UPDATE: our paper will appear in WWW 2007 in May 2007.
» Download PDF «
BEEP is a simple, novel, and effective method for stopping script injection attacks (cross-site scripting) in web applications.
Motivation
Many web applications publish content from untrusted sources, for example, blog comments. The whole purpose of sites like Blogger, MySpace, and Flickr is to republish content provided by anyone at all. If that content contains a script, the script will be executed in the browser of anyone who visits the site. This is a script injection attack, and it is currently the #1 class of security vulnerabilities being reported today.
To prevent script injection, many web applications filter user content for scripts. However, due to browser incompatibilities, the desire for browsers to render even malformed web pages, and the desire of web applications to allow rich content (typographic styling, etc.), server-side filtering has been problematic. Attacks like the Samy and Yamanner worms were able to use script injection despite server-side filtering.
Our solution
We make two observations.
- The web browser performs perfect script detection. By definition, if the browser does not detect a script, it will not be executed when the browser renders the page.
- The web application developer knows exactly what scripts are needed to run the application.
Therefore, our idea is for the web application to tell the browser what scripts are allowed to run, in the form of a policy embedded in each web page, and for the browser to enforce the policy as it detects scripts in the page. We call this BEEP, for Browser-Enforced Embedded Policies.
Our paper describes the difficulties of server-side filtering, BEEP, and our implementation in much greater detail:
Defeating Script Injection Attacks with Browser-Enforced Embedded Policies, by Trevor Jim, Nikhil Swamy, and Michael Hicks. 16th International World Wide Web Conference, May 8-12, 2007. » PDF available from WWW2007 site «
An earlier version of the paper appeared as a technical report:
Defeating Script Injection Attacks with Browser-Enforced Embedded Policies, by Trevor Jim, Nikhil Swamy, and Michael Hicks. Technical Report CS-TR-4835, Department of Computer Science, University of Maryland, November 2, 2006. » Download PDF «
We have also made our browser modifications and test cases available. Get them » here «.