Title :
A Protection Scheme against the Attacks Deployed by Hiding the Violation of the Same Origin Policy
Author_Institution :
Dept. Electron. & Inf. Engr., Hosei Univ., Tokyo
Abstract :
As interactive asynchronous JavaScript and XML (AJAX) based Web 2.0 applications increase, a new breed of attacks has appeared that deploys its payloads by hiding a violation of the same origin policy (the policy that forbids scripts and similar content downloaded from different web pages from accessing each other's pages). This paper presents a scheme for protecting against those attacks. The scheme produces two tokens, indicating respectively the origin and target pages of an HTTP request, and two checksums of a Web page, computed respectively when the page contains no injected malicious code and when it is received by the browser. A mismatch between the tokens or between the checksums indicates a same origin violation. To reduce the scheme's performance overhead, this matching is performed only when a request originating from a page with no submission form contains suspicious keywords. We analyze the protection potential, security, and performance overhead of our scheme.
Keywords :
Internet; Java; XML; hypermedia; security of data; HTTP request; Javascript; Web 2.0; Web page; XML; attack protection; interactive AJAX; violation hiding; Electronic mail; Information security; Java; Payloads; Performance analysis; Protection; Protocols; Web pages; Web server; XML; AJAX; Cross-Site Scripting (XSS); HTTP; HTTP-cookie; hashing; same origin policy;
Conference_Titel :
Emerging Security Information, Systems and Technologies, 2008. SECURWARE '08. Second International Conference on
Conference_Location :
Cap Esterel
Print_ISBN :
978-0-7695-3329-2
Electronic_ISBN :
978-0-7695-3329-2
DOI :
10.1109/SECURWARE.2008.24