domain. We collected 735,105 individual event handlers, of which 443 had attribute values that flow into a dangerous JavaScript sink. Our manual analysis of the event handlers revealed that 370 of those handlers on 34 different domains are still vulnerable in the presence of a CSP that contains the unsafe-hashes expression. We show that attackers can exploit these flows with only partial injections, such as adding new attributes to existing tags, in most cases, and we discuss the impact of our findings on the future of the CSP standard.
Further details
| Field | Value |
|---|---|
| Publication type | Conference contribution (Paper) |
| Peer-reviewed contribution | Yes |
| University institutions | Faculties > Faculty of Mathematics, Physics and Computer Science; Faculties > Faculty of Mathematics, Physics and Computer Science > Institute of Computer Science |
| Title produced at UBT | No |
| DDC subject areas | 000 Computer science, information and general works; 000 Computer science, information and general works > 004 Computer science |
| Deposited on | 20 Jan 2025 09:24 |
| Last modified | 20 Jan 2025 09:24 |
| URI | https://eref.uni-bayreuth.de/id/eprint/91464 |