Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song
Citation
Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song. "A Systematic Analysis of XSS Sanitization in Web Application Frameworks". Proceedings of the 16th European conference on Research in computer security (ESORICS '11), 2011.
Abstract
While most research on XSS defense has focused on techniques for securing existing applications and re-architecting browser mechanisms, sanitization remains the industry-standard defense mechanism. By streamlining and automating XSS sanitization, web application frameworks stand in a good position to stop XSS but have received little research attention. In order to drive research on web frameworks, we systematically study the security of the XSS sanitization abstractions frameworks provide. We develop a novel model of the web browser and characterize the challenges of XSS sanitization. Based on the model, we systematically evaluate the XSS abstractions in 14 major commercially-used web frameworks. We find that frameworks often do not address critical parts of the XSS conundrum. We perform an empirical analysis of 8 large web applications to extract the requirements of sanitization primitives from the perspective of realworld applications. Our study shows that there is a wide gap between the abstractions provided by frameworks and the requirements of applications.
Electronic downloads
- empirical-webfwks-1.pdf · application/pdf · 240 kbytes
| Citation formats |
- HTML
Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song. <a href="http://www.truststc.org/pubs/853.html" >A Systematic Analysis of XSS Sanitization in Web Application Frameworks</a>, Proceedings of the 16th European conference on Research in computer security (ESORICS '11), 2011.
- Plain text
Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song. "A Systematic Analysis of XSS Sanitization in Web Application Frameworks". Proceedings of the 16th European conference on Research in computer security (ESORICS '11), 2011.
- BibTeX
@inproceedings{WeinbergerSaxenaAkhaweFinifterShinSong11_SystematicAnalysisOfXSSSanitizationInWebApplicationFrameworks, author = {Joel Weinberger and Prateek Saxena and Devdatta Akhawe and Matthew Finifter and Richard Shin and Dawn Song}, title = {A Systematic Analysis of XSS Sanitization in Web Application Frameworks}, booktitle = {Proceedings of the 16th European conference on Research in computer security (ESORICS '11)}, year = {2011}, abstract = {While most research on XSS defense has focused on techniques for securing existing applications and re-architecting browser mechanisms, sanitization remains the industry-standard defense mechanism. By streamlining and automating XSS sanitization, web application frameworks stand in a good position to stop XSS but have received little research attention. In order to drive research on web frameworks, we systematically study the security of the XSS sanitization abstractions frameworks provide. We develop a novel model of the web browser and characterize the challenges of XSS sanitization. Based on the model, we systematically evaluate the XSS abstractions in 14 major commercially-used web frameworks. We find that frameworks often do not address critical parts of the XSS conundrum. We perform an empirical analysis of 8 large web applications to extract the requirements of sanitization primitives from the perspective of realworld applications. Our study shows that there is a wide gap between the abstractions provided by frameworks and the requirements of applications.}, URL = {http://www.truststc.org/pubs/853.html} }
Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the
Publications FAQ or
contact webmaster at www truststc org.
Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.