ScriptProtect : Mitigating Unsafe Third-Party JavaScript Practices

Title information

Musch, Marius ; Steffens, Marius ; Roth, Sebastian ; Stock, Ben ; Johns, Martin:
ScriptProtect : Mitigating Unsafe Third-Party JavaScript Practices.
2019
Event: ACM Asia Conference on Computer and Communications Security (AsiaCCS '19), 9-12 July 2019, Auckland, New Zealand.
(Conference item: Congress/Conference/Symposium/Meeting, Paper)
DOI: https://doi.org/10.1145/3321705.3329841

Abstract

The direct client-side inclusion of cross-origin JavaScript resources in Web applications is a pervasive practice to consume third-party services and to utilize externally provided libraries. The downside of this practice is that such external code runs in the same context and with the same privileges as the first-party code. Thus, all potential security problems in the code directly affect the including site. To explore this problem, we present an empirical study which shows that more than 25% of all sites affected by Client-Side Cross-Site Scripting are only vulnerable due to a flaw in the included third-party code. Motivated by this finding, we propose ScriptProtect, a non-intrusive transparent protective measure to address security issues introduced by external script resources. ScriptProtect automatically strips third-party code from the ability to conduct unsafe string-to-code conversions. Thus, it effectively removes the root-cause of Client-Side XSS without affecting first-party code in this respect. As ScriptProtect is realized through a lightweight JavaScript instrumentation, it does not require changes to the browser and only incurs a low runtime overhead of about 6%. We tested its compatibility on the Alexa Top 5,000 and found that 30% of these sites could benefit from ScriptProtect’s protection today without changes to their application code.

Further information

Publication type: Conference item (Paper)
Refereed: Yes
Institutions of the University: Faculties > Faculty of Mathematics, Physics and Computer Science
Faculties > Faculty of Mathematics, Physics and Computer Science > Institute of Computer Science
Title originated at UBT: No
DDC subjects: 000 Computer science, information science, general works
000 Computer science, information science, general works > 004 Computer science
Date deposited: 20 Jan 2025 12:51
Last modified: 20 Jan 2025 12:51
URI: https://eref.uni-bayreuth.de/id/eprint/91469