Title data
Roth, Sebastian; Backes, Michael; Stock, Ben:
Assessing the Impact of Script Gadgets on CSP at Scale.
2020
Event: 15th ACM Asia Conference on Computer and Communications Security (Asia CCS '20), 05.-09.10.2020, Taipei, Taiwan.
(Conference item: Conference, Paper)
DOI: https://doi.org/10.1145/3320269.3372201
Abstract in another language
One of the worst attacks on the Web is XSS, in which an attacker is able to inject their malicious JS code into a Web App, giving this code full access to the victimized site. To mitigate the impact of markup injection flaws that cause XSS, support for the Content Security Policy (CSP) is nowadays shipped in all browsers. Deploying such a policy enables a Web developer to whitelist from where script code can be loaded, essentially constraining the capabilities of the attacker to only be able to execute injected code from the said whitelist. As recently shown by Lekies et al., injecting script markup is not a necessary prerequisite for a successful attack in the presence of so-called script gadgets. These small snippets of benign JavaScript code transform non-script markup contained in a page into executable JavaScript, opening the door for bypasses of a deployed CSP. Especially in combination with CSP's logic in handling redirected resources, script gadgets enable attackers to bypass an otherwise secure policy. In this paper, we, therefore, ask the question: is securely deploying CSP even possible without a priori knowledge of all files hosted on even a partially trusted origin? To answer this question, we investigate the severity of the findings of Lekies et al., showing real-world Web sites on which, even in the presence of CSP and without code containing such gadgets being added by the developer, an attacker can sideload libraries with known script gadgets, as long as the hosting site is whitelisted in the CSP. In combination with CSP's matching logic for redirects, this enables us to bypass 10% of otherwise secure policies in the wild. To further answer our main research question, we conduct a hypothetical what-if analysis. Doing so, we automatically generate sensible CSPs for all of the Top 10,000 sites and show that around one-third of all sites would still be susceptible to a bypass through script gadget sideloading due to heavy reliance on third parties.
Further data
| Item Type: | Conference item (Paper) |
|---|---|
| Refereed: | Yes |
| Institutions of the University: | Faculties > Faculty of Mathematics, Physics and Computer Science; Faculties > Faculty of Mathematics, Physics and Computer Science > Department of Computer Science |
| Result of work at the UBT: | No |
| DDC Subjects: | 000 Computer Science, information, general works; 000 Computer Science, information, general works > 004 Computer science |
| Date Deposited: | 20 Jan 2025 11:06 |
| Last Modified: | 20 Jan 2025 11:06 |
| URI: | https://eref.uni-bayreuth.de/id/eprint/91467 |