In recent years, the security landscape has changed, with Web applications vulnerabilities becoming more prominent that vulnerabilities stemming from the lack of type safety, such as buffer overruns. Many reports point to code injection attacks such as cross-site scripting and RSS injection as being the most common attacks against Web applications to date. With Web 2.0 existing security problems are further exacerbated by the advent of Ajax technology that allows one to create and compose HTML content from different sources within the browser at runtime, as exemplified by customizable mashup pages like My Yahoo! or Live.com. This paper proposes a simple to support, yet a powerful scheme for eliminating a wide range of script injection vulnerabilities in applications built on top of popular Ajax development frameworks such as the Dojo Toolkit, prototype.js, and AJAX.NET. Unlike other client-side runtime enforcement proposals, the approach we are advocating requires only minor browser modifications. This is because our proposal can be viewed as a natural finer-grained extension of the same-origin policy for JavaScript already supported by the majority of mainstream browsers, in which we treat individual user interface widgets as belonging to separate domains. Fortunately, in many cases no changes to the development process need to take place: for applications that are built on top of frameworks described above, a slight framework modification will result in appropriate changes in the generated HTML, completely obviating the need for manual code annotation. In this paper we demonstrate how these changes can prevent cross-site scripting and RSS injection attacks using the Dojo Toolkit, a popular Ajax library, as an example. |