Title: Isolating malicious content scripts of browser extensions

Authors: Kailas Patil

Addresses: Department of Computer Engineering, Vishwakarma Institute of Information Technology (VIIT), Pune, India

Abstract: In recent years, browser extensions gain great popularity among users, as they significantly enhance functionality and improve the usability of web browsers. Browser extensions can have high privileges to access web page content, thus recent browsers, such as Chrome, controls their capabilities with permissions. However, permission control is not effective to control the behaviours of content scripts injected into web sessions. Once injected into victim web sessions, malicious content scripts can perform all sorts of actions in a web application without user's knowledge. Therefore, content scripts pose serious threats to the confidentiality and integrity of web application data. To address this problem, we propose a mechanism, SessionGuard, which isolates content scripts in an isolated environment, called the shadow DOM. With the shadow DOM, SessionGuard provides content scripts an encrypted view of web application data, and controls their access to the original DOM. We have developed a proof-of-concept prototype in the Google Chrome web browser with little effect on normal browsing experience. Our experiments with real-world browser extensions demonstrate the effectiveness of the SessionGuard in protecting the confidentiality and integrity of web application data against malicious content scripts.

Keywords: browser extensions; malicious content scripts; web application integrity; shadow DOM; injection attacks; information privacy; security; integrity.

DOI: 10.1504/IJIPSI.2017.086794

International Journal of Information Privacy, Security and Integrity, 2017 Vol.3 No.1, pp.18 - 37

Received: 14 Dec 2016
Accepted: 15 Mar 2017

Published online: 26 Sep 2017 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article