Abstract
Using attacks on the client-side context, an attacker can gain control over the target application as it runs in the user's browser. This allows the attacker to steal the user's sensitive information and to manipulate the user's actions; from the Web application's point of view, these actions are indistinguishable from legitimate user actions. In this chapter, we investigate three ways of attacking the client-side context. The first is cross-site scripting (XSS), a very common and well-known attack in which the attacker injects JavaScript into the target application's context. Second, we discuss scriptless attacks, which take the idea behind XSS but use non-scripting technology to extract data or modify the application's behavior. Finally, we investigate the dangers of remote script inclusions, which are ubiquitous on the Web but prone to compromise.
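The XSS case the abstract names, injecting attacker-controlled data into the application's context, comes down to where untrusted data lands in the page. The following is an added example, not code from the chapter or its authors: one untrusted value rendered into three client-side sinks (HTML text, a string literal inside an inline script, and an href), each with an unprotected and a protected template, plus two small checks that show whether the payload survived. It runs under Node; the templates, payloads and the placeholder base URL in safeUrl are constructed for the demo.

```javascript
'use strict';
// Added example, not code from the chapter: the same untrusted value
// rendered into three client-side sinks. Encoding that is correct for one
// context does nothing for another, and an href needs validation rather
// than encoding. Templates and payloads are constructed for the demo.

// Encoder for HTML text and quoted-attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for a JavaScript string literal: \uXXXX-escape every character
// outside a small allow-list, so quotes, backslashes, newlines and
// "</script>" can neither end the literal nor end the script block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// An href is a URL, not text: reject anything that is not http(s).
// The base URL is a placeholder used only to resolve relative links.
function safeUrl(u) {
  try {
    const parsed = new URL(String(u), 'https://example.invalid/');
    return ['http:', 'https:'].includes(parsed.protocol) ? String(u) : '#';
  } catch (e) {
    return '#';
  }
}

// Sink 1: HTML text.
function greetingUnsafe(name) { return `<p>Hello ${name}</p>`; }
function greetingSafe(name)   { return `<p>Hello ${escapeHtml(name)}</p>`; }

// Sink 2: a string literal inside an inline script.
function inlineScriptUnsafe(name) { return `<script>var user = "${name}";</script>`; }
function inlineScriptSafe(name)   { return `<script>var user = "${escapeJsString(name)}";</script>`; }

// Sink 3: an href. HTML-encoding alone leaves javascript: URLs intact.
function linkUnsafe(url) { return `<a href="${escapeHtml(url)}">home</a>`; }
function linkSafe(url)   { return `<a href="${escapeHtml(safeUrl(url))}">home</a>`; }

// Check 1: list tag names in the output that the template did not emit.
function injectedTags(html, allowed) {
  const names = [...html.matchAll(/<\s*\/?\s*([a-z][a-z0-9]*)/gi)]
    .map((m) => m[1].toLowerCase());
  return names.filter((t) => !allowed.includes(t));
}

// Check 2: execute the inline script body with a recording alert() and
// report whether attacker code ran and what value `user` ended up with.
// Node-only harness for the demo; never evaluate untrusted input like this.
function runInlineScript(html) {
  const body = html.replace(/^<script>/, '').replace(/<\/script>$/, '');
  const calls = [];
  const user = new Function('alert', body + '\nreturn user;')((m) => calls.push(m));
  return { alertCalled: calls.length > 0, user };
}

if (typeof require !== 'undefined' && require.main === module) {
  const tagPayload = '<img src=x onerror=alert(1)>';
  const jsPayload = '";alert("xss");//';
  console.log(greetingUnsafe(tagPayload), '->', injectedTags(greetingUnsafe(tagPayload), ['p']));
  console.log(greetingSafe(tagPayload), '->', injectedTags(greetingSafe(tagPayload), ['p']));
  console.log(runInlineScript(inlineScriptUnsafe(jsPayload)));
  console.log(runInlineScript(inlineScriptSafe(jsPayload)));
  console.log(linkUnsafe('javascript:alert(1)'), '|', linkSafe('javascript:alert(1)'));
}
```

The point of the third sink is the caveat practitioners most often miss: escapeHtml is the right encoder for an attribute value, yet `href="javascript:alert(1)"` is perfectly well-formed HTML, so the scheme has to be checked before the value is encoded. The same separation applies to the script sink: HTML-encoding a value that ends up inside a string literal does not stop `";alert(...)` from ending the literal, while the JavaScript-string encoder neutralises both that and a `</script>` breakout.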
© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns
De Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Attacks on the Client-Side Context. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12225-0
Online ISBN: 978-3-319-12226-7