You are what you include

Authors: Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven Van Acker, Wouter Joosen

DOI: 10.1145/2382196.2382274

Keywords: Web page; Web application; Unobtrusive JavaScript; Computer science; JavaScript; Dynamic web page; Rich Internet application; World Wide Web; Computer security; The Internet; Scripting language; Interactivity

Abstract: JavaScript is used by web developers to enhance the interactivity of their sites, offload work to users' browsers and improve their sites' responsiveness and user-friendliness, making web pages feel and behave like traditional desktop applications. An important feature of JavaScript is the ability to combine multiple libraries from local and remote sources into the same page, under the same namespace. While this enables the creation of more advanced web applications, it also allows a malicious JavaScript provider to steal data from other scripts and from the page itself. Today, when developers include remote JavaScript libraries, they trust that the remote providers will not abuse the power bestowed upon them. In this paper, we report on a large-scale crawl of more than three million pages of the top 10,000 Alexa sites, and identify the trust relationships of these sites with their library providers. We show the evolution of JavaScript inclusions over time and develop a set of metrics in order to assess the maintenance quality of each JavaScript provider, showing that in some cases, top Internet sites trust remote providers that could be successfully compromised by determined attackers and subsequently serve malicious JavaScript. In this process, we identify four previously unknown types of vulnerabilities that attackers could use to attack popular web sites. Lastly, we review some proposed ways of protecting a web application from malicious remote scripts, and show that some of them may not be as effective as previously thought.
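The crawl described in the abstract boils down to one question per page: which third-party hosts are allowed to run code in this page's namespace? The following is an added example, not the paper's crawler or any code from its authors: a static inventory of the `<script src>` inclusions in an HTML document, resolved against the page's own origin, that flags remote scripts a compromised provider could swap out at will. The flagging criterion (remote host, served over plain HTTP, or lacking an `integrity` attribute) is my own choice; Subresource Integrity postdates the paper and is not one of the defences it evaluates. The HTML and the `integrity` digest below are constructed for the example.

```javascript
// Added example (not from the paper): inventory the remote script inclusions
// of a page and flag the ones a compromised provider could replace.
// Assumptions: the HTML has already been fetched; the page origin is supplied
// by the caller; only static <script src=...> tags are considered (inline
// scripts and tags inserted at runtime are out of scope for this check).

const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one record per <script src=...> tag, with the src resolved against
// the page origin so protocol-relative ("//cdn...") and relative ("/js/...")
// URLs are classified correctly.
function scriptInclusions(html, pageOrigin) {
  const page = new URL(pageOrigin);
  const out = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;
    const url = new URL(attrs.src, page);
    out.push({
      src: attrs.src,
      host: url.host,
      remote: url.origin !== page.origin,          // third-party provider?
      https: url.protocol === 'https:',             // tamper-proof in transit?
      integrity: attrs.integrity ?? null,           // SRI pin, if any
    });
  }
  return out;
}

// A remote script is "risky" here if nothing pins its content: either it is
// fetched over plain HTTP (on-path substitution) or it carries no SRI digest
// (the provider itself can serve anything). This criterion is the example's
// own, not a metric from the paper.
function riskyInclusions(html, pageOrigin) {
  return scriptInclusions(html, pageOrigin).filter(
    (s) => s.remote && (!s.https || !s.integrity),
  );
}

// Constructed sample page; the sha384 value is a placeholder, not a real digest.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.example.com/lib/jquery.min.js"></script>
<script src="http://ads.example.net/show_ads.js"></script>
<script src="https://cdn.example.com/lib/widget.js"
        integrity="sha384-constructedPlaceholderDigestNotARealValue"
        crossorigin="anonymous"></script>
</head><body></body></html>`;

const SAMPLE_ORIGIN = 'https://www.example.org/';

for (const s of riskyInclusions(SAMPLE_HTML, SAMPLE_ORIGIN)) {
  console.log(`unpinned remote script: ${s.src} (host ${s.host})`);
}
```

On the sample page the first-party `/js/app.js` is ignored, the pinned HTTPS widget passes, and the two remaining remote scripts are reported. Running this over a crawl gives the per-site provider list the abstract refers to; note that an SRI pin only helps for libraries whose bytes are not expected to change, which is exactly the trade-off a page makes when it prefers a provider's "latest" URL.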
