Assessing the Impact of Script Gadgets on CSP at Scale

Authors:

Sebastian Roth,

Michael Backes,

Ben StockAuthors Info & Claims

ASIA CCS '20: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

Pages 420 - 431

https://doi.org/10.1145/3320269.3372201

Published: 05 October 2020 Publication History

Abstract

The Web, as one of the core technologies of modern society, has profoundly changed the way we interact with people and data. One of the worst attacks on the Web is Cross-Site Scripting (XSS), in which an attacker is able to inject their malicious JavaScript code into a Web application, giving this code full access to the victimized site. To mitigate the impact of markup injection flaws that cause XSS, support for the Content Security Policy (CSP) is nowadays shipped in all browsers. Deploying such a policy enables a Web developer to whitelist from where script code can be loaded, essentially constraining the capabilities of the attacker to only be able to execute injected code from the said whitelist. As recently shown by Lekies et al., injecting script markup is not a necessary prerequisite for a successful attack in the presence of so-called script gadgets. These small snippets of benign JavaScript code transform non-script markup contained in a page into executable JavaScript, opening the door for bypasses of a deployed CSP. Especially in combination with CSP's logic in handling redirected resources, script gadgets enable attackers to bypass an otherwise secure policy. In this paper, we, therefore, ask the question: is securely deploying CSP even possible without a priori knowledge of all files hosted on even a partially trusted origin? To answer this question, we investigate the severity of the findings of Lekies et al., showing real-world Web sites on which, even in the presence of CSP and without code containing such gadgets being added by the developer, an attacker can sideload libraries with known script gadgets, as long as the hosting site is whitelisted in the CSP. In combination with CSPs matching logic for redirects, this enables us to bypass 10% of otherwise secure policies in the wild. To further answer our main research question, we conduct a hypothetical what-if analysis. Doing so, we automatically generate sensible CSPs for all of the Top 10,000 sites and show that around one-third of all sites would still be susceptible to a bypass through script gadget sideloading due to heavy reliance on third parties that also host such libraries.

Formats available

You can view the full content in the following formats:

Supplementary Material

MP4 File (3320269.3372201.mp4)

The Web, as one of the core technologies of modern society, has profoundly changed the way we interact with people and data. One of the worst attacks on the Web is XSS, in which an attacker is able to inject their malicious JavaScript code into a Web application, giving this code full access to the victimized site.\r\nTo mitigate the impact of markup injection flaws that cause XSS, support for the CSP is nowadays shipped in all browsers.\r\nHowever, as recently shown injecting script markup is not a necessary prerequisite for a successful attack in the presence of so-called script gadgets.\r\nIn combination with CSPs logic in handling redirected resources, script gadgets enable attackers to bypass an otherwise secure policy. In this paper, we, therefore, ask the question: is securely deploying CSP even possible without a priori knowledge of all files hosted on even a partially trusted origin?

Download
225.63 MB

References

[1]

A. Barth. RFC 6454. Online at https://www.ietf.org/rfc/rfc6454.txt, 2011.

Abstract

Formats available

Supplementary Material

References

Cited By

Index Terms

Recommendations

Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

CSP & Co. Can Save Us from a Rogue Cross-Origin Storage Browser Network! But for How Long?

Comments

Affiliations