AutoCSP: Automatically Retrofitting CSP to Web Applications
- 1 May 2015
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE) in 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering
- Vol. 1, 336-346
- https://doi.org/10.1109/icse.2015.53
Abstract
Web applications often handle sensitive user data, which makes them attractive targets for attacks such as cross-site scripting (XSS). Content Security Policy (CSP) is a content-restriction mechanism, now supported by all major browsers, that offers thorough protection against XSS. Unfortunately, simply enabling CSP for an existing web application changes the application's behavior and is likely to break its functionality. To address this issue, we propose AutoCSP, an automated technique for retrofitting CSP to web applications. AutoCSP (1) leverages dynamic taint analysis to identify which content should be allowed to load on the dynamically generated HTML pages of a web application and (2) automatically modifies the server-side code so that it generates those pages with the right permissions. Our evaluation, performed on a set of real-world web applications, shows that AutoCSP can retrofit CSP effectively and efficiently.
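The abstract describes two steps: deciding, from taint information, which content on a generated page the application itself intended, and then emitting the page with a policy that permits only that content. The following Python example is an added illustration of that idea and is not AutoCSP's implementation or code from the paper. It assumes that a taint analysis has already labelled each server-generated HTML fragment as trusted or untrusted (the `Fragment` class and the `tainted` flag are constructed for this example), and it expresses the resulting permissions as CSP hash sources for inline scripts; the abstract does not say which policy form AutoCSP itself emits.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Fragment:
    """One piece of server-generated HTML with a constructed taint label.

    tainted=True models a fragment that a taint analysis traced back to
    untrusted input (request parameters, user-written database rows);
    tainted=False models application-authored template text.
    """
    text: str
    tainted: bool


SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def csp_hash(script_body: str) -> str:
    """Return the CSP source expression for an inline script body.

    The browser hashes the exact text between the <script> tags, so
    whitespace is significant and is hashed as-is.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_scripts(html: str) -> List[str]:
    """Bodies of inline <script> elements; src= scripts have empty bodies and are skipped."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html) if m.group(1) != ""]


def build_policy(fragments: List[Fragment]) -> str:
    """Permit only the inline scripts that occur in untainted fragments."""
    hashes: List[str] = []
    for frag in fragments:
        if frag.tainted:
            continue  # content traced to untrusted input gets no permission
        for body in inline_scripts(frag.text):
            h = csp_hash(body)
            if h not in hashes:
                hashes.append(h)
    return "default-src 'self'; script-src " + " ".join(["'self'"] + hashes)


def render(fragments: List[Fragment]) -> Tuple[str, str]:
    """Assemble the page from its fragments; return (policy header value, html)."""
    return build_policy(fragments), "".join(f.text for f in fragments)


def check_page(policy: str, html: str) -> List[Tuple[str, bool]]:
    """Mimic the browser's hash check: which inline scripts does the policy permit?"""
    script_src = ""
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "script-src":
            script_src = value
    allowed = set(script_src.split())
    return [(body, csp_hash(body) in allowed) for body in inline_scripts(html)]


# Constructed sample page: two template fragments and one fragment built from a
# hypothetical user-supplied comment that the application echoed unescaped.
PAGE = [
    Fragment("<html><head><script>initApp();</script></head><body>", tainted=False),
    Fragment("<p>Comment: <script>injected()</script></p>", tainted=True),
    Fragment('<script src="/static/app.js"></script></body></html>', tainted=False),
]

if __name__ == "__main__":
    policy, html = render(PAGE)
    print("Content-Security-Policy:", policy)
    for body, ok in check_page(policy, html):
        print(("allowed " if ok else "blocked ") + repr(body))
```

Running the block prints a policy whose only hash is that of `initApp();`; the script that arrived through the tainted fragment is reported as blocked because no hash was generated for it, which is the behavior a retrofitted policy needs: the application's own inline scripts keep working while script text that reached the page from untrusted input is refused by the browser.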