Data Exfiltration in the Face of CSP

Acker, Steven Van; Hausknecht, Daniel; Sabelfeld, Andrei

doi:10.1145/2897845.2897899

Cited by 13 publications

(12 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…2) Other Work on CSP: Van Acker et al studied the inability of CSP to prevent data leaks and proposed mitigation techniques against specific attack vectors [44]. Hausknecht et al observed that browser extensions may force Web pages into requesting resources which are not whitelisted by their CSP and proposed an endorsement mechanism to solve possible compatibility issues [15].…”

Section: Related Workmentioning

confidence: 99%

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies

Roth

Barron

Calzavara

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies

Roth

Barron

Calzavara

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

“…Van Acker, Hausknecht and Sabelfeld [26] studied the current inability of CSP at preventing data exfiltration attacks. The paper provides empirical evidence that no major web browser implements defenses against data exfiltration in presence of DNS and resource prefetching, even when the strongest content security policy is put in place, and proposes mitigation techniques.…”

Section: Other Work On Cspmentioning

confidence: 99%

Semantics-Based Analysis of Content Security Policy Deployment

2018

View full text Add to dashboard Cite

Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this paper we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of few notable issues, but unfortunately there are several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more rooted into the CSP design.

show abstract

“…shown that data exfiltration is possible in the face of CSP [49]. The usage of forms and links to exfiltrate data has also been studied [65].…”

Section: Data Exfiltration and Communication Previous Research Hasmentioning

confidence: 99%

AutoNav: Evaluation and Automatization of Web Navigation Policies

Eriksson

Sabelfeld

2020

Proceedings of the Web Conference 2020

Self Cite

View full text Add to dashboard Cite

Undesired navigation in browsers powers a significant class of attacks on web applications. In a move to mitigate risks associated with undesired navigation, the security community has proposed a standard that gives control to web pages to restrict navigation. The standard draft introduces a new navigate-to directive of the Content Security Policy (CSP). The directive is currently being implemented by mainstream browsers. This paper is a first evaluation of navigate-to, focusing on security, performance, and automatization of navigation policies. We present new vulnerabilities introduced by the directive into the web ecosystem, opening up for attacks such as probing to detect if users are logged in to other websites or have active shopping carts, bypassing third-party cookie blocking, exfiltrating secrets, as well as leaking browsing history. Unfortunately, the directive triggers vulnerabilities even in websites that do not use the directive in their policies. We identify both specificationand implementation-level vulnerabilities and propose countermeasures to mitigate both. To aid developers in configuring navigation policies, we develop and implement AutoNav 1 , an automated blackbox mechanism to infer navigation policies. AutoNav leverages the benefits of origin-wide policies in order to improve security without degrading performance. We evaluate the viability of navigate-to and AutoNav by an empirical study on Alexa's top 10,000 websites.

show abstract

Data Exfiltration in the Face of CSP

Cited by 13 publications

References 16 publications

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies

Semantics-Based Analysis of Content Security Policy Deployment

AutoNav: Evaluation and Automatization of Web Navigation Policies

Contact Info

Product

Resources

About