Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Issue title: Web Application Security – Web @ 25
Guest editors: Lieven DesmetGuest Editor, Martin JohnsGuest Editor, Benjamin LivshitsGuest Editor and Andrei SabelfeldGuest Editor
Article type: Research Article
Authors: Heiderich, M.; * | Niemietz, M. | Schuster, F. | Holz, T. | Schwenk, J.
Affiliations: Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Bochum, Germany
Correspondence: [*] Corresponding author. E-mail: [email protected].
Abstract: Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the members of security community worldwide. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing both causes and effects of XSS vulnerabilities. As a result, an adversary often can no longer inject or even execute arbitrary scripting code in several real-life scenarios. In this article, we examine an attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs to execute JavaScript or similar functionality to perform attacks aiming for information theft. The surprising result is that an attacker can abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images, or font files. Having employed several case studies, we discuss so called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well-protected websites. More precisely, we show that an attacker can use seemingly benign features to build side-channel attacks that measure and exfiltrate almost arbitrary data displayed on a given webpage. We conclude this article with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a detached view or a pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
Keywords: Web security, cross-site scripting, information leakage, browser security, cake and pastries, scriptless attacks
DOI: 10.3233/JCS-130494
Journal: Journal of Computer Security, vol. 22, no. 4, pp. 567-599, 2014
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
[email protected]
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office [email protected]
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
如果您在出版方面需要帮助或有任何建, 件至: [email protected]