• DocumentCode
    2809219
  • Title

    A Protection Scheme against the Attacks Deployed by Hiding the Violation of the Same Origin Policy

  • Author

    Takesue, Masaru

  • Author_Institution
    Dept. Electron. & Inf. Engr., Hosei Univ., Tokyo
  • fYear
    2008
  • fDate
    25-31 Aug. 2008
  • Firstpage
    133
  • Lastpage
    138
  • Abstract
    As interactive asynchronous Javascript and XML (AJAX) based Web 2.0 applications increase, a new breed of attacks has appeared that deploy their payloads through hiding the violation of the same origin policy (that enforces the scripts and the like downloaded from different web pages to never access each other's page). This paper presents a scheme for protecting against those attacks. The scheme produces two tokens indicating respectively the origin and target pages of an HTTP request and two checksums of a Web page produced respectively when it has no injected malicious code and when it is received by the browser. A mismatch between the tokens or between the checksums indicates a same origin violation. To reduce the scheme's performance overhead, this matching is performed only when a request originated from a page with no submission form has suspicious keywords. We analyze the protection potential, security, and performance overhead of our scheme.
  • Keywords
    Internet; Java; XML; hypermedia; security of data; HTTP request; Javascript; Web 2.0; Web page; XML; attack protection; interactive AJAX; violation hiding; Electronic mail; Information security; Java; Payloads; Performance analysis; Protection; Protocols; Web pages; Web server; XML; AJAX; Cross-Site Scripting (XSS); HTTP; HTTP-cookie; hashing; same origin policy;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Emerging Security Information, Systems and Technologies, 2008. SECURWARE '08. Second International Conference on
  • Conference_Location
    Cap Esterel
  • Print_ISBN
    978-0-7695-3329-2
  • Electronic_ISBN
    978-0-7695-3329-2
  • Type

    conf

  • DOI
    10.1109/SECURWARE.2008.24
  • Filename
    4622573