Attacks on the Client-Side Context

Part of the book series: SpringerBriefs in Computer Science (BRIEFSCOMPUTER)

Abstract

Using attacks on the client-side context, the attacker can gain control over the target application running in the user’s browser. This allows him to steal the user’s sensitive information and manipulate the user’s actions. From the Web application’s point of view, these actions are indistinguishable from legitimate user actions. In this chapter, we investigate three ways of attacking the client-side context. The first is cross-site scripting (XSS), a very common and well-known attack, where the attacker injects JavaScript into the target application’s context. Second, we discuss scriptless attacks, which take the idea behind XSS, but use non-scripting technology to extract data or modify the application’s behavior. Finally, we investigate the dangers of remote script inclusions, which are ubiquitous on the Web, but prone to compromise.

Author information

Corresponding author

Correspondence to Philippe De Ryck.

Copyright information

© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns

About this chapter

Cite this chapter

Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Attacks on the Client-Side Context. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_8

  • DOI: https://doi.org/10.1007/978-3-319-12226-7_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12225-0

  • Online ISBN: 978-3-319-12226-7

  • eBook Packages: Computer Science (R0)
