Using Web Application Construction Frameworks To Protect Against Code Injection Attacks

  • Benjamin Livshits ,
  • Úlfar Erlingsson ,
  • Ben Livshits

Workshop on Programming Languages and Analysis for Security (PLAS 2007)

In recent years, the security landscape has changed, with
Web application vulnerabilities becoming more prominent
than vulnerabilities stemming from the lack of type safety,
such as buffer overruns. Many reports point to code injection
attacks such as cross-site scripting and RSS injection as
being the most common attacks against Web applications to
date. With Web 2.0, existing security problems are further
exacerbated by the advent of Ajax technology, which allows
one to create and compose HTML content from different
sources within the browser at runtime, as exemplified by
customizable mashup pages like My Yahoo! or Live.com.
This paper proposes a simple-to-support yet powerful
scheme for eliminating a wide range of script injection
vulnerabilities in applications built on top of popular
Ajax development frameworks such as the Dojo Toolkit,
prototype.js, and AJAX.NET. Unlike other client-side
runtime enforcement proposals, the approach we are advocating
requires only minor browser modifications. This is because
our proposal can be viewed as a natural finer-grained
extension of the same-origin policy for JavaScript already
supported by the majority of mainstream browsers, in which
we treat individual user interface widgets as belonging to
separate domains.
Fortunately, in many cases no changes to the development
process need to take place: for applications built on
top of the frameworks described above, a slight framework modification
will result in appropriate changes in the generated
HTML, completely obviating the need for manual code annotation.
In this paper we demonstrate how these changes
can prevent cross-site scripting and RSS injection attacks using
the Dojo Toolkit, a popular Ajax library, as an example.
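The following is an added illustration of the idea in the abstract, not code from the paper or from the Dojo Toolkit. It models a mashup page as a tree of nodes that each carry a widget-level domain label, a hypothetical framework helper (`renderFeedWidget`) that labels a feed widget's subtree with the feed's origin, and a small reference monitor (`readText`) that applies a same-origin-style check between a running script's label and the node it touches. The host and feed names, the profile text and the feed items are all constructed; the paper's actual HTML annotations and browser changes are not reproduced here.

```javascript
// Added illustration of widget-level origins (not the paper's implementation).
// A page is modelled as a tree of nodes; each node carries the principal
// (domain label) that produced it. Names and labels are constructed.

class PageNode {
  constructor(tag, domain, text = "") {
    this.tag = tag;
    this.domain = domain;   // widget-level principal the node belongs to
    this.text = text;
    this.children = [];
  }
  append(child) {
    this.children.push(child);
    return child;
  }
}

// Finer-grained same-origin rule: a script may touch a node only when the
// node carries the same widget-level domain label as the script itself.
function sameWidgetOrigin(scriptDomain, node) {
  return scriptDomain === node.domain;
}

// Reference monitor standing in for the browser-side check.
function readText(scriptDomain, node) {
  if (!sameWidgetOrigin(scriptDomain, node)) {
    throw new Error(`blocked: script of ${scriptDomain} read ${node.tag} of ${node.domain}`);
  }
  return node.text;
}

// Hypothetical framework helper: renders feed items into a widget whose
// subtree is labelled with the feed's origin when widgetDomains is true,
// and with the host page's origin (the classic behaviour) when it is false.
function renderFeedWidget(page, feedOrigin, items, widgetDomains) {
  const label = widgetDomains ? feedOrigin : page.domain;
  const widget = page.append(new PageNode("div.feed", label));
  for (const item of items) {
    widget.append(new PageNode("li", label, item));
  }
  return widget;
}

// Constructed mashup: a host page with a profile widget and one third-party
// feed. The feed's second item carries markup that would execute as script
// if the feed content were rendered unsanitised.
const HOST = "www.example.com";
const FEED = "feeds.example.net";
const FEED_ITEMS = [
  "Release notes for version 2.0",
  "<script>/* constructed: markup injected via the feed */</script>",
];

function buildPage(widgetDomains) {
  const page = new PageNode("html", HOST);
  const profile = page.append(new PageNode("div.profile", HOST));
  profile.append(new PageNode("span", HOST, "signed in as alice"));
  const feed = renderFeedWidget(page, FEED, FEED_ITEMS, widgetDomains);
  return { page, profile, feed };
}

// Simulates the injected item's script running with the label of the node
// it was rendered into, and reports what it can reach.
function simulateInjectedScript(widgetDomains) {
  const { profile, feed } = buildPage(widgetDomains);
  const scriptDomain = feed.children[1].domain;
  const result = { scriptDomain, ownItem: readText(scriptDomain, feed.children[0]) };
  try {
    result.profile = readText(scriptDomain, profile.children[0]);
  } catch (err) {
    result.profile = "blocked";
  }
  return result;
}

// Without widget-level domains the injected script shares the page's origin
// and can read the profile widget; with them it is confined to its own widget.
console.log(simulateInjectedScript(false));
console.log(simulateInjectedScript(true));
```

Run it with Node; the first line shows the injected item reading the profile text under a page-wide origin, the second shows the same read blocked once the feed widget carries its own label. The point of the model is the one the abstract makes: the framework, not the application author, attaches the label to generated HTML, so no manual annotation is needed.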