Thursday, May 31, 2012

Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM

Awesome paper written by Mario Heiderich

Abstract

The Internet has developed into an exchange medium for a wide range of transactions involving personal and sensitive data - while still relying on simple plain-text protocols such as the Hyper Text Transfer Protocol (HTTP). The user agents and browsers capable of requesting and rendering information and transaction results gained complexity, extended the list of provided features to gratify the needs of their users and slowly morphed from simple document renderers into complex operating-system-like information brokers.

With complexity comes complication and complication often yields security problems and conflicts of interest. The Internet - because of its essential role in various use cases - became a highly anticipated playground for criminals, helping them to generate illegitimate profit and damage with good chances for anonymity and timely delivery of their malicious intents. Attacks are carried out in numerous ways and to almost arbitrary extent, including compromised servers and networks, attacks against website users and their browsers, information disclosure, denial of service attacks and Phishing.

A lot of these activities and attacks occur on a specific playground: the user agents and browsers. This work is dedicated to elaborating on these types of attacks, thoroughly discussing the anatomy and specifics of client-side attacks delivered via the Internet and similar media. Furthermore, this work discusses existing mitigation and attack prevention techniques and outlines obvious as well as less obvious weaknesses and bypass strategies. Ultimately, this thesis introduces a novel way of encountering and approaching web based browser and user agent targeted attacks and provides a lever to thrive towards elimination of scripting web attacks and web malware while being in harmony with the latest draft specification additions to ECMA Script 6 (ES6). This is accomplished by defining a technique we call pre-flight inspection (PFI) and combining it with ECMA Script 5 (ES5) object sealing to control and limit DOM object capabilities to be able to expose a trusted and attack resilient document interface retaining interoperability with modern Rich Internet
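To illustrate the ES5 object-sealing half of the approach the abstract describes, here is an added JavaScript example; it is not code from the thesis or from any implementation of PFI. It uses a constructed document-like object as a stand-in for the browser DOM (an assumption made so the example runs in Node without a browser) and shows how exposing only a whitelisted set of capabilities and then freezing the resulting interface stops later scripts from redefining, extending or deleting what trusted code relies on. The `probeTampering` helper is hypothetical, written only to report the effect of such attempts.

```javascript
// Added illustration of ES5 object sealing as a capability control on a
// DOM-like interface. Not code from the thesis; the document-like object
// below is a constructed stand-in for the browser DOM so this runs in Node.

// Constructed minimal document-like object with the usual mutable,
// extensible shape of a plain JavaScript object.
function makeUntrustedDocument() {
  const nodes = [];
  return {
    createElement(tag) {
      const el = { tag: String(tag), attrs: {} };
      nodes.push(el);
      return el;
    },
    getElementById(id) {
      return nodes.find((n) => n.attrs.id === id) || null;
    },
    nodeCount() {
      return nodes.length;
    },
  };
}

// Capability control: expose only the whitelisted methods through fresh
// closures, then freeze the wrapper. A frozen object is non-extensible and
// every own property is non-writable and non-configurable (ES5
// Object.freeze), so later scripts cannot redefine, add or delete what
// trusted code sees; withheld methods are simply absent from the wrapper.
function makeTrustedDocument(doc, allowed) {
  const trusted = {};
  for (const name of allowed) {
    if (typeof doc[name] !== 'function') {
      throw new Error('unknown capability: ' + name);
    }
    trusted[name] = (...args) => doc[name](...args);
  }
  return Object.freeze(trusted);
}

// Hypothetical probe: attempts the three moves an injected script might make
// against the interface (overwrite a method, add a method, delete a method)
// and reports, from the object's actual state afterwards, which took effect.
// Checking state rather than catching errors keeps the result the same in
// strict mode (where failed writes throw) and sloppy mode (where they fail
// silently).
function probeTampering(target) {
  const original = target.createElement;
  try { target.createElement = () => 'hijacked'; } catch (e) { /* TypeError in strict mode */ }
  try { target.write = () => 'injected'; } catch (e) { /* same */ }
  try { delete target.createElement; } catch (e) { /* same */ }
  const has = (k) => Object.prototype.hasOwnProperty.call(target, k);
  return {
    frozen: Object.isFrozen(target),
    redefined: target.createElement !== original,
    extended: has('write'),
    deleted: !has('createElement'),
  };
}

// Side-by-side comparison of the raw object and the frozen, whitelisted one.
const rawDocument = makeUntrustedDocument();
const trustedDocument = makeTrustedDocument(makeUntrustedDocument(), ['createElement', 'getElementById']);
console.log('raw object after tampering:    ', probeTampering(rawDocument));
console.log('frozen wrapper after tampering:', probeTampering(trustedDocument));
```

The wrapper forwards calls through closures rather than exposing the underlying object, so freezing it limits what a script can reach without making the stand-in document itself immutable; in a browser the same idea would be applied to the real DOM interfaces, which this example does not attempt.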

Download PDF: http://heideri.ch
