Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Friday, August 23 • 3:50pm - 4:20pm
Sandboxing Javascript

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

The inclusion of third-party scripts in web pages is a common practice. In this talk, we report on a large-scale crawl of more than three million pages of the top 10,000 Alexa sites, and identify the trust relationships of these sites with their library providers. The study illustrates that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website. 
Furthermore, we give an overview of current techniques to sandbox third-party JavaScript, and mitigate the risks of including untrusted scripts. The overview ranges from state-of-practice techniques towards novel approaches from academia. As part of the overview, we discuss JavaScript subsets and server-side transformation techniques such as AdSafe and Google CAJA, modified browser environments such as WebJail and ConScript, and client-side security architectures. 
In particular, we focus on JavaScript security architectures on top of the Same-Origin Policy, CSP and sandboxed iframes, and client-side sandboxing techniques such as TreeHouse and JSand. 
JSand is a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox. 
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well. 

avatar for Lieven Desmet (KU Leuven)

Lieven Desmet (KU Leuven)

Senior Research Manager, KU Leuven
Lieven Desmet is a Senior Research Manager on Software Secure at the imec-DistriNet Research Group (KU Leuven, Belgium), where he coaches researchers in (web) application security and participates in dissemination and valorization activities. His interests are in security of middleware... Read More →
avatar for Nick Nikiforakis

Nick Nikiforakis

Nick Nikiforakis is a final-year PhD candidate in the KU Leuven university, in Belgium. Nick’s main interest is the exploration of large-scale web ecosystems, from a security and privacy point of view. In previous work, he has analyzed, among others, referrer-anonymizing services... Read More →

Friday August 23, 2013 3:50pm - 4:20pm CEST
Großer Saal