Journal: SN Applied Sciences

JSSignature: eliminating third‑party‑hosted JavaScript infection threats using digital signatures


Abstract

Today, third-party JavaScript resources are an indispensable part of the web platform. More than 88% of the world's top websites include at least one JavaScript resource from a remote host. However, there is a great security risk behind using a third-party JavaScript resource: if an attacker can infect one of these remote JavaScript resources, all websites that have included the script would be at risk. In this paper, we present JSSignature, an entirely client-side, pure JavaScript framework for validating third-party JavaScript resources using a digital signature. Therefore, all included JavaScript resources are checked against integrity, authentication and non-repudiation risks before execution. In contrast to existing methods, JSSignature protects web pages regardless of the nature of the third-party resource infection, while it does not set any restrictions on trusted JavaScript providers. This approach has an acceptable one-time performance overhead and is an easily deployable add-in. We have validated the proposed solution by applying tests on an implemented version (https://iasbs.ac.ir/~ansari/jssignature/demo.html). A pre-published version of this paper is available at the arXiv website (https://arxiv.org/pdf/1812.03939.pdf).