DeDacota: Toward preventing server-side XSS via automatic code and data separation

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2013, Pages 1205-1216

  Doupé, Adam ^a   Cui, Weidong ^b   Jakubowski, Mariusz H ^b   Peinado, Marcus ^b   Kruegel, Christopher ^a   Vigna, Giovanni ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b MICROSOFT RESEARCH   (United States)

Author keywords

code and data separation; content security policy; cross site scripting; csp; xss

Indexed keywords

CONTENT SECURITY; CROSS SITE SCRIPTING; CSP; DATA SEPARATION; XSS;

ACCESS CONTROL; APPLICATIONS; COPYRIGHTS; SECURITY SYSTEMS; SEMANTICS; TOOLS; WORLD WIDE WEB;

SEPARATION;

EID: 84889019764     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2508859.2516708     Document Type: Conference Paper

References (50)

1. AKHAWE, D., SAXENA, P., AND SONG, D. Privilege Separation in HTML5 Applications. In Proceedings of the USENIX Security Symposium (USENIX) (2012).
2. ATHANASOPOULOS, E., PAPPAS, V., AND MARKATOS, E. P. Code-Injection Attacks in Browsers Supporting Policies. In Proceedings of the Workshop on Web 2.0 Security and Privacy (W2SP) (2009).
3. BALZAROTTI, D., COVA, M., FELMETSGER, V., JOVANOVIC, N., KIRDA, E., KRUEGEL, C., AND VIGNA, G. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA, 2008).
4. BISHT, P., AND VENKATAKRISHNAN, V. XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks. In Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA) (Paris, France, 2008).
5. blogengine.net - an innovative open source blogging platform. http://www.dotnetblogengine.net, 2013.
6. BlogSA.NET. http://www.blogsa.net/, 2013.
7. BugTracker.NET - Free Bug Tracking. http://ifdefined.com/bugtrackernet. html, 2013.
8. Top in Frameworks - Week beginning Jun 24th 2013. http://trends. builtwith.com/framework, 2013.
9. Chronozoom - A Brief History of the World. http: //chronozoom.cloudapp. net/firstgeneration.aspx, 2013.
10. CUI, W., PEINADO, M., XU, Z., AND CHAN, E. Tracking Rootkit Footprints with a Practical Memory Analysis System. In Proceedings of the USENIX Security Symposium (USENIX) (Bellevue, WA, 2012).
11. CVE DETAILS. Vulnerabilities by Type. http://www.cvedetails.com/ vulnerabilities-by-types.php, 2013.
12. Django. http://djangoproject.com, 2013.
13. GOOGLE. Google AutoEscape for CTemplate. http://code.google.com/p/ ctemplate/.
14. GUNDY, M. V., AND CHEN, H. Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks. In Network and Distributed System Security Symposium (NDSS) (2009).
15. HALLARAKER, O., AND VIGNA, G. Detecting Malicious JavaScript Code in Mozilla. In Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems (ICECCS) (Shanghai, China, 2005).
16. HEIDERICH, M., NIEMIETZ, M., SCHUSTER, F., HOLZ, T., AND SCHWENK, J. Scriptless Attacks: Stealing the Pie Without Touching the Sill. In Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2012).
17. Hoff, J. WebGoat.NET. https://github.com/jerryhoff/WebGoat.NET, 2013.
18. HOOIMEIJER, P., LIVSHITS, B., MOLNAR, D., SAXENA, P., AND VEANES, M. Fast and Precise Sanitizer Analysis with Bek. In Proceedings of the USENIX Security Symposium (USENIX) (2011).
19. HOWARD, M., AND LEBLANC, D. Writing Secure Code, second ed. Microsoft Press, 2003.
20. JIM, T., SWAMY, N., AND HICKS, M. Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In Proceedings of the International World Wide Web Conference (WWW) (2007).
21. JOHNS, M., AND BEYERLEIN, C. SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation. In Proceedings of the ACM Symposium on Applied Computing (SAC) (2007).
22. JOVANOVIC, N., KRUEGEL, C., AND KIRDA, E. Precise Alias Analysis for Static Detection of Web Application Vulnerabilities. In Proceedings of the Workshop on Programming Languages and Analysis for Security (PLAS) (2006).
23. KIRDA, E., KRUEGEL, C., VIGNA, G., AND JOVANOVIC, N. Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks. In Proceedings of the ACM Symposium on Applied Computing (SAC) (2006).
24. KLEIN, A. DOM Based Cross Site Scripting or XSS of the Third Kind. http://www.webappsec.org/projects/articles/071105.shtml, 2005.
25. LIVSHITS, B., AND CHONG, S. Towards Fully Automatic Placement of Security Sanitizers and Declassifiers. In Proceedings of the Symposium on Principles of Programming Languages (POPL) (2013).
26. LIVSHITS, B., AND ERLINGSSON, U. Using Web Application Construction Frameworks to Protect Against Code Injection Attacks. In Proceedings of the Workshop on Programming Languages and Analysis for Security (PLAS) (2007).
27. LIVSHITS, V. B., AND LAM, M. S. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the USENIX Security Symposium (USENIX) (2005).
28. LOUW, M. T., AND VENKATAKRISHNAN, V. BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In Proceedings of the IEEE Symposium on Security and Privacy (2009).
29. MARTIN, M., AND LAM, M. S. Automatic Generation of XSS and SQL Injection Attacks with Goal-Directed Model Checking. In Proceedings of the USENIX Security Symposium (USENIX) (2008).
30. MEYEROVICH, L., AND LIVSHITS, B. ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. In Proceedings of the IEEE Symposium on Security and Privacy (2010).
31. MICROSOFT. ASP.NET. http://www.asp.net/.
32. MICROSOFT RESEARCH. Common Compiler Infrastructure. http://research. microsoft.com/en-us/projects/cci/, 2013.
33. NADJI, Y., SAXENA, P., AND SONG, D. Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense. In Proceeding of the Network and Distributed System Security Symposium (NDSS) (2008).
34. NGUYEN-TUONG, A., GUARNIERI, S., GREENE, D., AND EVANS, D. Automatically Hardening Web Applications Using Precise Tainting. In Proceedings of the IFIP International Information Security Conference (2005).
35. PIETRASZEK, T., AND BERGHE, C. V. Defending against Injection Attacks through Context-Sensitive String Evaluations. In Proceedings of the Symposium on Recent Advances in Intrusion Detection (RAID) (2005).
36. ROBERTSON, W., AND VIGNA, G. Static Enforcement of Web Application Integrity Through Strong Typing. In Proceedings of the USENIX Security Symposium (USENIX) (Montreal, Quebec CA, 2009).
37. Ruby on Rails. http://rubyonrails.org/, 2013.
38. SAMUEL, M., SAXENA, P., AND SONG, D. Context-Sensitive Auto-Sanitization in Web Templating Languages Using Type Qualifiers. In Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2011).
39. SAXENA, P., AKHAWE, D., HANNA, S., MAO, F., MCCAMANT, S., AND SONG, D. A Symbolic Execution Framework for JavaScript. In Proceedings of the IEEE Symposium on Security and Privacy (2010).
40. SAXENA, P., MOLNAR, D., AND LIVSHITS, B. SCRIPTGARD: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications. In Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2011).
41. ScrewTurn Wiki. http://www.screwturn.eu/, 2013.
42. STAMM, S., STERNE, B., AND MARKHAM, G. Reining in the Web with Content Security Policy. In Proceedings of the International World Wide Web Conference (WWW) (2010).
43. SU, Z., AND WASSERMANN, G. The Essence of Command Injection Attacks in Web Applications. In Proceedings of the Symposium on Principles of Programming Languages (POPL) (2006).
44. TRIPP, O., PISTOIA, M., FINK, S. J., SRIDHARAN, M., AND WEISMAN, O. TAJ: Effective Taint Analysis of Web Applications. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (2009).
45. VOGT, P., NENTWICH, F., JOVANOVIC, N., KIRDA, E., KRUEGEL, C., AND VIGNA, G. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceeding of the Network and Distributed System Security Symposium (NDSS) (2007).
46. WASSERMANN, G., AND SU, Z. Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (2007).
47. WEINBERGER, J., BARTH, A., AND SONG, D. Towards Client-side HTML Security Policies. In Proceedings of the USENIX Workshop on Hot Topics in Security (2011).
48. WEINBERGER, J., SAXENA, P., AKHAWE, D., FINIFTER, M., SHIN, R., AND SONG, D. A Systematic Analysis of XSS Sanitization in Web Application Frameworks. In Proceedings of the European Symposium on Research in Computer Security (ESORICS) (Leuven, Belgium, 2011).
49. XIE, Y., AND AIKEN, A. Static Detection of Security Vulnerabilities in Scripting Languages. In Proceedings of the USENIX Security Symposium (USENIX) (2006).
50. YU, F., ALKHALAF, M., AND BULTAN, T. STRANGER: An Automata-based String Analysis Tool for PHP. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS) (2010).