CSP Synthesis
Chiarot, Giacomo
2019/2020
Abstract
Cross-Site Scripting (XSS) is a widespread web vulnerability that allows an attacker to inject code into a web page, fully compromising it. Content-Security-Policy (CSP) is a security mechanism that limits the effects of XSS attacks. However, it is hard to configure and, for this reason, it is not widely adopted. For the same reason, many real policies in the wild are misconfigured. In this thesis we present a Chrome extension for semi-automatically generating and enforcing CSP while navigating the web. We analyze the generated policies to check that the extension does not break navigation while enforcing the security of users surfing the Web. The extension is useful both for end users and for developers, since it is able to build a policy that can be permanently included in a new website.
https://hdl.handle.net/20.500.14247/1714