• DocumentCode
    1606067
  • Title
    AutoCSP: Automatically Retrofitting CSP to Web Applications
  • Author
    Fazzini, Mattia ; Saxena, Prateek ; Orso, Alessandro
  • Author_Institution
    Georgia Inst. of Technol., Atlanta, GA, USA
  • Volume
    1
  • fYear
    2015
  • Firstpage
    336
  • Lastpage
    346
  • Abstract
    Web applications often handle sensitive user data, which makes them attractive targets for attacks such as cross-site scripting (XSS). Content security policy (CSP) is a content-restriction mechanism, now supported by all major browsers, that offers thorough protection against XSS. Unfortunately, simply enabling CSP for a web application would affect the application's behavior and likely disrupt its functionality. To address this issue, we propose AutoCSP, an automated technique for retrofitting CSP to web applications. AutoCSP (1) leverages dynamic taint analysis to identify which content should be allowed to load on the dynamically-generated HTML pages of a web application and (2) automatically modifies the server-side code to generate such pages with the right permissions. Our evaluation, performed on a set of real-world web applications, shows that AutoCSP can retrofit CSP effectively and efficiently.
  • Keywords
    Internet; security of data; AutoCSP policy; CSP content-restriction mechanism; CSP retrofitting; Web applications; XSS protection; content security policy; cross-site scripting; dynamic taint analysis; dynamically-generated HTML pages; server-side code modification; Algorithm design and analysis; Browsers; HTML; Heuristic algorithms; Security; Servers; Web pages; Content security policy; cross-site scripting
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Software Engineering (ICSE), 2015 IEEE/ACM 37th IEEE International Conference on
  • Conference_Location
    Florence
  • Type
    conf
  • DOI
    10.1109/ICSE.2015.53
  • Filename
    7194586