
On the Integrity of Cross-Origin JavaScripts

  • Jukka Ruohonen
  • Joonas Salovaara
  • Ville Leppänen
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 529)

Abstract

The same-origin policy is a fundamental part of the Web. Despite the restrictions imposed by the policy, embedding of third-party JavaScript code is allowed and commonly used. Nothing is guaranteed about the integrity of such code. To tackle this deficiency, solutions such as the subresource integrity standard have been recently introduced. Given this background, this paper presents the first empirical study on the temporal integrity of cross-origin JavaScript code. According to the empirical results based on a ten day polling period of over 35 thousand scripts collected from popular websites, (i) temporal integrity changes are relatively common; (ii) the adoption of the subresource integrity standard is still in its infancy; and (iii) it is possible to statistically predict whether a temporal integrity change is likely to occur. With these results and the accompanying discussion, the paper contributes to the ongoing attempts to better understand security and privacy in the current Web.

Keywords

Same-origin, Cross-domain, Remote inclusion, Subresource integrity


Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. Department of Future Technologies, University of Turku, Turku, Finland
