Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Friday, August 23 • 3:50pm - 4:20pm
Sandboxing Javascript


The inclusion of third-party scripts in web pages is a common practice. In this talk, we report on a large-scale crawl of more than three million pages of the top 10,000 Alexa sites, and identify the trust relationships of these sites with their library providers. The study illustrates that more than half of the Alexa top 10,000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.
Furthermore, we give an overview of current techniques to sandbox third-party JavaScript, and mitigate the risks of including untrusted scripts. The overview ranges from state-of-practice techniques towards novel approaches from academia. As part of the overview, we discuss JavaScript subsets and server-side transformation techniques such as AdSafe and Google CAJA, modified browser environments such as WebJail and ConScript, and client-side security architectures. 
In particular, we focus on JavaScript security architectures on top of the Same-Origin Policy, CSP and sandboxed iframes, and client-side sandboxing techniques such as TreeHouse and JSand. 
JSand is a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox. 
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well. 
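The mediation the abstract describes (a sandbox written in plain JavaScript that enforces a server-specified policy on an included script, with no browser modification) can be sketched with an ES Proxy membrane. This is an added illustration, not JSand's own code; the `hostWindow`, `hostDocument` and the `policy` format are constructed stand-ins so the example runs outside a browser.

```javascript
// Constructed stand-ins for the page's host objects (no real DOM here).
const hostDocument = {
  cookie: 'session=abc123',
  title: 'Demo page',
  location: { href: 'https://example.invalid/' },
};
const hostWindow = { document: hostDocument, location: hostDocument.location };

// Server-specified policy (constructed format): property names the included
// script may read or write on any host object it reaches.
const policy = {
  read: new Set(['document', 'title', 'location', 'href']),
  write: new Set(['title']),
};

// Membrane: every property access on a host object is checked against the
// policy, and any object handed back is wrapped again, so the included script
// never holds a raw reference to the host. Denied accesses are logged.
function wrap(target, pol, log) {
  if (target === null || typeof target !== 'object') return target;
  return new Proxy(target, {
    get(obj, prop) {
      if (!pol.read.has(String(prop))) {
        log.push(`denied read ${String(prop)}`);
        return undefined;
      }
      return wrap(obj[prop], pol, log);
    },
    set(obj, prop, value) {
      if (!pol.write.has(String(prop))) {
        log.push(`denied write ${String(prop)}`);
        return true; // swallow the write; a strict-mode script would throw on false
      }
      obj[prop] = value;
      return true;
    },
  });
}

// Run the untrusted source with `window` and `document` shadowed by wrapped
// versions. Note: this only mediates the objects we pass in; cutting off every
// other route to the real global object (the hard part of a complete sandbox)
// is deliberately out of scope for this sketch.
function runSandboxed(source, pol) {
  const log = [];
  const fn = new Function('window', 'document', `'use strict'; ${source}`);
  const result = fn(wrap(hostWindow, pol, log), wrap(hostDocument, pol, log));
  return { result, log };
}
```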

Speakers
Lieven Desmet

Research Manager, iMinds-DistriNet-KU Leuven
Lieven Desmet is Research Manager on Software Security at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in the security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is a board member of the OWASP Belgium Chapter.
Nick Nikiforakis

Nick Nikiforakis is a final-year PhD candidate at KU Leuven, Belgium. Nick's main interest is the exploration of large-scale web ecosystems from a security and privacy point of view. In previous work, he has analyzed, among others, referrer-anonymizing services [8], file-hosting services [5] and remote JavaScript inclusions [6]. Nick has also presented some of his work at European hacking conferences (AthCon, Brucon...


Friday August 23, 2013 3:50pm - 4:20pm
Großer Saal