Escudo para Aplicações Web contra injeção de Conteúdo através de Content Security Policy

Bibliographic details
Principal author: Vitor Emanuel Freitas Oliveira Magano
Publication date: 2015
Document type: Dissertation (master's thesis)
Language: por
Source title: Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos)
Full text: https://repositorio-aberto.up.pt/handle/10216/90208
Abstract: This MSc thesis topic, focused on security, was proposed by the company JScrambler, which holds the product of the same name and provides a complete JavaScript protection solution. This company, being aware of the progress in this area, found the security mechanism Content Security Policy an interesting tool worth looking into. Broadly speaking, this tool limits the content allowed to run on a website to what is declared through CSP, so that any attempt at content injection exceeding what was allowed is blocked and reported to the server. Along with this tool comes the great workload required for its configuration and maintenance, which demands proper attention to avoid more serious problems, such as downtime, that can be caused by a misconfiguration of policies or by poor maintenance. That said, to solve this problem, the creation of a solution was proposed to ease the workload by generating CSP policies through code analysis. In a first stage, an analysis of the area covering several JavaScript protection methods, in which this subject is inserted, was made in order to understand their current status and to evaluate the feasibility of the proposal. In this analysis, a comparison was conducted between several existing tools in the areas of protection and code analysis, and between tools for the generation of CSP and the solution to be developed. The solution was proposed and its future development planned in light of all the research performed. Its great advantage over the other tools is full integration with the project, which comes from the analysis of the code and will enable the generation of suitable and appropriate CSP policies.

The project planning has taken into account the adoption of the agile development methodology SCRUM with two-week iterations, which will be adopted in the next phase of the project, the conception phase of the proposed solution. It is intended that the solution to be developed will be successful and will represent a breakthrough in the use of Content Security Policy as an added value in protecting against content injection attacks.
id RCAP_ed4a2fdc9e545737c6bfe511534ba279
oai_identifier_str oai:repositorio-aberto.up.pt:10216/90208
network_acronym_str RCAP
network_name_str Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos)
repository_id_str 7160
dc.subject.por.fl_str_mv Engenharia electrotécnica, electrónica e informática
Electrical engineering, Electronic engineering, Information engineering
publishDate 2015
dc.date.none.fl_str_mv 2015-07-20
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/masterThesis
dc.identifier.uri.fl_str_mv https://repositorio-aberto.up.pt/handle/10216/90208
identifier_str_mv TID:201322935
dc.language.iso.fl_str_mv por
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
dc.format.none.fl_str_mv application/pdf
reponame_str Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos)
instname_str Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
instacron_str RCAAP
_version_ 1799135867250409472