AutoCSP: Automatically retrofitting CSP to web applications

Mattia Fazzini, Prateek Saxena, Alessandro Orso

Research output: Chapter in Book/Report/Conference proceedingConference contribution

23 Scopus citations

Abstract

Web applications often handle sensitive user data, which makes them attractive targets for attacks such as crosssite scripting (XSS). Content security policy (CSP) is a contentrestriction mechanism, now supported by all major browsers, that offers thorough protection against XSS. Unfortunately, simply enabling CSP for a web application would affect the application's behavior and likely disrupt its functionality. To address this issue, we propose AUTOCSP, an automated technique for retrofitting CSP to web applications. AUTOCSP (1) leverages dynamic taint analysis to identify which content should be allowed to load on the dynamically-generated HTML pages of a web application and (2) automatically modifies the serverside code to generate such pages with the right permissions. Our evaluation, performed on a set of real-world web applications, shows that AUTOCSP can retrofit CSP effectively and efficiently.

Original languageEnglish (US)
Title of host publicationProceedings - 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, ICSE 2015
PublisherIEEE Computer Society
Pages336-346
Number of pages11
ISBN (Electronic)9781479919345
DOIs
StatePublished - Aug 12 2015
Externally publishedYes
Event37th IEEE/ACM International Conference on Software Engineering, ICSE 2015 - Florence, Italy
Duration: May 16 2015May 24 2015

Publication series

NameProceedings - International Conference on Software Engineering
Volume1
ISSN (Print)0270-5257

Other

Other37th IEEE/ACM International Conference on Software Engineering, ICSE 2015
Country/TerritoryItaly
CityFlorence
Period5/16/155/24/15

Fingerprint

Dive into the research topics of 'AutoCSP: Automatically retrofitting CSP to web applications'. Together they form a unique fingerprint.

Cite this