deDacota: toward preventing server-side XSS via automatic code and data separation

Authors: Adam Doupé, Weidong Cui, Mariusz H. Jakubowski, Marcus Peinado, Christopher Kruegel

DOI: 10.1145/2508859.2516708

Keywords:

Abstract: Web applications are constantly under attack. They are popular, typically accessible from anywhere on the Internet, and they can be abused as malware delivery systems. Cross-site scripting flaws are one of the most common types of vulnerabilities that are leveraged to compromise a web application and its users. A large set of cross-site scripting vulnerabilities originates from the browser's confusion between data and code. That is, untrusted data input to the web application is sent to the clients' browser, where it is then interpreted as code and executed. While new applications can be designed with a clear separation between data and code from the start, legacy web applications do not have that luxury. This paper presents a novel approach to securing legacy web applications by automatically and statically rewriting an application so that code and data are clearly separated in its web pages. This transformation protects the application and its users from a large range of server-side cross-site scripting attacks. Moreover, the code and data separation can be efficiently enforced at run time via the Content Security Policy enforcement mechanism available in modern browsers. We implemented our approach in a tool, called deDacota, that operates on binary ASP.NET applications. We demonstrate on six real-world applications that our tool is able to automatically separate code and data, while keeping the application's semantics unchanged.
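As an added illustration of the separation the abstract describes (this is not the paper's deDacota tool, which rewrites compiled ASP.NET binaries, but a simplified Python model of the same idea): inline scripts that are known when the application is built are moved into external files, the page is served with a Content Security Policy of `script-src 'self'`, and any script that reaches the page inline through untrusted data at run time is therefore refused by a CSP-aware browser. The page template, its `{comment}` placeholder and the `/static/<hash>.js` naming scheme are constructed for this example.

```python
import hashlib
import re

# Constructed sample template, standing in for a legacy ASP.NET page: it contains one
# legitimate inline script (known at build time) and a placeholder that the
# application fills with untrusted request data at run time, without encoding.
TEMPLATE = """<html><body>
<script>
function greet() { document.getElementById('out').textContent = 'hello'; }
</script>
<div id="out"></div>
<p>Last comment: {comment}</p>
</body></html>"""

# Matches only inline scripts; <script src="..."> references do not match.
INLINE_SCRIPT_RE = re.compile(r"<script>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def separate_code_and_data(template):
    """Build-time rewrite: move each inline <script> body found in the static
    template into an external file named by its hash and reference it via src=.
    Returns the rewritten template, the external files, and a CSP header that
    permits only same-origin script files, so inline script is refused."""
    external = {}

    def to_external(match):
        body = match.group(1).strip()
        name = hashlib.sha256(body.encode()).hexdigest()[:16]
        path = f"/static/{name}.js"  # assumed static-file location
        external[path] = body
        return f'<script src="{path}"></script>'

    rewritten = INLINE_SCRIPT_RE.sub(to_external, template)
    return rewritten, external, "script-src 'self'"


def render(template, comment):
    """Run-time rendering as the legacy application does it: raw substitution
    of untrusted data into the page, with no output encoding."""
    return template.replace("{comment}", comment)


def inline_scripts(html):
    """Inline script bodies present in a rendered page. Under script-src 'self'
    a CSP-aware browser refuses to execute every one of them."""
    return [m.group(1).strip() for m in INLINE_SCRIPT_RE.finditer(html)]


def blocked_scripts(template, comment):
    """Rewrite the template once, render it with the given data, and return the
    inline scripts that the CSP would block in the resulting page. After the
    rewrite, the only way script can appear inline is through the data."""
    rewritten, _, csp = separate_code_and_data(template)
    page = render(rewritten, comment)
    assert csp == "script-src 'self'"
    return inline_scripts(page)


if __name__ == "__main__":
    rewritten, files, csp = separate_code_and_data(TEMPLATE)
    print("Content-Security-Policy:", csp)
    print(rewritten)
    print(files)
    print("blocked with benign data:", blocked_scripts(TEMPLATE, "nice post"))
    print("blocked with injected script:",
          blocked_scripts(TEMPLATE, "<script>injected()</script>"))
```

The legitimate `greet` script survives the rewrite as an external same-origin file, so the page's behaviour is unchanged, while the script smuggled in through the comment field stays inline and is exactly what the policy refuses. deDacota performs the equivalent rewrite by static analysis of the compiled application, which is what lets it handle pages whose inline scripts are assembled from several code paths.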
