• DocumentCode
    3023171
  • Title

    Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves

  • Author

    Barth, Adam ; Caballero, Juan ; Song, Dawn

  • Author_Institution
    UC Berkeley, Berkeley, CA, USA
  • fYear
    2009
  • fDate
    17-20 May 2009
  • Firstpage
    360
  • Lastpage
    371
  • Abstract
    Cross-site scripting defenses often focus on HTML documents, neglecting attacks involving the browser´s content-sniffing algorithm, which can treat non-HTML content as HTML. Web applications, such as the one that manages this conference, must defend themselves against these attacks or risk authors uploading malicious papers that automatically submit stellar self-reviews. In this paper, we formulate content-sniffing XSS attacks and defenses. We study content-sniffing XSS attacks systematically by constructing high-fidelity models of the content-sniffing algorithms used by four major browsers. We compare these models with Web site content filtering policies to construct attacks. To defend against these attacks, we propose and implement a principled content-sniffing algorithm that provides security while maintaining compatibility. Our principles have been adopted, in part, by Internet Explorer 8 and, in full, by Google Chrome and the HTML 5 working group.
  • Keywords
    hypermedia markup languages; online front-ends; security of data; Google Chrome; HTML 5 working group; HTML documents; Internet Explorer 8; Web browsers; Web site content filtering policies; content-sniffing XSS attacks; cross-site scripting defenses; secure content sniffing; Algorithm design and analysis; Conference management; HTML; Information filtering; Internet; Page description languages; Privacy; Risk management; Security; Wikipedia; Content-Sniffing; Cross-Site Scripting; MIME; Security; Web;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy, 2009 30th IEEE Symposium on
  • Conference_Location
    Berkeley, CA
  • ISSN
    1081-6011
  • Print_ISBN
    978-0-7695-3633-0
  • Type

    conf

  • DOI
    10.1109/SP.2009.3
  • Filename
    5207656