Paper Info
Title
Data Exfiltration in the Face of CSP.
Abstract
Cross-site scripting (XSS) attacks keep plaguing the Web. Supported by most modern browsers, Content Security Policy (CSP) prescribes the browser to restrict the features and communication capabilities of code on a web page, mitigating the effects of XSS. This paper puts a spotlight on the problem of data exfiltration in the face of CSP. We bring attention to the unsettling discord in the security community about the very goals of CSP when it comes to preventing data leaks. As consequences of this discord, we report on insecurities in the known protection mechanisms that are based on assumptions about CSP that turn out not to hold in practice. To illustrate the practical impact of the discord, we perform a systematic case study of data exfiltration via DNS prefetching and resource prefetching in the face of CSP. Our study of the popular browsers demonstrates that it is often possible to exfiltrate data by both resource prefetching and DNS prefetching in the face of CSP. Further, we perform a crawl of the top 10,000 Alexa domains to report on the cohabitance of CSP and prefetching in practice. Finally, we discuss directions to control data exfiltration and, for the case study, propose measures ranging from immediate fixes for the clients to prefetching-aware extensions of CSP.
Year
DOI
Venue
2016
10.1145/2897845.2897899
AsiaCCS
Keywords
Field
DocType
content-security-policy, data exfiltration, DNS prefetching, resource prefetching, large-scale study, web browser
World Wide Web,Internet privacy,Web page,Web browser,Computer security,Computer science,Cross-site scripting,restrict,Content Security Policy,Scripting language,Security community
Conference
ISBN
Citations 
PageRank 
978-1-4503-4233-9
6
0.46
References 
Authors
15
3
Name
Order
Citations
PageRank
Steven Van Acker122711.60
Daniel Hausknecht2271.95
Andrei Sabelfeld32692121.16