Title: Moving target defense against cross-site scripting
Abstract: A method, in a server, implementing a moving target defense against cross-site scripting includes receiving a request for a web page, wherein the server has N versions of the web page each with a mutated version of JavaScript; selecting a web page of the N versions; and sending an indication of the mutated version of JavaScript associated with the web page in response to the request. Another method, in a client device, using a moving target defense against cross-site scripting includes requesting a web page; receiving an indication of a mutated version of JavaScript for the web page; and adjusting a JavaScript interpreter based on the mutated version of JavaScript for the web page.
Publication number: US9154492 (B2); Publication date: 2015.10.06
Application number: US201414497562; Filing date: 2014.09.26
Applicant: The University of North Carolina at Charlotte; Inventors: Chu Bei-Tseng; Portner Joe; Kerr Joel; Al-Shaer Ehab
Classification: H04L29/06; H04L29/08; G06F21/12; G06F21/51; Main classification: H04L29/06
Agent: Clements Bernard PLLC; Attorneys: Clements Bernard PLLC; Bernard Christopher L.; Baratta, Jr. Lawrence A.
Main claim: 1. A method, in a server, implementing a moving target defense against cross-site scripting, the method comprising: creating N versions of a web page, mutated off-line to avoid run time penalties by changing only one or more lexical tokens that are a left parenthesis and assignment operator which are used to manipulate behavior or state within JavaScript to provide a mutated version of JavaScript, with the one or more lexical tokens selected based on use in malicious JavaScript attacks; receiving a request for the web page, wherein the server has the N versions of the web page each with a mutated version of JavaScript; selecting one web page of the N versions, wherein the web page is randomly reselected and replaced every M minutes; sending an indication of the mutated version of JavaScript associated with the web page in response to the request; and receiving an indication of a violation including JavaScript not conforming to the mutated version of JavaScript associated with the selected web page, wherein the indication includes a page on which the violation occurred, the page's referrer, a resource that violated the page's policy, and a specific directive of the violation.
Address: Charlotte, NC, US
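As an added illustration of the abstract and claim 1 above (example code written for this page, not the patent's or the university's implementation), the following JavaScript models the scheme: the server keeps per-version copies of a page's script in which the left-parenthesis and assignment tokens are replaced, the client maps the indicated version back before parsing, and a script that still uses the standard tokens does not conform to the indicated version and is reported rather than run. The substitute characters, the CSP-style report field names and the un-mutate-before-parse client model are assumptions.

```javascript
// Added example (not the patent's code): a toy model of the claimed scheme.
// Each version swaps the left-parenthesis and assignment tokens for substitutes
// from a constructed pool; the client maps them back before the engine parses.
const SUBSTITUTES = { '(': ['«', '⟨', '⦅'], '=': ['≔', '⇐', '≜'] };

function mutationFor(version) {              // deterministic token map per version
  const k = version % SUBSTITUTES['('].length;
  return { '(': SUBSTITUTES['('][k], '=': SUBSTITUTES['='][k] };
}

// Apply a single-character token table outside string/template literals. A bare
// '=' is rewritten only when it is not part of ==, ===, !=, <=, >= or =>.
// Toy scanner: regex literals and comments are not special-cased.
function rewriteTokens(src, table) {
  let out = '', quote = null;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (quote) {                             // inside a literal: copy verbatim
      out += c;
      if (c === '\\') out += src[++i] ?? '';
      else if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'" || c === '`') { quote = c; out += c; continue; }
    if (c === '=') {
      const prev = src[i - 1] ?? '', next = src[i + 1] ?? '';
      if (table['='] !== undefined && !/[=!<>]/.test(prev) && !/[=>]/.test(next)) {
        out += table['=']; continue;
      }
    } else if (table[c] !== undefined) { out += table[c]; continue; }
    out += c;
  }
  return out;
}
// Server side: versions are built off-line; a request gets one plus its indicator.
function serveScript(src, version) {
  return { version, script: rewriteTokens(src, mutationFor(version)) };
}
// Client side: the "interpreter adjustment" is modelled as un-mutating before parsing.
// A script still containing an original '(' or bare '=' does not conform to the
// indicated version, so it is reported (CSP-style field names assumed), not run.
function clientRun(version, script, entry, ctx) {
  const map = mutationFor(version);
  if (rewriteTokens(script, map) !== script) {
    return { violation: { 'document-uri': ctx.page, referrer: ctx.referrer,
      'blocked-uri': ctx.resource, 'violated-directive': `script-src mutated-js-v${version}` } };
  }
  const inverse = { [map['(']]: '(', [map['=']]: '=' };
  return { value: new Function(rewriteTokens(script, inverse) + '\nreturn ' + entry + ';')() };
}
const PAGE_JS = 'let total = 0; function add(x) { total = total + x; return total; }';
const INJECTED = 'notify(document.title)';   // constructed: standard syntax, not mutated
```

Because each version's tokens differ, an injected script written in standard JavaScript syntax fails the conformance check for whichever version the client was told to expect, and the report carries the page, referrer, resource and directive fields named in claim 1.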