IIIT Hyderabad Publications
Mitigating Web-borne Security Threats by Enhancing Browser Security Policies

Author: Krishna Chaitanya
Date: 2016-05-13
Report no: IIIT/TH/2016/23
Advisor: Venkatesh Choppella

Abstract

The World Wide Web has evolved from a set of simple static pages connected by hyperlinks to a complex platform, to meet the demands of users and businesses. The modern web is characterised by complex operations such as online social networking, content sharing, electronic payments, single sign-on etc. The evolution of web APIs (Application Programming Interfaces) and open data initiatives encouraged developers to build mashups, web applications that integrate data from multiple servers. Data has become the currency on the web, due to which the web has turned into a lucrative target for attackers, a.k.a. cyber criminals. Newer web standards such as HTML5 are evolving and newer versions of browsers are emerging to meet the needs of the modern web. However, the security policies governing the web have not evolved at the same pace. Due to this, the number of vulnerabilities and newer web-based attacks is increasing rapidly. Browsers, being the entry points to the web, are heavily targeted by attackers. One good reason is that the time and effort required to compromise a website through a vulnerability in the application layer is much less than that required at other layers. E.g., to steal certain sensitive data from a web server, it is much easier to inject a small snippet of JavaScript into a vulnerable web page loaded in a browser and exfiltrate the data, than to intercept a connection and break a fairly strong crypto system, or to bypass firewalls and break into the network.

This work attempts to understand the core security policies of web browsers that govern the security and privacy of web interactions. It closely examines a series of client-side web attacks, their existing defenses and deficiencies. It observes the need for novel application-level security frameworks as well as browser security policies in mitigating them. The outcome of the work is twofold. Firstly, it presents a security abstraction layer (as an API library) called “SafeMash”, which helps developers build safe mashups over the current low-level security APIs in HTML5. Secondly and more importantly, it proposes a novel declarative browser security policy called CORP (Cross Origin Request Policy) to mitigate a set of attacks which we refer to as “Web Infiltration attacks”. CORP enables a server to control which site can access which resource on a cross-origin server, and through which browser event.

To evaluate the effectiveness of SafeMash and CORP, several experiments were conducted. The usage of SafeMash was empirically demonstrated by first building an interactive mashup using open APIs from ProgrammableWeb (without using state-of-the-art security mechanisms) and then rebuilding it using SafeMash without losing functionality. To clearly understand the security model of web browsers and its limitations, a corpus of web attacks was developed. The formulation, effectiveness and ease of deployment of CORP were demonstrated based on the insights derived from examining the corpus of web attacks. The design of CORP was formally verified by building a lightweight model in the Alloy model finder. An implementation of CORP was provided as a browser extension for Chrome and evaluated against real-world cross-origin attacks on open source web applications. Our initial investigation revealed that most of the popular websites already segregate their resources in a way which makes deployment of CORP easier.

Full thesis: pdf

Centre for Software Engineering Research Lab