Team for Research in
Ubiquitous Secure Technology

A Systematic Analysis of XSS Sanitization in Web Application Frameworks
Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song

Citation
Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song. "A Systematic Analysis of XSS Sanitization in Web Application Frameworks". Proceedings of the 16th European conference on Research in computer security (ESORICS '11), 2011.

Abstract
While most research on XSS defense has focused on techniques for securing existing applications and re-architecting browser mechanisms, sanitization remains the industry-standard defense mechanism. By streamlining and automating XSS sanitization, web application frameworks stand in a good position to stop XSS but have received little research attention. In order to drive research on web frameworks, we systematically study the security of the XSS sanitization abstractions frameworks provide. We develop a novel model of the web browser and characterize the challenges of XSS sanitization. Based on the model, we systematically evaluate the XSS abstractions in 14 major commercially-used web frameworks. We find that frameworks often do not address critical parts of the XSS conundrum. We perform an empirical analysis of 8 large web applications to extract the requirements of sanitization primitives from the perspective of real-world applications. Our study shows that there is a wide gap between the abstractions provided by frameworks and the requirements of applications.

Electronic downloads

Citation formats  
  • HTML
    Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew
    Finifter, Richard Shin, Dawn Song. <a
    href="http://www.truststc.org/pubs/853.html" >A
    Systematic Analysis of XSS Sanitization in Web Application
    Frameworks</a>, Proceedings of the 16th European
    conference on Research in computer security (ESORICS '11),
    2011.
  • Plain text
    Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew
    Finifter, Richard Shin, Dawn Song. "A Systematic
    Analysis of XSS Sanitization in Web Application
    Frameworks". Proceedings of the 16th European
    conference on Research in computer security (ESORICS '11),
    2011.
  • BibTeX
    @inproceedings{WeinbergerSaxenaAkhaweFinifterShinSong11_SystematicAnalysisOfXSSSanitizationInWebApplicationFrameworks,
        author = {Joel Weinberger and Prateek Saxena and Devdatta
                  Akhawe and Matthew Finifter and Richard Shin and
                  Dawn Song},
        title = {A Systematic Analysis of XSS Sanitization in Web
                  Application Frameworks},
        booktitle = {Proceedings of the 16th European conference on
                  Research in computer security (ESORICS '11)},
        year = {2011},
        abstract = {While most research on XSS defense has focused on
                  techniques for securing existing applications and
                  re-architecting browser mechanisms, sanitization
                  remains the industry-standard defense mechanism.
                  By streamlining and automating XSS sanitization,
                  web application frameworks stand in a good
                  position to stop XSS but have received little
                  research attention. In order to drive research on
                  web frameworks, we systematically study the
                  security of the XSS sanitization abstractions
                  frameworks provide. We develop a novel model of
                  the web browser and characterize the challenges of
                  XSS sanitization. Based on the model, we
                  systematically evaluate the XSS abstractions in 14
                  major commercially-used web frameworks. We find
                  that frameworks often do not address critical
                  parts of the XSS conundrum. We perform an
                  empirical analysis of 8 large web applications to
                  extract the requirements of sanitization
                  primitives from the perspective of real-world
                  applications. Our study shows that there is a wide
                  gap between the abstractions provided by
                  frameworks and the requirements of applications.},
        URL = {http://www.truststc.org/pubs/853.html}
    }
    

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.