TY - GEN
T1 - AutoCSP
T2 - 37th IEEE/ACM International Conference on Software Engineering, ICSE 2015
AU - Fazzini, Mattia
AU - Saxena, Prateek
AU - Orso, Alessandro
PY - 2015/8/12
Y1 - 2015/8/12
N2 - Web applications often handle sensitive user data, which makes them attractive targets for attacks such as cross-site scripting (XSS). Content security policy (CSP) is a content-restriction mechanism, now supported by all major browsers, that offers thorough protection against XSS. Unfortunately, simply enabling CSP for a web application would affect the application's behavior and likely disrupt its functionality. To address this issue, we propose AUTOCSP, an automated technique for retrofitting CSP to web applications. AUTOCSP (1) leverages dynamic taint analysis to identify which content should be allowed to load on the dynamically-generated HTML pages of a web application and (2) automatically modifies the server-side code to generate such pages with the right permissions. Our evaluation, performed on a set of real-world web applications, shows that AUTOCSP can retrofit CSP effectively and efficiently.
UR - http://www.scopus.com/inward/record.url?scp=84951841588&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84951841588&partnerID=8YFLogxK
U2 - 10.1109/ICSE.2015.53
DO - 10.1109/ICSE.2015.53
M3 - Conference contribution
AN - SCOPUS:84951841588
T3 - Proceedings - International Conference on Software Engineering
SP - 336
EP - 346
BT - Proceedings - 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, ICSE 2015
PB - IEEE Computer Society
Y2 - 16 May 2015 through 24 May 2015
ER -