Proceedings of the 16th International Conference on World Wide Web 2007
DOI: 10.1145/1242572.1242654

Defeating script injection attacks with browser-enforced embedded policies

Abstract: Web sites that accept and display content such as wiki articles or comments typically filter the content to prevent injected script code from running in browsers that view the site. The diversity of browser rendering algorithms and the desire to allow rich content make filtering quite difficult, however, and attacks such as the Samy and Yamanner worms have exploited filtering weaknesses. This paper proposes a simple alternative mechanism for preventing script injection called Browser-Enforced Embedded Policies…

Cited by 201 publications (172 citation statements)
References 17 publications
“…XSS Web Application attack mechanisms can be detected indirectly by comparing posted URL to black-listed sites [36], by identifying typical XSS coding patterns [37]. The detection and prevention of XSS attack are difficult because of incomplete implementations, inherent limitations, the complexity of development frameworks and the requirement for run-time compatibility [38].…”
Section: Fig 1 The Difference Between False Negative And False Positive
Citation type: mentioning
confidence: 99%
“…As for JavaScript, several techniques have been proposed (Nentwich et al., 2007; Yu et al., 2007; Jim et al., 2007; Dhawan and Ganapathy, 2009; Chudnov and Naumann, 2010; Jang et al., 2010), such as client-side or server-side solutions to prevent history sniffing, disable unknown scripts, signed scripts, program instrumentation and dynamic taint propagation and checking. Some of these solutions can be implemented in proxies and others require the modification of Web browser source code.…”
Section: Privacy Solutions For Application Layer
Citation type: mentioning
confidence: 99%
“…Alternative proposals to the analysis and filtering of web content on either server- or client-based proxies, such as [18,26,25], try to eliminate the need for intermediate elements by proposing strategies for the enforcement of the runtime context of the end-point, i.e., the web browser.…”
Section: Runtime Enforcement Of Web Browsers
Citation type: mentioning
confidence: 99%