Waiting for CSP — Securing Legacy Web Applications with JSAgents
Mario Heiderich, Marcus Niemietz, Jörg Schwenk
ESORICS 2015, 20th European Symposium on Research in Computer Security
Markup Injection (MI) attacks, ranging from classical Cross-Site Scripting (XSS) and DOMXSS to Scriptless Attacks, pose a major threat to web applications, browser extensions, and mobile apps. To mitigate them, we propose JSAgents, a novel and flexible approach that defeats MI attacks using DOM meta-programming. Specifically, we enforce a security policy on the DOM of the browser at a place in the markup processing chain “just before” the rendering of the markup. This approach has many advantages: obfuscation has already been removed from the markup when it enters the DOM, mXSS attack vectors are visible, and, last but not least, the (client-side) protection can be individually tailored to fit the needs of web applications.