安全内容嗅探网络浏览器，或如何阻止文件审查自己

2009 30th IEEE Symposium on Security and Privacy Pub Date : 2009-05-17 DOI:10.1109/SP.2009.3

A. Barth, Juan Caballero, D. Song

{"title":"安全内容嗅探网络浏览器，或如何阻止文件审查自己","authors":"A. Barth, Juan Caballero, D. Song","doi":"10.1109/SP.2009.3","DOIUrl":null,"url":null,"abstract":"Cross-site scripting defenses often focus on HTML documents, neglecting attacks involving the browser's content-sniffing algorithm, which can treat non-HTML content as HTML. Web applications, such as the one that manages this conference, must defend themselves against these attacks or risk authors uploading malicious papers that automatically submit stellar self-reviews. In this paper, we formulate content-sniffing XSS attacks and defenses. We study content-sniffing XSS attacks systematically by constructing high-fidelity models of the content-sniffing algorithms used by four major browsers. We compare these models with Web site content filtering policies to construct attacks. To defend against these attacks, we propose and implement a principled content-sniffing algorithm that provides security while maintaining compatibility. Our principles have been adopted, in part, by Internet Explorer 8 and, in full, by Google Chrome and the HTML 5 working group.","PeriodicalId":161757,"journal":{"name":"2009 30th IEEE Symposium on Security and Privacy","volume":"23 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"118","resultStr":"{\"title\":\"Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves\",\"authors\":\"A. Barth, Juan Caballero, D. Song\",\"doi\":\"10.1109/SP.2009.3\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Cross-site scripting defenses often focus on HTML documents, neglecting attacks involving the browser's content-sniffing algorithm, which can treat non-HTML content as HTML. Web applications, such as the one that manages this conference, must defend themselves against these attacks or risk authors uploading malicious papers that automatically submit stellar self-reviews. In this paper, we formulate content-sniffing XSS attacks and defenses. We study content-sniffing XSS attacks systematically by constructing high-fidelity models of the content-sniffing algorithms used by four major browsers. We compare these models with Web site content filtering policies to construct attacks. To defend against these attacks, we propose and implement a principled content-sniffing algorithm that provides security while maintaining compatibility. Our principles have been adopted, in part, by Internet Explorer 8 and, in full, by Google Chrome and the HTML 5 working group.\",\"PeriodicalId\":161757,\"journal\":{\"name\":\"2009 30th IEEE Symposium on Security and Privacy\",\"volume\":\"23 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2009-05-17\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"118\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2009 30th IEEE Symposium on Security and Privacy\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SP.2009.3\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 30th IEEE Symposium on Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2009.3","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 118

摘要

跨站点脚本防御通常侧重于HTML文档，而忽略了涉及浏览器内容嗅探算法的攻击，该算法可以将非HTML内容视为HTML。Web应用程序(例如管理本次会议的Web应用程序)必须保护自己免受这些攻击，否则作者可能会上传恶意论文，这些论文会自动提交一流的自我评论。在本文中，我们制定了内容嗅探XSS攻击和防御。我们通过构建四种主要浏览器使用的内容嗅探算法的高保真模型，系统地研究了内容嗅探XSS攻击。我们将这些模型与网站内容过滤策略进行比较，以构建攻击。为了防御这些攻击，我们提出并实现了一种原则性的内容嗅探算法，该算法在保持兼容性的同时提供安全性。我们的原则部分被ie8采纳，全部被b谷歌Chrome和HTML 5工作组采纳。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves

Cross-site scripting defenses often focus on HTML documents, neglecting attacks involving the browser's content-sniffing algorithm, which can treat non-HTML content as HTML. Web applications, such as the one that manages this conference, must defend themselves against these attacks or risk authors uploading malicious papers that automatically submit stellar self-reviews. In this paper, we formulate content-sniffing XSS attacks and defenses. We study content-sniffing XSS attacks systematically by constructing high-fidelity models of the content-sniffing algorithms used by four major browsers. We compare these models with Web site content filtering policies to construct attacks. To defend against these attacks, we propose and implement a principled content-sniffing algorithm that provides security while maintaining compatibility. Our principles have been adopted, in part, by Internet Explorer 8 and, in full, by Google Chrome and the HTML 5 working group.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2009 30th IEEE Symposium on Security and Privacy

自引率

0.00%

发文量

期刊最新文献

A Logic of Secure Systems and its Application to Trusted Computing Noninterference for a Practical DIFC-Based Operating System Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments Formally Certifying the Security of Digital Signature Schemes Password Cracking Using Probabilistic Context-Free Grammars