Defeating Script Injection Attacks with Browser Enforced Embedded Policies

Authors: Trevor, Jim; Swamy, Nikhil; Hicks, Michael
Date accessioned: 2006-11-28T20:32:42Z
Date available: 2006-11-28T20:32:42Z
Date issued: 2006-11-02

Abstract: Web sites that accept and display content such as wiki articles or comments typically filter the content to prevent injected script code from running in browsers that view the site. The diversity of browser rendering algorithms and the desire to allow rich content makes filtering quite difficult, however, and attacks such as the Samy and Yamanner worms have exploited filtering weaknesses. To solve this problem, this paper proposes a simple mechanism called Browser-Enforced Embedded Policies (BEEP). The idea is that a web site can embed a policy inside its pages that specifies which scripts are allowed to run. The browser, which knows exactly when it will run a script, can enforce this policy perfectly. We have added BEEP support to several browsers, and built tools to simplify adding policies to web applications. We found that supporting BEEP in browsers requires only small and localized modifications, modifying web applications requires minimal effort, and enforcing policies is generally lightweight.

Format extent: 209764 bytes
Format MIME type: application/pdf
Identifier URI: http://hdl.handle.net/1903/4008
Language: en_US
Series: UM Computer Science Department; CS-TR-4835
Title: Defeating Script Injection Attacks with Browser Enforced Embedded Policies
Type: Technical Report

Files

Original bundle: paper.pdf (204.85 KB, Adobe Portable Document Format)