Title details
Roth, Sebastian; Backes, Michael; Stock, Ben:
Assessing the Impact of Script Gadgets on CSP at Scale.
2020
Event: 15th ACM Asia Conference on Computer and Communications Security (Asia CCS '20), 05.-09.10.2020, Taipei, Taiwan.
(Conference contribution: Congress/Conference/Symposium/Meeting, Paper)
DOI: https://doi.org/10.1145/3320269.3372201
Abstract
One of the worst attacks on the Web is XSS, in which an attacker is able to inject their malicious JS code into a Web app, giving this code full access to the victimized site. To mitigate the impact of markup injection flaws that cause XSS, support for the Content Security Policy (CSP) is nowadays shipped in all browsers. Deploying such a policy enables a Web developer to whitelist from where script code can be loaded, essentially constraining the capabilities of the attacker to only be able to execute injected code from the said whitelist. As recently shown by Lekies et al., injecting script markup is not a necessary prerequisite for a successful attack in the presence of so-called script gadgets. These small snippets of benign JavaScript code transform non-script markup contained in a page into executable JavaScript, opening the door for bypasses of a deployed CSP. Especially in combination with CSP's logic in handling redirected resources, script gadgets enable attackers to bypass an otherwise secure policy. In this paper, we therefore ask the question: is securely deploying CSP even possible without a priori knowledge of all files hosted on even a partially trusted origin? To answer this question, we investigate the severity of the findings of Lekies et al., showing real-world Web sites on which, even in the presence of CSP and without code containing such gadgets being added by the developer, an attacker can sideload libraries with known script gadgets, as long as the hosting site is whitelisted in the CSP. In combination with CSP's matching logic for redirects, this enables us to bypass 10% of otherwise secure policies in the wild. To further answer our main research question, we conduct a hypothetical what-if analysis. Doing so, we automatically generate sensible CSPs for all of the Top 10,000 sites and show that around one-third of all sites would still be susceptible to a bypass through script gadget sideloading due to heavy reliance on third parties.
Further details

| Field | Value |
|---|---|
| Publication type | Conference contribution (Paper) |
| Peer-reviewed contribution | Yes |
| University institutions | Faculties > Faculty of Mathematics, Physics and Computer Science; Faculties > Faculty of Mathematics, Physics and Computer Science > Institute of Computer Science |
| Title produced at UBT | No |
| DDC subject areas | 000 Computer science, information science, general works; 000 Computer science, information science, general works > 004 Computer science |
| Deposited on | 20 Jan 2025 11:06 |
| Last modified | 20 Jan 2025 11:06 |
| URI | https://eref.uni-bayreuth.de/id/eprint/91467 |