A Systematic Analysis of XSS Sanitization in Web Application Frameworks

  • Joel Weinberger
  • Prateek Saxena
  • Devdatta Akhawe
  • Matthew Finifter
  • Richard Shin
  • Dawn Song
Conference paper

DOI: 10.1007/978-3-642-23822-2_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6879)
Cite this paper as:
Weinberger J., Saxena P., Akhawe D., Finifter M., Shin R., Song D. (2011) A Systematic Analysis of XSS Sanitization in Web Application Frameworks. In: Atluri V., Diaz C. (eds) Computer Security – ESORICS 2011. ESORICS 2011. Lecture Notes in Computer Science, vol 6879. Springer, Berlin, Heidelberg

Abstract

While most research on XSS defense has focused on techniques for securing existing applications and re-architecting browser mechanisms, sanitization remains the industry-standard defense mechanism. By streamlining and automating XSS sanitization, web application frameworks stand in a good position to stop XSS but have received little research attention. In order to drive research on web frameworks, we systematically study the security of the XSS sanitization abstractions frameworks provide. We develop a novel model of the web browser and characterize the challenges of XSS sanitization. Based on the model, we systematically evaluate the XSS abstractions in 14 major commercially-used web frameworks. We find that frameworks often do not address critical parts of the XSS conundrum. We perform an empirical analysis of 8 large web applications to extract the requirements of sanitization primitives from the perspective of real-world applications. Our study shows that there is a wide gap between the abstractions provided by frameworks and the requirements of applications.
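The abstract's point that frameworks "often do not address critical parts of the XSS conundrum" comes down to output context: a value is only safe if it was sanitized for the exact parser that will consume it, and browsers nest parsers (an HTML attribute is entity-decoded before the JavaScript parser reads an inline handler). The following is an added example, not code from the paper or its authors, showing one untrusted value rendered into three contexts. The function names, the `go()` handler in the template, the http(s)-only URL policy, and the minimal entity decoder standing in for the browser are assumptions made for this illustration.

```javascript
// Added example (not from the paper): context-sensitive sanitizers and why a
// single HTML-escaping routine cannot cover every output context. All names
// and the http(s)-only URL policy are assumptions for this illustration.

// HTML text and quoted-attribute context: neutralise the characters that can
// close a text node or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: hex-escape every non-alphanumeric code
// unit, so the output contains nothing an HTML entity decoder would rewrite.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL context: escaping cannot remove a dangerous scheme, so the value is
// checked against a scheme allow-list instead (assumed policy: http(s) only).
function sanitizeUrl(s) {
  const url = String(s).trim();
  return /^https?:\/\//i.test(url) ? url : "about:blank";
}

// Stand-in for the browser: the HTML parser entity-decodes an attribute value
// (in a single pass) before any nested JavaScript parser sees it. Only the
// entities escapeHtml emits are handled here.
function htmlDecodeAttr(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"' };
  return s.replace(/&(?:#(\d+)|(amp|lt|gt|quot));/g, (m, num, name) =>
    num !== undefined ? String.fromCodePoint(Number(num)) : named[name]);
}

// True if a single-quoted JS literal with body `body` would terminate early
// (an unescaped quote or a raw line terminator inside it).
function literalClosesEarly(body) {
  for (let i = 0; i < body.length; i++) {
    if (body[i] === "\\") { i++; continue; }   // escape consumes the next char
    if (body[i] === "'" || body[i] === "\n" || body[i] === "\r") return true;
  }
  return false;
}

// Nested context: a JS string literal inside an HTML attribute needs the JS
// escaper applied first and the HTML escaper outermost. escapeJsString's
// output is already attribute-safe, so the HTML step is a no-op here, but a
// template should still apply both so the composition is always correct.
function escapeForEventHandler(value) {
  return escapeHtml(escapeJsString(value));
}

// Template <a onclick="go('VALUE')">, rendered with whichever sanitizer the
// developer picked.
function renderOnclick(escaper, value) {
  return `<a onclick="go('${escaper(value)}')">link</a>`;
}

// After the HTML parser's decoding, does the JS parser see a broken literal?
function handlerBreaksOut(escaper, value) {
  return literalClosesEarly(htmlDecodeAttr(escaper(value)));
}

// href context: scheme policy first, then HTML escaping for the attribute.
function renderHref(url) {
  return `<a href="${escapeHtml(sanitizeUrl(url))}">link</a>`;
}
```

With the payload `');alert(1);//`, `handlerBreaksOut(escapeHtml, ...)` is true: HTML escaping turns the quote into `&#39;`, the HTML parser decodes it back to `'`, and the JavaScript literal closes early. `handlerBreaksOut(escapeForEventHandler, ...)` is false, because `\x27` contains no entity characters and survives the decode intact. In the URL context HTML escaping is simply irrelevant: `escapeHtml("javascript:alert(1)")` returns the input unchanged, while `renderHref` rejects it through the scheme allow-list.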

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Joel Weinberger
    • 1
  • Prateek Saxena
    • 1
  • Devdatta Akhawe
    • 1
  • Matthew Finifter
    • 1
  • Richard Shin
    • 1
  • Dawn Song
    • 1
  1. University of California, Berkeley, USA