Abstract
While most research on XSS defense has focused on techniques for securing existing applications and re-architecting browser mechanisms, sanitization remains the industry-standard defense mechanism. By streamlining and automating XSS sanitization, web application frameworks are well positioned to stop XSS, yet they have received little research attention. To drive research on web frameworks, we systematically study the security of the XSS sanitization abstractions that frameworks provide. We develop a novel model of the web browser and characterize the challenges of XSS sanitization. Based on this model, we systematically evaluate the XSS abstractions in 14 major commercially used web frameworks. We find that frameworks often do not address critical parts of the XSS conundrum. We perform an empirical analysis of 8 large web applications to extract the requirements of sanitization primitives from the perspective of real-world applications. Our study shows that there is a wide gap between the abstractions provided by frameworks and the requirements of applications.
© 2011 Springer-Verlag Berlin Heidelberg
Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R., Song, D. (2011). A Systematic Analysis of XSS Sanitization in Web Application Frameworks. In: Atluri, V., Diaz, C. (eds) Computer Security – ESORICS 2011. ESORICS 2011. Lecture Notes in Computer Science, vol 6879. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23822-2_9
DOI: https://doi.org/10.1007/978-3-642-23822-2_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23821-5
Online ISBN: 978-3-642-23822-2