
JSCSP: Research On XSS Defense Method Based On The Security Policy

Posted on: 2019-10-14
Degree: Master
Type: Thesis
Country: China
Candidate: S H Huang
Full Text: PDF
GTID: 2428330626452402
Subject: Computer technology

Abstract/Summary:
To mitigate XSS (cross-site scripting) attacks, the W3C recommends that web service providers deploy the Content Security Policy (CSP) standard. However, according to Google's survey, less than 3.7% of real-world websites are equipped with CSP. This low adoption stems from the difficulty of deploying CSP and from uneven support across the browsers in use. To improve the deployability of CSP, this thesis proposes a novel XSS defense named JSCSP (JavaScript-based CSP), which supports most real-world browsers and also generates security policies automatically. Specifically, JSCSP offers a self-defined security policy that enforces essential confinements on the related items, including JavaScript functions, DOM elements and data access. JSCSP also has an efficient algorithm that automatically generates the policy directives and enforces them in a cascading way, which is more fine-grained and practical than the functionality provided by CSP. We have implemented JSCSP as a Chrome extension, and our evaluation shows that the extension is compatible with popular JavaScript libraries. Furthermore, the JSCSP extension detects and blocks the tested attack vectors extracted from prevalent web applications, namely WordPress, Drupal, TYPO3, PrestaShop and Typecho. In addition, a separate experiment tests the defense of JSCSP against CSP-bypass attacks; the results show that JSCSP significantly inhibits such attacks. JSCSP outperforms five other XSS defense solutions. It can relieve site administrators' workload and protect user privacy when web applications do not deploy CSP.
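The three ideas the abstract names, a policy generated automatically from what a page is observed to load, directives resolved in a cascading way (per-element override, then page-wide default), and JavaScript-side guards on dangerous sinks such as eval and document.cookie, as an added example. This is not code from the thesis or its Chrome extension; the policy shape, the function names and the sample page data are assumptions made for the illustration, and the window-like object is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example, not code from the JSCSP thesis or its Chrome extension.
// The policy shape, function names and sample data below are assumptions.

// Learning phase: derive the page-wide policy from the script URLs seen
// while the page is loaded in a trusted state.
function generatePolicy(pageOrigin, observedScriptUrls) {
  const scriptOrigins = new Set([pageOrigin]);
  for (const src of observedScriptUrls) {
    scriptOrigins.add(new URL(src, pageOrigin).origin);
  }
  return {
    'script-src': [...scriptOrigins],   // origins scripts may be loaded from
    'allow-eval': false,                // eval()/Function()-style sinks
    'cookie-access': 'deny',            // script access to document.cookie
    elements: {},                       // per-element overrides, keyed by id
  };
}

// Cascading resolution: an element-level directive, if present, wins over
// the page-wide one.
function directive(policy, name, elementId) {
  const local = elementId ? policy.elements[elementId] : undefined;
  return local && name in local ? local[name] : policy[name];
}

// Decide whether a <script src=...> may load in the context of elementId.
// Opaque schemes such as javascript: or data: have the origin "null", so
// they are refused unless explicitly allow-listed.
function isScriptAllowed(policy, src, pageOrigin, elementId) {
  let origin;
  try {
    origin = new URL(src, pageOrigin).origin;
  } catch (e) {
    return false; // unparsable src: fail closed
  }
  return directive(policy, 'script-src', elementId).includes(origin);
}

// Enforcement phase: wrap the sinks on a window-like object. In an
// extension this would be the real window/document; here the caller passes
// a constructed stand-in so the example runs outside a browser.
function installGuards(policy, win) {
  const blocked = []; // [kind, detail] records, kept for reporting
  if (!directive(policy, 'allow-eval')) {
    win.eval = (code) => {
      blocked.push(['eval', String(code)]);
      throw new Error('policy violation: eval is not allowed');
    };
  }
  if (directive(policy, 'cookie-access') === 'deny') {
    Object.defineProperty(win.document, 'cookie', {
      configurable: false,
      get() { blocked.push(['cookie-read', '']); return ''; },
      set(value) { blocked.push(['cookie-write', String(value)]); },
    });
  }
  return blocked;
}

// Constructed sample page: a first-party bundle plus one CDN library.
const PAGE_ORIGIN = 'https://shop.example';
const OBSERVED_SCRIPTS = [
  'https://shop.example/js/app.js',
  'https://cdn.example.net/lib/jquery.min.js',
];

function demo() {
  const policy = generatePolicy(PAGE_ORIGIN, OBSERVED_SCRIPTS);
  // Tighten the comment widget: only first-party scripts may run inside it.
  policy.elements['comment-widget'] = { 'script-src': [PAGE_ORIGIN] };

  // Constructed stand-in for window/document.
  const fakeWindow = { eval: (c) => `ran:${c}`, document: { cookie: 'session=abc123' } };
  const log = installGuards(policy, fakeWindow);
  let evalBlocked = false;
  try { fakeWindow.eval('1+1'); } catch (e) { evalBlocked = true; }

  return {
    cdnAllowedOnPage: isScriptAllowed(policy, 'https://cdn.example.net/x.js', PAGE_ORIGIN),
    cdnAllowedInWidget: isScriptAllowed(policy, 'https://cdn.example.net/x.js', PAGE_ORIGIN, 'comment-widget'),
    attackerBlocked: !isScriptAllowed(policy, 'https://evil.example.org/p.js', PAGE_ORIGIN),
    javascriptUrlBlocked: !isScriptAllowed(policy, 'javascript:alert(1)', PAGE_ORIGIN),
    cookieHidden: fakeWindow.document.cookie === '',
    evalBlocked,
    blockedEvents: log.map(([kind]) => kind),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

In a real extension the guards would have to be installed by a content script that runs before any page script, since a script that has already cached `document.cookie` or a reference to the original `eval` is not confined by a later wrapper; the decision in `isScriptAllowed` is kept as a pure function so a DOM hook (for example one fired on script insertion) can call it with the element it is inspecting.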
Keywords/Search Tags: Cross-site scripting attacks, Content Security Policy, Origin Restriction, JavaScript Sandbox, Cookie Protection