CISPA

Assessing the Impact of Script Gadgets on CSP at Scale

Conference contribution
Posted on 2023-11-29, 18:12, authored by Sebastian Roth, Michael Backes, Ben Stock
The Web, as one of the core technologies of modern society, has profoundly changed the way we interact with people and data through social networks or full-fledged office Web applications. One of the worst attacks on the Web is Cross-Site Scripting (XSS), in which an attacker is able to inject their malicious JavaScript code into a Web application, giving this code full access to the victimized site. To mitigate the impact of markup injection flaws that cause XSS, support for the Content Security Policy (CSP) is nowadays shipped in all browsers. Deploying such a policy enables a Web developer to whitelist from where script code can be loaded, essentially constraining the capabilities of the attacker to only be able to execute injected code from said whitelist. As recently shown by Lekies et al., injecting script markup is not a necessary prerequisite for a successful attack in the presence of so-called script gadgets. These small snippets of benign JavaScript code transform non-script markup contained in a page into executable JavaScript, opening the door for bypasses of a deployed CSP. Especially in combination with CSP's logic in handling redirected resources, script gadgets enable attackers to bypass an otherwise secure policy. In this paper, we therefore ask the question: is deploying CSP in a secure fashion even possible without a priori knowledge of all files hosted on even a partially trusted origin?

To answer this question, we investigate the severity of the findings of Lekies et al., showing real-world Web sites on which, even in the presence of CSP and without code containing such gadgets being added by the developer, an attacker can sideload libraries with known script gadgets, as long as the hosting site is whitelisted in the CSP. In combination with the aforementioned redirect logic, this enables us to bypass 10% of otherwise secure CSPs in the wild. To further answer our main research question, we conduct a hypothetical what-if analysis. Doing so, we automatically generate sensible CSPs for all of the Top 10,000 sites and show that around one-third of all sites would still be susceptible to a bypass through script gadget sideloading due to heavy reliance on third parties which also host such libraries.

History

Preferred Citation

Sebastian Roth, Michael Backes and Ben Stock. Assessing the Impact of Script Gadgets on CSP at Scale. In: ACM ASIA Conference on Computer and Communications Security (AsiaCCS). 2020.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

ACM ASIA Conference on Computer and Communications Security (AsiaCCS)

Legacy Posted Date

2019-11-17

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_2987,
  title     = "Assessing the Impact of Script Gadgets on CSP at Scale",
  author    = "Roth, Sebastian and Backes, Michael and Stock, Ben",
  booktitle = "{ACM ASIA Conference on Computer and Communications Security (AsiaCCS)}",
  year      = "2020",
}
