Escudo para Aplicações Web contra injeção de Conteúdo através de Content Security Policy
Main author: | Vitor Emanuel Freitas Oliveira Magano |
---|---|
Publication date: | 2015 |
Document type: | Dissertation |
Language: | por |
Source title: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
Full text: | https://repositorio-aberto.up.pt/handle/10216/90208 |
Abstract: | This MSc thesis topic, focused on security, was proposed by the company JScrambler, which holds the product of the same name, a complete JavaScript protection solution. The company, aware of progress in this area, found the Content Security Policy (CSP) security mechanism an interesting tool worth looking into. Broadly speaking, this tool limits the content that may run on a website to what is declared through CSP, so that any attempt at content injection exceeding what was allowed is blocked and reported to the server. Alongside this tool comes the heavy workload required for its configuration and maintenance, which demands proper attention to avoid more serious problems, such as downtime, that can be caused by misconfigured policies or poor maintenance. To solve this problem, a solution was proposed to ease the workload by generating CSP policies through code analysis. In a first stage, an analysis was made of the area, covering several JavaScript protection methods among which the subject falls, in order to understand their current status and evaluate the feasibility of the proposal. This analysis compared several existing tools in the areas of protection and code analysis, and compared tools for CSP generation with the solution to be developed. The solution was proposed and its future development planned in light of all the research performed. Its great advantage over the other tools is full integration with the project, which comes from the analysis of the code and enables the generation of suitable and appropriate CSP policies. The project planning took into account the adoption of the agile development methodology SCRUM with two-week iterations, which will be adopted in the next phase of the project, the conception phase of the proposed solution. It is intended that the solution to be developed will be successful and represent a breakthrough in the use of Content Security Policy as an added value in protecting against content injection attacks. |
id |
RCAP_ed4a2fdc9e545737c6bfe511534ba279 |
---|---|
oai_identifier_str |
oai:repositorio-aberto.up.pt:10216/90208 |
network_acronym_str |
RCAP |
network_name_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository_id_str |
7160 |
author |
Vitor Emanuel Freitas Oliveira Magano |
author_facet |
Vitor Emanuel Freitas Oliveira Magano |
author_role |
author |
dc.contributor.author.fl_str_mv |
Vitor Emanuel Freitas Oliveira Magano |
dc.subject.por.fl_str_mv |
Engenharia electrotécnica, electrónica e informática Electrical engineering, Electronic engineering, Information engineering |
topic |
Engenharia electrotécnica, electrónica e informática Electrical engineering, Electronic engineering, Information engineering |
publishDate |
2015 |
dc.date.none.fl_str_mv |
2015-07-20 2015-07-20T00:00:00Z |
dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
dc.type.driver.fl_str_mv |
info:eu-repo/semantics/masterThesis |
format |
masterThesis |
status_str |
publishedVersion |
dc.identifier.uri.fl_str_mv |
https://repositorio-aberto.up.pt/handle/10216/90208 TID:201322935 |
url |
https://repositorio-aberto.up.pt/handle/10216/90208 |
identifier_str_mv |
TID:201322935 |
dc.language.iso.fl_str_mv |
por |
language |
por |
dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
eu_rights_str_mv |
openAccess |
dc.format.none.fl_str_mv |
application/pdf |
dc.source.none.fl_str_mv |
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação instacron:RCAAP |
instname_str |
Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
instacron_str |
RCAAP |
institution |
RCAAP |
reponame_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
collection |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository.name.fl_str_mv |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |