Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense

Date Added: May 2009
Format: PDF

This paper identifies a class of Web browser implementation vulnerabilities, cross-origin JavaScript capability leaks, which occur when the browser leaks a JavaScript pointer from one security origin to another. The paper devises an algorithm for detecting these vulnerabilities by monitoring the "points-to" relation of the JavaScript heap. The algorithm finds a number of new vulnerabilities in the open-source WebKit browser engine used by Safari. The paper proposes an approach to mitigating this class of vulnerabilities by adding access control checks to browser JavaScript engines. These access control checks are backwards-compatible because they do not alter the semantics of the Web platform. Through an application of the inline cache, the author implements these checks with an overhead of 1-2% on industry-standard benchmarks.
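The two ideas in the abstract, a heap walk that flags pointers crossing an origin boundary and an access control check on property access, as an added toy model written for this entry (not the paper's own tool or WebKit code). It tags objects with the origin that allocated them via a WeakMap, walks the points-to graph from an origin's global object, and wraps objects handed across a boundary in a Proxy that checks the accessor's origin; the origins, property names and the "leaked" pointer are constructed for illustration, and the Proxy stands in for a check the paper places inside the engine.

```javascript
// Origin tag for every object the (modelled) engine allocates.
const originOf = new WeakMap();

// Model the engine allocating an object on behalf of an origin.
function alloc(origin, props = {}) {
  const o = { ...props };
  originOf.set(o, origin);
  return o;
}

// Detection: walk the points-to relation from one origin's global object and
// report every pointer that lands on an object tagged with a different origin.
function findLeaks(globalObj) {
  const home = originOf.get(globalObj);
  const seen = new Set();
  const leaks = [];
  const stack = [[globalObj, 'window']];
  while (stack.length) {
    const [obj, path] = stack.pop();
    if (seen.has(obj)) continue;
    seen.add(obj);
    for (const [key, val] of Object.entries(obj)) {
      if (val === null || typeof val !== 'object') continue;   // only pointers matter
      const target = originOf.get(val);
      if (target !== undefined && target !== home) {
        leaks.push({ path: `${path}.${key}`, from: home, to: target });
        continue;                      // do not descend into the foreign heap
      }
      stack.push([val, `${path}.${key}`]);
    }
  }
  return leaks;
}

// Mitigation: an object crossing an origin boundary is wrapped so that each
// property access is checked against the origin of the code accessing it.
function guard(obj, accessorOrigin) {
  return new Proxy(obj, {
    get(target, key) {
      if (originOf.get(target) !== accessorOrigin) {
        throw new Error(`cross-origin access to ${String(key)} blocked`);
      }
      return target[key];
    },
  });
}

// Constructed scenario: two frames, A and B; a pointer to one of B's objects
// ends up reachable from A's global object (the capability leak).
const A = alloc('https://a.example');
const B = alloc('https://b.example');
B.secret = alloc('https://b.example', { token: 'constructed-value' });
A.helper = alloc('https://a.example');
A.helper.leaked = B.secret;                // simulated leak of B's object into A
const leaks = findLeaks(A);                // [{ path: 'window.helper.leaked', ... }]
```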