SlideShare a Scribd company logo

パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法

I
inet-lab

This document discusses client-side cross-site scripting (XSS) and defenses against it. It covers different types of client-side XSS, including DOM-based XSS. It also introduces Trusted Types as a new JavaScript API for preventing XSS by limiting where untrusted content can be inserted in the DOM. Trusted Types provides policies for generating safe HTML, URLs, and other data types that help prevent injection of malicious scripts.

Internet
1 of 10
Download to read offline
1
2
3
4
5
6
7
8
9
10
• Web ► • Cross Site Scripting (XSS) ► Web ► Web ► 3 • Client-Side XSS 1
XSS Client-Side XSS • Client-Side XSS ( : DOM Based XSS) [1] 2[1]. IPA, “IPA DOM Based XSS ”, https://www.ipa.go.jp/files/000024729.pdf , 2013
XSS 3 Client-Side XSS [2] HTML XSS Content Security PolicyWeb Application Firewall [2]. Sebastian Lekies, Krzysztof Kotowicz, Samuel Groß, Eduardo A. Vela Nava, Martin Johns, “Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets”, The ACM CCS, 2017 XSS JavaScript
Client-Side XSS • Client-Side XSS ► [3] ► [4] ► [5] ► … etc 4 JavaScript Web [3]. Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, Martin Johns, “Precise Client-side Protection against DOM-based Cross-Site Scripting”, 23rd USENIX Security Symposium, 2014 [4]. Inian Parameshwaran, Enrico Budianto, Shweta Shinde, “Auto-Patching DOM-based XSS At Scale”, Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, pp. 272-283, 2015. [5]. Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, Martin Johns. "Scriptprotect: Mitigating unsafe third-party javascript practices", AsiaCCS, 2019.
Trusted Types • [6] ► Trusted Types 5 $('div').innerHTML = '<img src=/ onerror="alert(10)">' // ERROR const escapePolicy = TrustedTypes.createPolicy('mypolicy', { createHTML: (unsafe) => { return unsafe .replace(/&/g, "&amp;") .replace(/</g, "&lt;") .replace(/>/g, "&gt;") } }) const trustedHTML = escapePolicy.createHTML('<img src=/ onerror="alert(10)">') $('div').innerHTML = trustedHTML // SUCCESS [6]. Krzysztof Kotowicz, Mike West, "Trusted Types", https://wicg.github.io/trusted-types/dist/spec/ Web
Trusted Types • 3 ► ► Web ► DOM • Trusted Types JavaScript ► ► Web Web 6
let trusted = "https://example.co.jp/"; let host = location.host; let hash = location.hash; document.writeln(trusted); // SUCCESS document.writeln(host); // ERROR document.writeln(hash); // ERROR Trusted Types • Trusted Types 2 7 1 Trusted Types let trusted = "https://example.co.jp/"; let host = location.host; let hash = location.hash; document.writeln(trusted); // SUCCESS document.writeln(host); // SUCCESS document.writeln(hash); // ERROR Trusted Types Input Source URL document.location baseURI location.hash documentURI location.search window.location location.href
• OSS JavaScript Web ► V8: 7.7.299.11 ► Chromium: 77.0.3865.90 81 2 let trusted = "https://example.co.jp/"; let host = location.host; let hash = location.hash; document.writeln(trusted); document.writeln(host); document.writeln(hash);
• JavaScript • ► 9 Stock [3] Parameshwaran [4] 1 2 Web × Web Web ( ) 7~17% 5% 1.2% 0.4~1.2% 0.16% - 46.2% 10.9%
• ► Trusted Types • 2 URL ? # 10 2 1269 1.1% )) ( 047 12 4 7 36 36 58

More Related Content

PPTX
Web content security policies
Dhanu Gupta
 
PDF
Protecting Java Microservices: Best Practices and Strategies
Rodrigo Cândido da Silva
 
PDF
CILogon & SciTokens: OIDC/OAuth Federation
jbasney
 
PPTX
Xss attack
Ambuj Kumar
 
PDF
Securing your Movable Type installation
Six Apart KK
 
PPTX
Xss what the heck-!
VodqaBLR
 
PDF
Securing your Node.js App
Dheeraj Joshi
 
PPTX
Cross Site Scripting(XSS)
Nabin Dutta
 
Web content security policies
Dhanu Gupta
 
Protecting Java Microservices: Best Practices and Strategies
Rodrigo Cândido da Silva
 
CILogon & SciTokens: OIDC/OAuth Federation
jbasney
 
Xss attack
Ambuj Kumar
 
Securing your Movable Type installation
Six Apart KK
 
Xss what the heck-!
VodqaBLR
 
Securing your Node.js App
Dheeraj Joshi
 
Cross Site Scripting(XSS)
Nabin Dutta
 

What's hot (20)

PPTX
Cross site scripting
ashutosh rai
 
PDF
Django ws
jvanveen
 
PDF
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
David Johansson
 
PPTX
OWASP Top Ten 2017
chw
 
PDF
[Cluj] CSP (Content Security Policy)
OWASP EEE
 
PDF
Content Security Policy
Ryan LaBouve
 
PDF
Meteor Meets Mallory
Emily Stark
 
PPTX
Ransomware wannacry
rajatpk
 
PPTX
Kenneth simple bitcoinwebsite
Hu Kenneth
 
PDF
Web vulnerabilities
Oleksandr Kovalchuk
 
PDF
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
PDF
Http security response headers
mohammadhosseinrouha
 
PDF
웹 개발을 위해 꼭 알아야하는 보안 공격
선협 이
 
PPTX
Propelling security
Jayant Kumar
 
PPTX
Cyber Security Briefing for Beginners
István Lőrincz
 
PDF
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BSides Delhi
 
PDF
Security Basics For Developers Knowledge
Siva Sankar
 
PPTX
Windows Azure Kick Start - Common Scenarios
Eric D. Boyd
 
PDF
匿名性が気になってZerocashの White Paperを追ってみた #blockchaintokyo
Salvador Masashi Mitsuzawa
 
PDF
Content Security Policy
Austin Gil
 
Cross site scripting
ashutosh rai
 
Django ws
jvanveen
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
David Johansson
 
OWASP Top Ten 2017
chw
 
[Cluj] CSP (Content Security Policy)
OWASP EEE
 
Content Security Policy
Ryan LaBouve
 
Meteor Meets Mallory
Emily Stark
 
Ransomware wannacry
rajatpk
 
Kenneth simple bitcoinwebsite
Hu Kenneth
 
Web vulnerabilities
Oleksandr Kovalchuk
 
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
Http security response headers
mohammadhosseinrouha
 
웹 개발을 위해 꼭 알아야하는 보안 공격
선협 이
 
Propelling security
Jayant Kumar
 
Cyber Security Briefing for Beginners
István Lőrincz
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BSides Delhi
 
Security Basics For Developers Knowledge
Siva Sankar
 
Windows Azure Kick Start - Common Scenarios
Eric D. Boyd
 
匿名性が気になってZerocashの White Paperを追ってみた #blockchaintokyo
Salvador Masashi Mitsuzawa
 
Content Security Policy
Austin Gil
 
Ad

Similar to パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法 (20)

PDF
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
PDF
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
PDF
Appsec XSS Case Study
Mohamed Ridha CHEBBI, CISSP
 
PPTX
Cross Site Scripting (XSS)
Barrel Software
 
PDF
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Krzysztof Kotowicz
 
PPTX
How to React to JavaScript Insecurity
Ksenia Peguero
 
PDF
OWASP SF - Reviewing Modern JavaScript Applications
Lewis Ardern
 
PDF
XSS.pdf
Okan YILDIZ
 
PDF
XSS.pdf
Okan YILDIZ
 
PDF
Secure java script-for-developers
n|u - The Open Security Community
 
PPTX
XSS: From alert(1) to crypto mining malware
Omer Meshar
 
PDF
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
PDF
The Cross Site Scripting Guide
Daisuke_Dan
 
PDF
ClubHack Magazine issue April 2012
ClubHack
 
PPTX
Webinar–Reviewing Modern JavaScript Applications
Synopsys Software Integrity Group
 
DOC
Same Origin Policy Weaknesses
kuza55
 
PPTX
W3 conf hill-html5-security-realities
Brad Hill
 
PDF
XSS Injection Vulnerabilities
Mindfire Solutions
 
PPTX
Web security: Securing untrusted web content at browsers
Phú Phùng
 
PDF
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
Appsec XSS Case Study
Mohamed Ridha CHEBBI, CISSP
 
Cross Site Scripting (XSS)
Barrel Software
 
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Krzysztof Kotowicz
 
How to React to JavaScript Insecurity
Ksenia Peguero
 
OWASP SF - Reviewing Modern JavaScript Applications
Lewis Ardern
 
XSS.pdf
Okan YILDIZ
 
XSS.pdf
Okan YILDIZ
 
Secure java script-for-developers
n|u - The Open Security Community
 
XSS: From alert(1) to crypto mining malware
Omer Meshar
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
The Cross Site Scripting Guide
Daisuke_Dan
 
ClubHack Magazine issue April 2012
ClubHack
 
Webinar–Reviewing Modern JavaScript Applications
Synopsys Software Integrity Group
 
Same Origin Policy Weaknesses
kuza55
 
W3 conf hill-html5-security-realities
Brad Hill
 
XSS Injection Vulnerabilities
Mindfire Solutions
 
Web security: Securing untrusted web content at browsers
Phú Phùng
 
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
Ad

More from inet-lab (6)

PDF
清掃工場における磁気フィンガープリンティングパスマッチングによる 屋内測位手法の性能評価
inet-lab
 
PDF
2022/02 情報基盤システム学(NAIST)の研究室紹介
inet-lab
 
PDF
運行情報と気象情報の畳み込みによるバス到着時刻予測手法の提案と評価
inet-lab
 
PDF
euclides-c mthesis
inet-lab
 
PPTX
shuji-oh master thesis
inet-lab
 
PDF
情報基盤システム学(NAIST)の研究室紹介
inet-lab
 
清掃工場における磁気フィンガープリンティングパスマッチングによる 屋内測位手法の性能評価
inet-lab
 
2022/02 情報基盤システム学(NAIST)の研究室紹介
inet-lab
 
運行情報と気象情報の畳み込みによるバス到着時刻予測手法の提案と評価
inet-lab
 
euclides-c mthesis
inet-lab
 
shuji-oh master thesis
inet-lab
 
情報基盤システム学(NAIST)の研究室紹介
inet-lab
 

Recently uploaded (20)

PPTX
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PPTX
artificialintelligenceai1-copy-210604123353.pptx
b45r14
 
PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PPTX
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
PDF
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
PDF
💰 𝐔𝐊𝐓𝐈 𝐊𝐄𝐌𝐄𝐍𝐀𝐍𝐆𝐀𝐍 𝐊𝐈𝐏𝐄𝐑𝟒𝐃 𝐇𝐀𝐑𝐈 𝐈𝐍𝐈 𝟐𝟎𝟐𝟓 💰
GRAB
 
PDF
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PPTX
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
PPTX
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
 
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
artificialintelligenceai1-copy-210604123353.pptx
b45r14
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
Funds Management Learning Material for Beg
NKKumar16
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
💰 𝐔𝐊𝐓𝐈 𝐊𝐄𝐌𝐄𝐍𝐀𝐍𝐆𝐀𝐍 𝐊𝐈𝐏𝐄𝐑𝟒𝐃 𝐇𝐀𝐑𝐈 𝐈𝐍𝐈 𝟐𝟎𝟐𝟓 💰
GRAB
 
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
Internet___Basics___Styled_ presentation
poonam62133
 

パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法

  • 1. • Web ► • Cross Site Scripting (XSS) ► Web ► Web ► 3 • Client-Side XSS 1
  • 2. XSS Client-Side XSS • Client-Side XSS ( : DOM Based XSS) [1] 2[1]. IPA, “IPA DOM Based XSS ”, https://www.ipa.go.jp/files/000024729.pdf , 2013
  • 3. XSS 3 Client-Side XSS [2] HTML XSS Content Security PolicyWeb Application Firewall [2]. Sebastian Lekies, Krzysztof Kotowicz, Samuel Groß, Eduardo A. Vela Nava, Martin Johns, “Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets”, The ACM CCS, 2017 XSS JavaScript
  • 4. Client-Side XSS • Client-Side XSS ► [3] ► [4] ► [5] ► … etc 4 JavaScript Web [3]. Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, Martin Johns, “Precise Client-side Protection against DOM-based Cross-Site Scripting”, 23rd USENIX Security Symposium, 2014 [4]. Inian Parameshwaran, Enrico Budianto, Shweta Shinde, “Auto-Patching DOM-based XSS At Scale”, Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, pp. 272-283, 2015. [5]. Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, Martin Johns. "Scriptprotect: Mitigating unsafe third-party javascript practices", AsiaCCS, 2019.
  • 5. Trusted Types • [6] ► Trusted Types 5 $('div').innerHTML = '<img src=/ onerror="alert(10)">' // ERROR const escapePolicy = TrustedTypes.createPolicy('mypolicy', { createHTML: (unsafe) => { return unsafe .replace(/&/g, "&amp;") .replace(/</g, "&lt;") .replace(/>/g, "&gt;") } }) const trustedHTML = escapePolicy.createHTML('<img src=/ onerror="alert(10)">') $('div').innerHTML = trustedHTML // SUCCESS [6]. Krzysztof Kotowicz, Mike West, "Trusted Types", https://wicg.github.io/trusted-types/dist/spec/ Web
  • 6. Trusted Types • 3 ► ► Web ► DOM • Trusted Types JavaScript ► ► Web Web 6
  • 7. let trusted = "https://example.co.jp/"; let host = location.host; let hash = location.hash; document.writeln(trusted); // SUCCESS document.writeln(host); // ERROR document.writeln(hash); // ERROR Trusted Types • Trusted Types 2 7 1 Trusted Types let trusted = "https://example.co.jp/"; let host = location.host; let hash = location.hash; document.writeln(trusted); // SUCCESS document.writeln(host); // SUCCESS document.writeln(hash); // ERROR Trusted Types Input Source URL document.location baseURI location.hash documentURI location.search window.location location.href
  • 8. • OSS JavaScript Web ► V8: 7.7.299.11 ► Chromium: 77.0.3865.90 81 2 let trusted = "https://example.co.jp/"; let host = location.host; let hash = location.hash; document.writeln(trusted); document.writeln(host); document.writeln(hash);
  • 9. • JavaScript • ► 9 Stock [3] Parameshwaran [4] 1 2 Web × Web Web ( ) 7~17% 5% 1.2% 0.4~1.2% 0.16% - 46.2% 10.9%
  • 10. • ► Trusted Types • 2 URL ? # 10 2 1269 1.1% )) ( 047 12 4 7 36 36 58