Automatic generation of content security policy to mitigate cross site scripting
Content Security Policy (CSP) is powerful client-side security layer that helps in mitigating and detecting wide ranges of web attacks including cross-site scripting (XSS). However, utilizing CSP by site administrators is a fallible process and may require significant changes in web application code...
| Main Authors: | , , |
|---|---|
| Format: | Conference or Workshop Item |
| Language: | English |
| Published: |
IEEE
2016
|
| Online Access: | http://psasir.upm.edu.my/id/eprint/56016/1/Automatic%20generation%20of%20content%20security%20policy%20to%20mitigate%20cross%20site%20scripting.pdf |
| _version_ | 1825931332598890496 |
|---|---|
| author | Mhana, Samer Attallah Din, Jamilah Atan, Rodziah |
| author_facet | Mhana, Samer Attallah Din, Jamilah Atan, Rodziah |
| author_sort | Mhana, Samer Attallah |
| collection | UPM |
| description | Content Security Policy (CSP) is powerful client-side security layer that helps in mitigating and detecting wide ranges of web attacks including cross-site scripting (XSS). However, utilizing CSP by site administrators is a fallible process and may require significant changes in web application code. In this paper, we propose an approach to help site administers to overcome these limitations in order to utilize the full benefits of CSP mechanism which leads to more immune sites from XSS. The algorithm is implemented as a plugin. It does not interfere with the web application original code. The plugin can be 'installed' on any other web application with minimum efforts. The algorithm can be implemented as part of Web Server layer, not as part of the business logic layer. It can be extended to support generating CSP for contents that are modified by JavaScript after loading. Current approach inspects the static contents of URLs. |
| first_indexed | 2024-03-06T09:25:08Z |
| format | Conference or Workshop Item |
| id | upm.eprints-56016 |
| institution | Universiti Putra Malaysia |
| language | English |
| last_indexed | 2024-03-06T09:25:08Z |
| publishDate | 2016 |
| publisher | IEEE |
| record_format | dspace |
| spelling | upm.eprints-560162017-07-03T09:28:26Z http://psasir.upm.edu.my/id/eprint/56016/ Automatic generation of content security policy to mitigate cross site scripting Mhana, Samer Attallah Din, Jamilah Atan, Rodziah Content Security Policy (CSP) is powerful client-side security layer that helps in mitigating and detecting wide ranges of web attacks including cross-site scripting (XSS). However, utilizing CSP by site administrators is a fallible process and may require significant changes in web application code. In this paper, we propose an approach to help site administers to overcome these limitations in order to utilize the full benefits of CSP mechanism which leads to more immune sites from XSS. The algorithm is implemented as a plugin. It does not interfere with the web application original code. The plugin can be 'installed' on any other web application with minimum efforts. The algorithm can be implemented as part of Web Server layer, not as part of the business logic layer. It can be extended to support generating CSP for contents that are modified by JavaScript after loading. Current approach inspects the static contents of URLs. IEEE 2016 Conference or Workshop Item PeerReviewed application/pdf en http://psasir.upm.edu.my/id/eprint/56016/1/Automatic%20generation%20of%20content%20security%20policy%20to%20mitigate%20cross%20site%20scripting.pdf Mhana, Samer Attallah and Din, Jamilah and Atan, Rodziah (2016) Automatic generation of content security policy to mitigate cross site scripting. In: 2016 2nd International Conference on Science in Information Technology (ICSITech), 26-27 Oct. 2016, Balikpapan, Indonesia. (pp. 324-328). 10.1109/ICSITech.2016.7852656 |
| spellingShingle | Mhana, Samer Attallah Din, Jamilah Atan, Rodziah Automatic generation of content security policy to mitigate cross site scripting |
| title | Automatic generation of content security policy to mitigate cross site scripting |
| title_full | Automatic generation of content security policy to mitigate cross site scripting |
| title_fullStr | Automatic generation of content security policy to mitigate cross site scripting |
| title_full_unstemmed | Automatic generation of content security policy to mitigate cross site scripting |
| title_short | Automatic generation of content security policy to mitigate cross site scripting |
| title_sort | automatic generation of content security policy to mitigate cross site scripting |
| url | http://psasir.upm.edu.my/id/eprint/56016/1/Automatic%20generation%20of%20content%20security%20policy%20to%20mitigate%20cross%20site%20scripting.pdf |
| work_keys_str_mv | AT mhanasamerattallah automaticgenerationofcontentsecuritypolicytomitigatecrosssitescripting AT dinjamilah automaticgenerationofcontentsecuritypolicytomitigatecrosssitescripting AT atanrodziah automaticgenerationofcontentsecuritypolicytomitigatecrosssitescripting |