Securing Third-party Web Resources Using Subresource Integrity Automation

Ronak N. Shah, Kailas R. Patil

Abstract


Using Content Delivery Networks (CDNs) to host files such as scripts and stylesheets that are shared among multiple sites can improve site performance and conserve bandwidth. However, using CDNs also comes with a risk: if an attacker gains control of a CDN, the attacker can inject arbitrary malicious content into files on the CDN and thus can also potentially attack all sites that fetch files from that CDN. Internet security and awareness of it is an often discussed topic these days. The diversity and the potential of current web browser applications have increased greatly in recent years. With this, the way the security of such web pages is presented to users has changed as well. In order to avoid cross-site scripting attacks, we need to authenticate the resources that we fetch from a CDN.

This work addresses these cross-site scripting attacks and measures to avoid them. The Subresource Integrity (SRI) feature, announced as a W3C Recommendation on the 23rd of June 2016, is still not implemented by the majority of users. This work makes it easier even for a novice user to use the SRI mechanism to protect himself/herself from different kinds of security breaches.
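To make the SRI mechanism concrete, the following is an added example (not code from the paper or its tool) of both halves of the scheme: the publisher-side automation that computes an integrity token for a third-party resource and rewrites the page's tags, and the browser-side check that rejects a resource whose bytes no longer match. The CDN URL and the resource bytes are constructed sample values embedded inline so the script runs offline.

```python
import base64
import hashlib
import re

# Constructed sample resource: the bytes a CDN would serve for this URL, embedded
# inline so the example runs offline (a real tool would fetch it over HTTPS).
SAMPLE_RESOURCES = {
    "https://cdn.example.com/lib.js": b"window.lib = {version: '1.0'};\n",
}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # the only algorithms SRI allows
TAG_RE = re.compile(r'<(script|link)\b([^>]*?)\s(src|href)="(https?://[^"]+)"([^>]*)>', re.I)


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI token, e.g. 'sha384-<base64 digest>', for resource bytes."""
    if algo not in STRENGTH:
        raise ValueError("SRI only permits sha256, sha384 and sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Browser-side check: among the tokens in an integrity attribute, keep only
    those using the strongest listed algorithm, and accept if any one matches."""
    tokens = [t for t in integrity.split() if t.split("-", 1)[0] in STRENGTH]
    if not tokens:
        return False
    best = max(STRENGTH[t.split("-", 1)[0]] for t in tokens)
    return any(sri_hash(content, t.split("-", 1)[0]) == t
               for t in tokens if STRENGTH[t.split("-", 1)[0]] == best)


def add_integrity(html: str, fetch=SAMPLE_RESOURCES.__getitem__) -> str:
    """Publisher-side automation: add integrity and crossorigin attributes to every
    absolute-URL <script>/<link> tag that lacks them. `fetch` maps URL -> bytes."""
    def repl(m):
        tag, before, attr, url, after = m.groups()
        if "integrity=" in (before + after).lower():
            return m.group(0)          # already pinned; leave it untouched
        token = sri_hash(fetch(url))
        return (f'<{tag}{before} {attr}="{url}" '
                f'integrity="{token}" crossorigin="anonymous"{after}>')
    return TAG_RE.sub(repl, html)


if __name__ == "__main__":
    page = '<script src="https://cdn.example.com/lib.js"></script>'
    print(add_integrity(page))
```

If the CDN later serves different bytes for the same URL, `verify_sri` returns False and a browser would refuse to execute the resource, which is the protection the abstract describes.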


Copyright © IJETT, International Journal on Emerging Trends in Technology