Waiting for CSP – Securing Legacy Web Applications with JSAgents

  • Mario Heiderich
  • Marcus NiemietzEmail author
  • Jörg Schwenk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9326)


Markup Injection (MI) attacks, ranging from classical Cross-Site Scripting (XSS) and DOMXSS to Scriptless Attacks, pose a major threat for web applications, browser extensions, and mobile apps. To mitigate MI attacks, we propose JSAgents, a novel and flexible approach to defeat MI attacks using DOM meta-programming. Specifically, we enforce a security policy on the DOM of the browser at a place in the markup processing chain “just before” the rendering of the markup. This approach has many advantages: Obfuscation has already been removed from the markup when it enters the DOM, mXSS attack vectors are visible, and, last but not least, the (client-side) protection can be individually tailored to fit the needs of web applications.

JSAgents policies look similar to CSP policies, and indeed large parts of CSP can be implemented with JSAgents. However, there are three main differences: (1) Contrary to CSP, the source code of legacy web applications needs not be modified; instead, the policy is adapted to the application. (2) Whereas CSP can only apply one policy to a complete HTML document, JSAgents is able, through a novel cascading enforcement, to apply different policies to each element in the DOM; this property is essential in dealing with JavaScript event handlers and URIs. (3) JSAgents enables novel features like coarse-grained access control: e.g. we may block read/write access to HTML form elements for all scripts, but human users can still insert data (which may be interesting for password and PIN fields).


JSAgents Content Security Policy (CSP) Attack Vectors JavaScript Event Handler Markup 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Supplementary material


  1. 1.
    Klein, A.: DOM based cross site scripting or XSS of the third kind (2005).
  2. 2.
    Heiderich, M., Schwenk, J., Frosch, T., Magazinius, J., Yang, E.Z.: mxss attacks: attacking well-secured web-applications by using innerhtml mutations. In: CCS (2013)Google Scholar
  3. 3.
    Heiderich, M., Frosch, T., Jensen, M., Holz, T.: Crouching tiger - hidden payload: security risks of scalable vector graphics. In: Proceedings of the 18th ACM conference on Computer and Communications Security, pp. 239–250. ACM (2011)Google Scholar
  4. 4.
    Heiderich, M., Niemietz, M., Schuster, F., Holz, T., Schwenk, J.: Scriptless attacks-stealing the pie without touching the sill. In: ACM Conference on Computer and Communications Security (CCS) (2012)Google Scholar
  5. 5.
    Stone, P.: Pixel perfect timing attacks with html5.
  6. 6.
    Sterne, B., Barth, A.: Content security policy 1.0,” W3C, Candidate Recommendation, November 2012.
  7. 7.
    Barth, A., Veditz, D., West, M.: Content security policy 1.1, w3c editor’s draft 12 November 2013.
  8. 8.
    Barth, A.: HTTP State Management Mechanism, RFC 6265 (Proposed Standard), Internet Engineering Task Force, April 2011.
  9. 9.
    Hickson, I.: Html living standard - last updated 21 february 2014.
  10. 10.
    Ross, D.: IE8 XSS Filter design philosophy in-depth, April 2008.
  11. 11.
    Bates, D., Barth, A., Jackson, C.: Regular expressions considered harmful in client-side XSS filters. In: Proceedings of the 19th International Conference on World Wide Web, ser. WWW 2010, pp. 91–100. ACM, New York (2010).
  12. 12.
    Zuchlinski, G.: The anatomy of cross site scripting. Hitchhiker’s World 8, November 2003Google Scholar
  13. 13.
    Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Johns, M.: Code injection vulnerabilities in web applications - exemplified at cross-site scripting. Ph.D. dissertation, University of Passau, Passau, July 2009Google Scholar
  15. 15.
    Gebre, M., Lhee, K., Hong, M.: A robust defense against content-sniffing xss attacks. In: 2010 6th International Conference on Digital Content, Multimedia Technology and its Applications (IDC), pp. 315–320. IEEE (2010)Google Scholar
  16. 16.
    Saxena, P., Molnar, D., Livshits, B.: SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications. In: Proceedings of the 18th ACM conference on Computer and communications security, pp. 601–614. ACM (2011)Google Scholar
  17. 17.
    Gourdin, B., Soman, C., Bojinov, H., Bursztein, E.: Toward secure embedded web interfaces. In: Proceedings of the Usenix Security Symposium (2011)Google Scholar
  18. 18.
    Gundy, M.V., Chen, H.: Noncespaces: using randomization to defeat cross-site scripting attacks. Comput. Secur. 31(4), 612–628 (2012)CrossRefGoogle Scholar
  19. 19.
    Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: NDSS. The Internet Society (2009)Google Scholar
  20. 20.
    Louw, M.T., Venkatakrishnan, V.N.: Blueprint: robust prevention of cross-site scripting attacks for existing browsers. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, ser. SP 2009, pp. 331–34. IEEE Computer Society, Washington, DC (2009).
  21. 21.
    Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R., Song, D.: A systematic analysis of XSS sanitization in web application frameworks. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 150–171. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  22. 22.
    Nava, E.V., Lindsay, D.: Abusing Internet Explorer 8’s XSS Filters.
  23. 23.
    Zalewski, M.: Browser Security Handbook, July 2010.
  24. 24.
    Zalewski, M.: The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, San Francisco (2011)Google Scholar
  25. 25.
    Bug 29278: XSSAuditor bypasses from
  26. 26.
    Heiderich, M.: Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (2012).
  27. 27.
    Hooimeijer, P., Livshits, B., Molnar, D., Saxena, P., Veanes, M.: Fast and precise sanitizer analysis with bek. In: Proceedings of the 20th USENIX Conference On Security, ser. SEC 2011, p. 1. USENIX Association, Berkeley (2011).
  28. 28.
    Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: De-Cloaking internet malware. In: Proceedings IEEE Symposium on Security & Privacy (2012)Google Scholar
  29. 29.
    Nava, E.V.: ACS - active content signatures. PST\_WEBZINE\_0X04, no. 4, December 2006Google Scholar
  30. 30.
    Di Paola, S.: Preventing xss with data binding.
  31. 31.
    Heiderich, M., Frosch, T., Holz, T.: IceShield: detection and mitigation of malicious websites with a frozen DOM. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 281–300. Springer, Heidelberg (2011) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License (, which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  • Mario Heiderich
    • 1
  • Marcus Niemietz
    • 1
    Email author
  • Jörg Schwenk
    • 1
  1. 1.Horst Görtz Institute for IT-SecurityRuhr-University BochumBochumGermany

Personalised recommendations