Cross-Site Script Inclusion: a study of mitigation strategies and current vulnerability prevalence in browsers
Abstract
Cross-Site Script Inclusion (XSSi) is a little-known vulnerability that exploits the attachment of cookies to cross-origin requests. This work presents an evaluation of the behavior of the SameSite cookie attribute across recent versions of different browsers and its impact on the exploitation of Cross-Site Script Inclusion. Experiments were conducted to verify whether cookies are attached to cross-origin requests in various browsers. The main strategy proposed to mitigate the XSSi vulnerability is the correct configuration of the SameSite attribute by the application developer. The results show that this strategy for combating Cross-Site Script Inclusion is effective, as it presents fewer points of failure. Additionally, it was concluded that there is no standard implementation of the same-origin policy and of SameSite across current browsers: their behavior diverges regarding cookie attachment in cross-origin requests.
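The following Python model is an added example, not code from the paper or from any browser; it illustrates the decision the abstract is about: whether a session cookie travels on a cross-site `<script src>` request, depending on the cookie's SameSite value. The sites `app.example` and `other-site.example`, the cookie names and the `lax_by_default` switch (which stands in for the browser-dependent treatment of a cookie that carries no SameSite attribute) are constructed assumptions. It places the weak `Set-Cookie` configuration beside the corrected one and shows that only `Lax` or `Strict` keeps the cookie off a cross-site script include regardless of browser default.

```python
"""Model of the SameSite cookie-attachment decision for cross-site requests (added example)."""
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool = False
    samesite: Optional[str] = None  # "Strict", "Lax", "None", or absent (None)


@dataclass(frozen=True)
class Request:
    initiator_site: str                 # registrable domain of the page that triggered the request
    target_site: str                    # registrable domain of the request URL
    scheme: str = "https"
    method: str = "GET"
    top_level_navigation: bool = False  # True for a link click or form submit; False for <script src>, <img>, fetch


def set_cookie_header(cookie: Cookie) -> str:
    """Render the Set-Cookie line a server would emit for this cookie."""
    parts = [f"{cookie.name}={cookie.value}", "HttpOnly", "Path=/"]
    if cookie.secure:
        parts.append("Secure")
    if cookie.samesite is not None:
        parts.append(f"SameSite={cookie.samesite}")
    return "; ".join(parts)


def cookie_attached(cookie: Cookie, req: Request, lax_by_default: bool) -> bool:
    """Decide whether the browser sends `cookie` on `req`.

    `lax_by_default` models the browser-dependent handling of a cookie with no
    SameSite attribute: some engines treat it as Lax, others as unrestricted.
    """
    if cookie.secure and req.scheme != "https":
        return False                    # Secure cookies never travel over plain HTTP
    if req.initiator_site == req.target_site:
        return True                     # same-site requests always carry the cookie
    mode = cookie.samesite
    if mode is None:                    # attribute absent: behaviour depends on the browser
        mode = "Lax" if lax_by_default else "Unrestricted"
    if mode == "Strict":
        return False                    # never sent cross-site
    if mode == "Lax":
        # sent cross-site only on top-level navigations with a safe method
        return req.top_level_navigation and req.method in SAFE_METHODS
    if mode == "None":
        return cookie.secure            # SameSite=None is only honoured together with Secure
    return True                         # legacy unrestricted behaviour


def script_include_carries_cookie(cookie: Cookie, lax_by_default: bool = True) -> bool:
    """Constructed XSSi scenario: a page on other-site.example embeds
    <script src="https://app.example/api/data.js">. Returns True when the
    app.example session cookie would be attached to that cross-site request."""
    req = Request(initiator_site="other-site.example", target_site="app.example",
                  method="GET", top_level_navigation=False)
    return cookie_attached(cookie, req, lax_by_default)


if __name__ == "__main__":
    configs = {
        "weak (SameSite=None)": Cookie("session", "s3cr3t", secure=True, samesite="None"),
        "unset (browser default)": Cookie("session", "s3cr3t", secure=True),
        "corrected (SameSite=Lax)": Cookie("session", "s3cr3t", secure=True, samesite="Lax"),
        "corrected (SameSite=Strict)": Cookie("session", "s3cr3t", secure=True, samesite="Strict"),
    }
    for label, c in configs.items():
        print(f"{label:28} {set_cookie_header(c)}")
        for default in (False, True):
            sent = script_include_carries_cookie(c, lax_by_default=default)
            print(f"    lax_by_default={default!s:5} cookie on cross-site script include: {sent}")
```

The "unset" row is the one the abstract's browser divergence concerns: the same application is exposed or not depending purely on which browser default applies, which is why setting the attribute explicitly has fewer points of failure than relying on the default.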
