Issue No. 09 - Sept. 2011 (vol. 44), pp. 29-36
Hossein Saiedian , University of Kansas
Dan S. Broyles , Sprint Nextel
ABSTRACT
The same-origin policy, a fundamental security mechanism within Web browsers, overly restricts Web application development while creating an ever-growing list of security holes, reinforcing the argument that the SOP is not an appropriate security model.
INDEX TERMS
Security, Web browsers, Web applications, Same-origin policy (SOP), Cross-site request forgery (CSRF), Cross-site scripting (XSS)
CITATION
Hossein Saiedian, Dan S. Broyles, "Security Vulnerabilities in the Same-Origin Policy: Implications and Alternatives", Computer, vol.44, no. 9, pp. 29-36, Sept. 2011, doi:10.1109/MC.2011.226
REFERENCES
1. A. Rubin and D. Geer, "A Survey of Web Security," Computer, Sept. 1998, pp. 34-41.
2. J. Mischel, "Browser Applications and the Same Origin Policy," informIT, 6 Aug. 2010; www.informit.com/guides/content.aspx?g=dotnet&seqNum=809.
3. J. Grossman, "Cross-Site Request Forgery: The Sleeping Giant," WhiteHat Security, July 2007; www.whitehatsec.com/home/assets/WPCSRF072307.pdf.
4. A. Barth, C. Jackson, and J.C. Mitchell, "Robust Defenses for Cross-Site Request Forgery," Proc. 15th ACM Conf. Computer and Communications Security (CCS 08), ACM Press, 2008, pp. 75-87.
5. K. Jayaraman et al., "ESCUDO: A Fine-grained Protection Model for Web Browsers," Proc. IEEE 30th Int'l Conf. Distributed Computing Systems (ICDCS 10), IEEE CS Press, 2010, pp. 231-240.
6. J. Grossman, "Cross-Site Scripting Worms and Viruses: The Impending Threat and the Best Defense," WhiteHat Security, Apr. 2006; http://net-security.org/dl/articles/WHXSSThreats.pdf.
7. C. Karlof et al., "Dynamic Pharming Attacks and Locked Same-Origin Policies for Web Browsers," Proc. 14th ACM Conf. Computer and Communications Security (CCS 07), ACM Press, 2007, pp. 58-71.
8. M. Curphey and R. Arawo, "Web Application Security Assessment Tools," IEEE Security & Privacy, July/Aug. 2006, pp. 32-41.
9. S. Crites, F. Hsu, and H. Chen, "OMash: Enabling Secure Web Mashups via Object Abstractions," Proc. 15th ACM Conf. Computer and Communications Security (CCS 08), ACM Press, 2008, pp. 99-107.
10. T. Schreiber, "Session Riding: A Widespread Vulnerability in Today's Web Applications," SecureNet GmbH, Dec. 2004; www.securenet.de/papers/Session_Riding.pdf.