Track: Security, Privacy, Reliability and Ethics
Paper Title:
Defeating Script Injection Attacks with Browser-Enforced Embedded Policies
Authors:
Abstract:
Web sites that accept and display content such as wiki articles or
comments typically filter the content to prevent injected script code
from running in browsers that view the site. The diversity of browser
rendering algorithms and the desire to allow rich content makes
filtering quite difficult, however, and attacks such as the Samy and
Yamanner worms have exploited filtering weaknesses. To solve this
problem, this paper proposes a simple mechanism called
Browser-Enforced Embedded Policies (BEEP). The idea is that a web
site can embed a policy inside its pages that specifies which scripts
are allowed to run. The browser, which knows exactly when it will run
a script, can enforce this policy perfectly. We have added BEEP
support to several browsers, and built tools to simplify adding
policies to web applications. We found that supporting BEEP in
browsers requires only small and localized modifications, modifying
web applications requires minimal effort, and enforcing policies is
generally lightweight.
