European Symposium on Research in Computer Security

Computer Security -- ESORICS 2015 pp 23-42 | Cite as

Waiting for CSP – Securing Legacy Web Applications with JSAgents

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9326)


Markup Injection (MI) attacks, ranging from classical Cross-Site Scripting (XSS) and DOMXSS to Scriptless Attacks, pose a major threat for web applications, browser extensions, and mobile apps. To mitigate MI attacks, we propose JSAgents, a novel and flexible approach to defeat MI attacks using DOM meta-programming. Specifically, we enforce a security policy on the DOM of the browser at a place in the markup processing chain “just before” the rendering of the markup. This approach has many advantages: Obfuscation has already been removed from the markup when it enters the DOM, mXSS attack vectors are visible, and, last but not least, the (client-side) protection can be individually tailored to fit the needs of web applications.

JSAgents policies look similar to CSP policies, and indeed large parts of CSP can be implemented with JSAgents. However, there are three main differences: (1) Contrary to CSP, the source code of legacy web applications needs not be modified; instead, the policy is adapted to the application. (2) Whereas CSP can only apply one policy to a complete HTML document, JSAgents is able, through a novel cascading enforcement, to apply different policies to each element in the DOM; this property is essential in dealing with JavaScript event handlers and URIs. (3) JSAgents enables novel features like coarse-grained access control: e.g. we may block read/write access to HTML form elements for all scripts, but human users can still insert data (which may be interesting for password and PIN fields).


  1. 1.
    Klein, A.: DOM based cross site scripting or XSS of the third kind (2005).
  2. 2.
    Heiderich, M., Schwenk, J., Frosch, T., Magazinius, J., Yang, E.Z.: mxss attacks: attacking well-secured web-applications by using innerhtml mutations. In: CCS (2013)Google Scholar
  3. 3.
    Heiderich, M., Frosch, T., Jensen, M., Holz, T.: Crouching tiger - hidden payload: security risks of scalable vector graphics. In: Proceedings of the 18th ACM conference on Computer and Communications Security, pp. 239–250. ACM (2011)Google Scholar
  4. 4.
    Heiderich, M., Niemietz, M., Schuster, F., Holz, T., Schwenk, J.: Scriptless attacks-stealing the pie without touching the sill. In: ACM Conference on Computer and Communications Security (CCS) (2012)Google Scholar
  5. 5.
    Stone, P.: Pixel perfect timing attacks with html5.
  6. 6.
    Sterne, B., Barth, A.: Content security policy 1.0,” W3C, Candidate Recommendation, November 2012.
  7. 7.
    Barth, A., Veditz, D., West, M.: Content security policy 1.1, w3c editor’s draft 12 November 2013.
  8. 8.
    Barth, A.: HTTP State Management Mechanism, RFC 6265 (Proposed Standard), Internet Engineering Task Force, April 2011.
  9. 9.
    Hickson, I.: Html living standard - last updated 21 february 2014.
  10. 10.
    Ross, D.: IE8 XSS Filter design philosophy in-depth, April 2008.
  11. 11.
    Bates, D., Barth, A., Jackson, C.: Regular expressions considered harmful in client-side XSS filters. In: Proceedings of the 19th International Conference on World Wide Web, ser. WWW 2010, pp. 91–100. ACM, New York (2010).
  12. 12.
    Zuchlinski, G.: The anatomy of cross site scripting. Hitchhiker’s World 8, November 2003Google Scholar
  13. 13.
    Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Johns, M.: Code injection vulnerabilities in web applications - exemplified at cross-site scripting. Ph.D. dissertation, University of Passau, Passau, July 2009Google Scholar
  15. 15.
    Gebre, M., Lhee, K., Hong, M.: A robust defense against content-sniffing xss attacks. In: 2010 6th International Conference on Digital Content, Multimedia Technology and its Applications (IDC), pp. 315–320. IEEE (2010)Google Scholar
  16. 16.
    Saxena, P., Molnar, D., Livshits, B.: SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications. In: Proceedings of the 18th ACM conference on Computer and communications security, pp. 601–614. ACM (2011)Google Scholar
  17. 17.
    Gourdin, B., Soman, C., Bojinov, H., Bursztein, E.: Toward secure embedded web interfaces. In: Proceedings of the Usenix Security Symposium (2011)Google Scholar
  18. 18.
    Gundy, M.V., Chen, H.: Noncespaces: using randomization to defeat cross-site scripting attacks. Comput. Secur. 31(4), 612–628 (2012)CrossRefGoogle Scholar
  19. 19.
    Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: NDSS. The Internet Society (2009)Google Scholar
  20. 20.
    Louw, M.T., Venkatakrishnan, V.N.: Blueprint: robust prevention of cross-site scripting attacks for existing browsers. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, ser. SP 2009, pp. 331–34. IEEE Computer Society, Washington, DC (2009).
  21. 21.
    Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R., Song, D.: A systematic analysis of XSS sanitization in web application frameworks. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 150–171. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  22. 22.
    Nava, E.V., Lindsay, D.: Abusing Internet Explorer 8’s XSS Filters.
  23. 23.
    Zalewski, M.: Browser Security Handbook, July 2010.
  24. 24.
    Zalewski, M.: The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, San Francisco (2011)Google Scholar
  25. 25.
    Bug 29278: XSSAuditor bypasses from
  26. 26.
    Heiderich, M.: Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (2012).
  27. 27.
    Hooimeijer, P., Livshits, B., Molnar, D., Saxena, P., Veanes, M.: Fast and precise sanitizer analysis with bek. In: Proceedings of the 20th USENIX Conference On Security, ser. SEC 2011, p. 1. USENIX Association, Berkeley (2011).
  28. 28.
    Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: De-Cloaking internet malware. In: Proceedings IEEE Symposium on Security & Privacy (2012)Google Scholar
  29. 29.
    Nava, E.V.: ACS - active content signatures. PST\_WEBZINE\_0X04, no. 4, December 2006Google Scholar
  30. 30.
    Di Paola, S.: Preventing xss with data binding.
  31. 31.
    Heiderich, M., Frosch, T., Holz, T.: IceShield: detection and mitigation of malicious websites with a frozen DOM. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 281–300. Springer, Heidelberg (2011) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Mario Heiderich
    • 1
  • Marcus Niemietz
    • 1
  • Jörg Schwenk
    • 1
  1. 1.Horst Görtz Institute for IT-SecurityRuhr-University BochumBochumGermany

Personalised recommendations