Injecting CSP for Fun and Security
Christoph Kerschbaumer, Sid Stamm, Stefan Brunthaler
2016
Abstract
Content Security Policy (CSP) defends against Cross Site Scripting (XSS) by restricting execution of JavaScript to a set of trusted sources listed in the CSP header. A high percentage (90%) of sites among the Alexa top 1,000 that deploy CSP use the keyword unsafe-inline, which permits all inline scripts to run, including attacker-injected scripts, making CSP ineffective against XSS attacks. We present a system that constructs a CSP policy for web sites by whitelisting only the expected content scripts on a site. When deployed, this auto-generated CSP policy can effectively protect a site's visitors from XSS attacks by blocking injected (non-whitelisted) scripts from being executed. While by no means perfect, our system can provide significantly improved resistance to XSS for sites not yet using CSP.
in Harvard Style
Kerschbaumer C., Stamm S. and Brunthaler S. (2016). Injecting CSP for Fun and Security. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 15-25. DOI: 10.5220/0005650100150025
in Bibtex Style
@conference{icissp16,
author={Christoph Kerschbaumer and Sid Stamm and Stefan Brunthaler},
title={Injecting CSP for Fun and Security},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2016},
pages={15-25},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005650100150025},
isbn={978-989-758-167-0},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Injecting CSP for Fun and Security
SN - 978-989-758-167-0
AU - Kerschbaumer C.
AU - Stamm S.
AU - Brunthaler S.
PY - 2016
SP - 15
EP - 25
DO - 10.5220/0005650100150025