OWASP AppSec Research 2013

The inclusion of third-party scripts in web pages is a common practice. In this talk, we report on a large-scale crawl of more than three million pages of the top 10,000 Alexa sites, and identify the trust relationships of these sites with their library providers. The study illustrates that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website. 
Furthermore, we give an overview of current techniques to sandbox third-party JavaScript, and mitigate the risks of including untrusted scripts. The overview ranges from state-of-practice techniques towards novel approaches from academia. As part of the overview, we discuss JavaScript subsets and server-side transformation techniques such as AdSafe and Google CAJA, modified browser environments such as WebJail and ConScript, and client-side security architectures. 
In particular, we focus on JavaScript security architectures on top of the Same-Origin Policy, CSP and sandboxed iframes, and client-side sandboxing techniques such as TreeHouse and JSand. 
JSand is a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox. 
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.