AutoCSP: Automatically retrofitting CSP to web applications

Mattia Fazzini; Prateek Saxena; Alessandro Orso

doi:10.1109/ICSE.2015.53

AutoCSP: Automatically retrofitting CSP to web applications

Mattia Fazzini, Prateek Saxena, Alessandro Orso

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

21 Scopus citations

Abstract

Web applications often handle sensitive user data, which makes them attractive targets for attacks such as crosssite scripting (XSS). Content security policy (CSP) is a contentrestriction mechanism, now supported by all major browsers, that offers thorough protection against XSS. Unfortunately, simply enabling CSP for a web application would affect the application's behavior and likely disrupt its functionality. To address this issue, we propose AUTOCSP, an automated technique for retrofitting CSP to web applications. AUTOCSP (1) leverages dynamic taint analysis to identify which content should be allowed to load on the dynamically-generated HTML pages of a web application and (2) automatically modifies the serverside code to generate such pages with the right permissions. Our evaluation, performed on a set of real-world web applications, shows that AUTOCSP can retrofit CSP effectively and efficiently.

Original language	English (US)
Title of host publication	Proceedings - 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, ICSE 2015
Publisher	IEEE Computer Society
Pages	336-346
Number of pages	11
ISBN (Electronic)	9781479919345
DOIs	https://doi.org/10.1109/ICSE.2015.53
State	Published - Aug 12 2015
Externally published	Yes
Event	37th IEEE/ACM International Conference on Software Engineering, ICSE 2015 - Florence, Italy Duration: May 16 2015 → May 24 2015

Publication series

Name	Proceedings - International Conference on Software Engineering
Volume	1
ISSN (Print)	0270-5257

Other

Other	37th IEEE/ACM International Conference on Software Engineering, ICSE 2015
Country/Territory	Italy
City	Florence
Period	5/16/15 → 5/24/15

Access

10.1109/ICSE.2015.53

OpenUrl availability

Full text

Cite this

Fazzini, M., Saxena, P., & Orso, A. (2015). AutoCSP: Automatically retrofitting CSP to web applications. In Proceedings - 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, ICSE 2015 (pp. 336-346). Article 7194586 (Proceedings - International Conference on Software Engineering; Vol. 1). IEEE Computer Society. https://doi.org/10.1109/ICSE.2015.53

AutoCSP: Automatically retrofitting CSP to web applications. / Fazzini, Mattia; Saxena, Prateek; Orso, Alessandro.
Proceedings - 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, ICSE 2015. IEEE Computer Society, 2015. p. 336-346 7194586 (Proceedings - International Conference on Software Engineering; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Fazzini, M, Saxena, P & Orso, A 2015, AutoCSP: Automatically retrofitting CSP to web applications. in Proceedings - 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, ICSE 2015., 7194586, Proceedings - International Conference on Software Engineering, vol. 1, IEEE Computer Society, pp. 336-346, 37th IEEE/ACM International Conference on Software Engineering, ICSE 2015, Florence, Italy, 5/16/15. https://doi.org/10.1109/ICSE.2015.53

@inproceedings{03900fa109d441999396dcd59c524282,

title = "AutoCSP: Automatically retrofitting CSP to web applications",

abstract = "Web applications often handle sensitive user data, which makes them attractive targets for attacks such as crosssite scripting (XSS). Content security policy (CSP) is a contentrestriction mechanism, now supported by all major browsers, that offers thorough protection against XSS. Unfortunately, simply enabling CSP for a web application would affect the application's behavior and likely disrupt its functionality. To address this issue, we propose AUTOCSP, an automated technique for retrofitting CSP to web applications. AUTOCSP (1) leverages dynamic taint analysis to identify which content should be allowed to load on the dynamically-generated HTML pages of a web application and (2) automatically modifies the serverside code to generate such pages with the right permissions. Our evaluation, performed on a set of real-world web applications, shows that AUTOCSP can retrofit CSP effectively and efficiently.",

author = "Mattia Fazzini and Prateek Saxena and Alessandro Orso",

year = "2015",

month = aug,

day = "12",

doi = "10.1109/ICSE.2015.53",

language = "English (US)",

series = "Proceedings - International Conference on Software Engineering",

publisher = "IEEE Computer Society",

pages = "336--346",

booktitle = "Proceedings - 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, ICSE 2015",

note = "37th IEEE/ACM International Conference on Software Engineering, ICSE 2015 ; Conference date: 16-05-2015 Through 24-05-2015",

}

TY - GEN

T1 - AutoCSP

T2 - 37th IEEE/ACM International Conference on Software Engineering, ICSE 2015

AU - Fazzini, Mattia

AU - Saxena, Prateek

AU - Orso, Alessandro

PY - 2015/8/12

Y1 - 2015/8/12

N2 - Web applications often handle sensitive user data, which makes them attractive targets for attacks such as crosssite scripting (XSS). Content security policy (CSP) is a contentrestriction mechanism, now supported by all major browsers, that offers thorough protection against XSS. Unfortunately, simply enabling CSP for a web application would affect the application's behavior and likely disrupt its functionality. To address this issue, we propose AUTOCSP, an automated technique for retrofitting CSP to web applications. AUTOCSP (1) leverages dynamic taint analysis to identify which content should be allowed to load on the dynamically-generated HTML pages of a web application and (2) automatically modifies the serverside code to generate such pages with the right permissions. Our evaluation, performed on a set of real-world web applications, shows that AUTOCSP can retrofit CSP effectively and efficiently.

AB - Web applications often handle sensitive user data, which makes them attractive targets for attacks such as crosssite scripting (XSS). Content security policy (CSP) is a contentrestriction mechanism, now supported by all major browsers, that offers thorough protection against XSS. Unfortunately, simply enabling CSP for a web application would affect the application's behavior and likely disrupt its functionality. To address this issue, we propose AUTOCSP, an automated technique for retrofitting CSP to web applications. AUTOCSP (1) leverages dynamic taint analysis to identify which content should be allowed to load on the dynamically-generated HTML pages of a web application and (2) automatically modifies the serverside code to generate such pages with the right permissions. Our evaluation, performed on a set of real-world web applications, shows that AUTOCSP can retrofit CSP effectively and efficiently.

UR - http://www.scopus.com/inward/record.url?scp=84951841588&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84951841588&partnerID=8YFLogxK

U2 - 10.1109/ICSE.2015.53

DO - 10.1109/ICSE.2015.53

M3 - Conference contribution

AN - SCOPUS:84951841588

T3 - Proceedings - International Conference on Software Engineering

SP - 336

EP - 346

BT - Proceedings - 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, ICSE 2015

PB - IEEE Computer Society

Y2 - 16 May 2015 through 24 May 2015

ER -

AutoCSP: Automatically retrofitting CSP to web applications

Abstract

Publication series

Other

Access

OpenUrl availability

Other files and links

Fingerprint

Cite this