Analyzing Information Flow in JavaScript-Based Browser Extensions

Dhawan, Mohan; Ganapathy, Vinod

doi:10.1109/acsac.2009.43

Cited by 104 publications

(68 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In a line of work to secure JavaScript in browser extensions, Dhawan and Ganapathy [8] develop Sabre, a system for tracking the flow of JavaScript objects as they are passed through the browser subsystems. Bandhakavi, et al [2] propose a static analysis tool, VEX, for analyzing Firefox extensions for security vulnerabilities.…”

Section: Resultsmentioning

confidence: 99%

May I? - Content Security Policy Endorsement for Browser Extensions

Hausknecht

Magazinius

Sabelfeld

2015

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract. Cross-site scripting (XSS) vulnerabilities are among the most prevailing problems on the web. Among the practically deployed countermeasures is a"defense-in-depth" Content Security Policy (CSP) to mitigate the e↵ects of XSS attacks. However, the adoption of CSP has been frustratingly slow. This paper focuses on a particular roadblock for wider adoption of CSP: its interplay with browser extensions. We report on a large-scale empirical study of all free extensions from Google's Chrome web store that uncovers three classes of vulnerabilities arising from the tension between the power of extensions and CSP intended by web pages: third party code inclusion, enabling XSS, and user profiling. We discover extensions with over a million users in each vulnerable category. With the goal to facilitate a wider adoption of CSP, we propose an extension-aware CSP endorsement mechanism between the server and client. A case study with the Rapportive extensions for Firefox and Chrome demonstrates the practicality of the approach.

show abstract

Section: Resultsmentioning

confidence: 99%

May I? - Content Security Policy Endorsement for Browser Extensions

Hausknecht

Magazinius

Sabelfeld

2015

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

show abstract

“…This research has aimed to develop, then to use, flexible and efficient systems that satisfy non-interference properties. For instance, this research effectively supports promising uses of dynamic information-flow control in Web browsers [5,8,12,21]. This research is often clever and intricate-so we do not attempt to give a complete description here, but we focus on some of the intricacies below.…”

Section: Static and Dynamic Language-based Information-flow Controlmentioning

confidence: 99%

A Functional View of Imperative Information Flow

Austin

Flanagan

Abadi

2012

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…Djeric and Goel [19] investigate different classes of privilege-escalation vulnerabilities found in Firefox extensions, and propose a tainting-based system to detect them. Similarly, Dhawan and Ganapathy [20] propose SABRE, a framework for dynamically tracking in-browser information flows to detect when a JavaScript extension attempts to compromise browser security. Guha et al [21] propose IBEX, a framework for extension authors to develop extensions with verifiable access control policies, and for curators to detect policy-violating extensions through static analysis.…”

Section: Related Workmentioning

confidence: 99%