Defeating Script Injection Attacks with Browser-Enforced Embedded Policies
Trevor Jim, AT&T Labs Research
Nikhil Swamy, University of Maryland, College Park
Michael Hicks, University of Maryland, College Park
ABSTRACT
Web sites that accept and display content such as wiki articles or comments typically filter the content to prevent injected script code from running in browsers that view the site. The diversity of browser rendering algorithms and the desire to allow rich content make filtering quite difficult, however, and attacks such as the Samy and Yamanner worms have exploited filtering weaknesses. This paper proposes a simple alternative mechanism for preventing script injection called Browser-Enforced Embedded Policies (BEEP). The idea is that a web site can embed a policy in its pages that specifies which scripts are allowed to run. The browser, which knows exactly when it will run a script, can enforce this policy perfectly. We have added BEEP support to several browsers, and built tools to simplify adding policies to web applications. We found that supporting BEEP in browsers requires only small and localized modifications, modifying web applications requires minimal effort, and enforcing policies is generally lightweight.
Categories and Subject Descriptors
K.6.5 [Management of Computing and Information Systems]: Security and Protection—unauthorized access, invasive software
General Terms
Security
Keywords
Script injection, cross-site scripting, web application security
1. INTRODUCTION
Many web sites republish content supplied by their user communities, or by third parties such as advertising networks and search engines. If this republished content contains scripts, then visitors to the site can be exposed to attacks such as cross-site scripting (XSS) [2], and can themselves become participants in attacks on the web site and on others [16]. The standard defense is for the web site to filter or transform any content that does not originate from the
Copyright is held by the International Wo