A Systematic Analysis of XSS Sanitization in Web Application Frameworks
In Proc. of the European Symposium on Research in Computer Security (ESORICS), 2011
@InProceedings{joel11empirical,
author = {Joel Weinberger and Prateek Saxena and Devdatta Akhawe and Matthew Finifter and Richard Shin and Dawn Song},
title = {A Systematic Analysis of XSS Sanitization in Web Application Frameworks},
booktitle = {Proceedings of the European Symposium on Research in Computer Security (ESORICS)},
year = {2011},
}
Abstract
While most research on XSS defense has focused on techniques for
securing existing applications and re-architecting browser mechanisms,
sanitization remains the industry-standard defense mechanism. By
streamlining and automating XSS sanitization, web application
frameworks stand in a good position to stop XSS but have received
little research attention. In order to drive research on web
frameworks, we systematically study the security of the XSS
sanitization abstractions frameworks provide. We develop a novel model
of the web browser and characterize the challenges of XSS
sanitization. Based on the model, we systematically evaluate the XSS
abstractions in 14 major commercially used web frameworks. We find that
frameworks often do not address critical parts of the XSS
conundrum. We perform an empirical analysis of 8 large web
applications to extract the requirements of sanitization primitives
from the perspective of real-world applications. Our study shows that
there is a wide gap between the abstractions provided by frameworks
and the requirements of applications,
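The abstract's central point, that a sanitizer must match the browser parsing context an untrusted value lands in, as an added example that is not code from the paper or from any framework it studies: a minimal context-sensitive escaper in Python with constructed sample inputs. Function names and the allowed-scheme list are illustrative assumptions.

```python
import html
import json
from urllib.parse import quote

# Added example (not from the paper): one encoder per browser context.
# A single HTML-escape primitive is the "abstraction gap" the abstract
# describes: it is correct for element content but a no-op or wrong in
# URL and JavaScript contexts.

def esc_html_text(s: str) -> str:
    """Untrusted data placed in HTML element content or a quoted attribute."""
    return html.escape(s, quote=True)

def esc_js_string(s: str) -> str:
    """Untrusted data inside a JS string literal in a <script> block.
    json.dumps handles quotes/backslashes; '<' and '>' are also encoded
    so a value can never close the enclosing <script> element."""
    return json.dumps(s)[1:-1].replace("<", "\\u003c").replace(">", "\\u003e")

# Illustrative allow-list: schemes/paths considered safe for href/src.
SAFE_PREFIXES = ("http://", "https://", "/")

def esc_url_attr(s: str) -> str:
    """Untrusted data used as a whole URL in href/src. Escaping cannot
    neutralise a dangerous scheme, so unknown schemes are rejected, then
    the result is escaped for the attribute context it sits in."""
    u = s.strip()
    if not u.lower().startswith(SAFE_PREFIXES):
        return "#"
    return html.escape(u, quote=True)

def esc_url_param(s: str) -> str:
    """Untrusted data embedded as a query-string value."""
    return quote(s, safe="")

def render_link(url: str, label: str) -> str:
    """Two contexts in one template: URL attribute and element content."""
    return '<a href="%s">%s</a>' % (esc_url_attr(url), esc_html_text(label))

def render_script_var(name: str, value: str) -> str:
    """JS string context inside an inline script."""
    return '<script>var %s = "%s";</script>' % (name, esc_js_string(value))

if __name__ == "__main__":
    # Constructed inputs: HTML escaping leaves a javascript: URL untouched,
    # which is why esc_url_attr validates the scheme instead.
    url = "javascript:run()"
    assert html.escape(url) == url
    print(render_link(url, "<b>profile</b>"))
    print(render_script_var("q", '"</script>'))
```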