OWASP BeNeLux 2012: Sandboxing Javascript - Lieven Desmet

'Standard' webpage composition patterns:
  • script tag: full 3rd party integration
  • iframe tag: more robust (+ sandboxed keyword)
Solutions for security:
  • use a secure subset of Javascript (e.g. ADSafe, Facebook JS, etc.)
  • browser sandboxing (e.g. WebJail)
  • Serverside Tranformation of scripts (Google Caja, BrowserShield, etc.)
Risk examples of 3rd party integrations: (research)
  • stale domain names -> re-register & abuse
  • typo squatting: e.g. googlesyndicatio.com (without the 'n') triggered a lot of hits
JSand presentation:
  • prototype
  • aims
    • complete JS mediation
    • backwards compatibility
    • reasonable performance
  • components:
    • policies for 3rd party scripts
    • isolate JS through Google Secure EcmaScript library ("use strict" directive)
    • Proxy wrapper for domain access
    • AST transformations through Uglify lib
    • CORS / UMP headers
    • Serversside JS Proxy
  • nice demo, very early preview.

No comments: