DeDacota

Toward preventing server-side XSS via automatic code and data separation

Adam Doupe, Weidong Cui, Mariusz H. Jakubowski, Marcus Peinado, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

26 Citations (Scopus)

Abstract

Web applications are constantly under attack. They are popular, typically accessible from anywhere on the Internet, and they can be abused as malware delivery systems. Cross-site scripting flaws are one of the most common types of vulnerabilities that are leveraged to compromise a web application and its users. A large set of cross-site scripting vulnerabilities originates from the browser's confusion between data and code. That is, untrusted data input to the web application is sent to the client's browser, where it is then interpreted as code and executed. While new applications can be designed with code and data separated from the start, legacy web applications do not have that luxury. This paper presents a novel approach to securing legacy web applications by automatically and statically rewriting an application so that the code and data are clearly separated in its web pages. This transformation protects the application and its users from a large range of server-side cross-site scripting attacks. Moreover, the code and data separation can be efficiently enforced at run time via the Content Security Policy enforcement mechanism available in modern browsers. We implemented our approach in a tool, called deDacota, that operates on binary ASP.NET applications. We demonstrate on six real-world applications that our tool is able to automatically separate code and data, while keeping the application's semantics unchanged.
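The transformation the abstract describes, as an added illustration written for this record and not taken from the paper or the deDacota tool: a legacy page template carries its JavaScript inline, so an unescaped user value that contains a <script> tag is indistinguishable to the browser from the page's own code. The function below moves each inline script in a template into an external same-origin resource and emits a Content-Security-Policy that permits only same-origin scripts; a minimal model of the browser's script-src decision then shows that the page's own script still runs while an inline script injected through the data path does not. The regexes, the /static/js/ path, the exact policy string, the placeholder syntax and the sample template and payload are assumptions made for this example; the real tool rewrites compiled ASP.NET and must handle script blocks whose content is itself built from data, which a regex over a static template cannot.

```python
import hashlib
import re

# Assumption for the example: the legacy templates use plain <script> tags.
# A real rewriter would use an HTML parser rather than regular expressions.
INLINE_SCRIPT_RE = re.compile(
    r"<script(?![^>]*\bsrc=)[^>]*>(?P<body>.*?)</script>",
    re.DOTALL | re.IGNORECASE,
)
SCRIPT_TAG_RE = re.compile(
    r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
    re.DOTALL | re.IGNORECASE,
)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def separate_code_and_data(template):
    """Static rewrite: move every inline <script> of a page template into an
    external file and return (rewritten_template, external_files, csp_header).
    The /static/js/ path and the policy string are assumptions for the example."""
    external = {}

    def extract(match):
        body = match.group("body")
        name = "/static/js/" + hashlib.sha256(body.encode()).hexdigest()[:16] + ".js"
        external[name] = body
        return '<script src="%s"></script>' % name

    rewritten = INLINE_SCRIPT_RE.sub(extract, template)
    # No 'unsafe-inline': only scripts loaded from the page's own origin may run.
    csp = "script-src 'self'"
    return rewritten, external, csp


def render(template, **data):
    """Legacy-style rendering: substitutes data without HTML-escaping it,
    which is exactly the kind of page the transformation has to protect."""
    out = template
    for key, value in data.items():
        out = out.replace("{{" + key + "}}", value)
    return out


def scripts_that_run(html, csp):
    """Minimal model of a browser's script-src decision. Returns the list of
    scripts that would execute as (kind, src_or_body). csp=None means no
    policy header was sent, so everything runs. Only root-relative src values
    are treated as same-origin here."""
    allow_inline = csp is None or "'unsafe-inline'" in csp
    allow_self = csp is None or "'self'" in csp
    runs = []
    for m in SCRIPT_TAG_RE.finditer(html):
        src = SRC_RE.search(m.group("attrs"))
        if src:
            if allow_self and src.group(1).startswith("/"):
                runs.append(("external", src.group(1)))
        elif allow_inline:
            runs.append(("inline", m.group("body").strip()))
    return runs


# Constructed sample template and attacker-controlled comment for the demo.
TEMPLATE = """<html><body>
<script>function greet(){ document.title = "Guestbook"; }</script>
<div class="comment">{{comment}}</div>
</body></html>"""

PAYLOAD = '</div><script>alert(1)</script><div>'


def demo():
    """Before: no separation, no CSP, the injected script runs alongside the
    page's own. After: the page's script is external and allowed, the
    injected inline script is blocked by the policy."""
    before = scripts_that_run(render(TEMPLATE, comment=PAYLOAD), csp=None)
    rewritten, files, csp = separate_code_and_data(TEMPLATE)
    after = scripts_that_run(render(rewritten, comment=PAYLOAD), csp)
    return before, after, files, csp


if __name__ == "__main__":
    before, after, files, csp = demo()
    print("without separation/CSP:", before)
    print("with separation, CSP", repr(csp) + ":", after)
    print("extracted files:", files)
```

The check worth keeping from this model is the last one: after the rewrite the only script that executes is the external one, even though the rendered HTML still contains the attacker's <script> tag verbatim. That is the property the abstract claims, that separation makes the browser, not the server, the enforcement point, and it holds only as long as the emitted policy never includes 'unsafe-inline'.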

Original language: English (US)
Title of host publication: Proceedings of the ACM Conference on Computer and Communications Security
Pages: 1205-1216
Number of pages: 12
DOIs: https://doi.org/10.1145/2508859.2516708
State: Published - 2013
Externally published: Yes
Event: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 - Berlin, Germany
Duration: Nov 4 2013 - Nov 8 2013

Other

Other: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013
Country: Germany
City: Berlin
Period: 11/4/13 - 11/8/13

Fingerprint

Servers
Websites
Semantics
Internet
Defects

Keywords

  • code and data separation
  • content security policy
  • cross-site scripting
  • csp
  • xss

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Doupe, A., Cui, W., Jakubowski, M. H., Peinado, M., Kruegel, C., & Vigna, G. (2013). DeDacota: Toward preventing server-side XSS via automatic code and data separation. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 1205-1216) https://doi.org/10.1145/2508859.2516708

@inproceedings{e94575c557574492bce1c38e8d1582ad,
title = "DeDacota: Toward preventing server-side XSS via automatic code and data separation",
abstract = "Web applications are constantly under attack. They are popular, typically accessible from anywhere on the Internet, and they can be abused as malware delivery systems. Cross-site scripting flaws are one of the most common types of vulnerabilities that are leveraged to compromise a web application and its users. A large set of cross-site scripting vulnerabilities originates from the browser's confusion between data and code. That is, untrusted data input to the web application is sent to the client's browser, where it is then interpreted as code and executed. While new applications can be designed with code and data separated from the start, legacy web applications do not have that luxury. This paper presents a novel approach to securing legacy web applications by automatically and statically rewriting an application so that the code and data are clearly separated in its web pages. This transformation protects the application and its users from a large range of server-side cross-site scripting attacks. Moreover, the code and data separation can be efficiently enforced at run time via the Content Security Policy enforcement mechanism available in modern browsers. We implemented our approach in a tool, called deDacota, that operates on binary ASP.NET applications. We demonstrate on six real-world applications that our tool is able to automatically separate code and data, while keeping the application's semantics unchanged.",
keywords = "code and data separation, content security policy, cross-site scripting, csp, xss",
author = "Adam Doupe and Weidong Cui and Jakubowski, {Mariusz H.} and Marcus Peinado and Christopher Kruegel and Giovanni Vigna",
year = "2013",
doi = "10.1145/2508859.2516708",
language = "English (US)",
isbn = "9781450324779",
pages = "1205--1216",
booktitle = "Proceedings of the ACM Conference on Computer and Communications Security",

}

TY - GEN

T1 - DeDacota

T2 - Toward preventing server-side XSS via automatic code and data separation

AU - Doupe, Adam

AU - Cui, Weidong

AU - Jakubowski, Mariusz H.

AU - Peinado, Marcus

AU - Kruegel, Christopher

AU - Vigna, Giovanni

PY - 2013

Y1 - 2013

N2 - Web applications are constantly under attack. They are popular, typically accessible from anywhere on the Internet, and they can be abused as malware delivery systems. Cross-site scripting flaws are one of the most common types of vulnerabilities that are leveraged to compromise a web application and its users. A large set of cross-site scripting vulnerabilities originates from the browser's confusion between data and code. That is, untrusted data input to the web application is sent to the client's browser, where it is then interpreted as code and executed. While new applications can be designed with code and data separated from the start, legacy web applications do not have that luxury. This paper presents a novel approach to securing legacy web applications by automatically and statically rewriting an application so that the code and data are clearly separated in its web pages. This transformation protects the application and its users from a large range of server-side cross-site scripting attacks. Moreover, the code and data separation can be efficiently enforced at run time via the Content Security Policy enforcement mechanism available in modern browsers. We implemented our approach in a tool, called deDacota, that operates on binary ASP.NET applications. We demonstrate on six real-world applications that our tool is able to automatically separate code and data, while keeping the application's semantics unchanged.

AB - Web applications are constantly under attack. They are popular, typically accessible from anywhere on the Internet, and they can be abused as malware delivery systems. Cross-site scripting flaws are one of the most common types of vulnerabilities that are leveraged to compromise a web application and its users. A large set of cross-site scripting vulnerabilities originates from the browser's confusion between data and code. That is, untrusted data input to the web application is sent to the client's browser, where it is then interpreted as code and executed. While new applications can be designed with code and data separated from the start, legacy web applications do not have that luxury. This paper presents a novel approach to securing legacy web applications by automatically and statically rewriting an application so that the code and data are clearly separated in its web pages. This transformation protects the application and its users from a large range of server-side cross-site scripting attacks. Moreover, the code and data separation can be efficiently enforced at run time via the Content Security Policy enforcement mechanism available in modern browsers. We implemented our approach in a tool, called deDacota, that operates on binary ASP.NET applications. We demonstrate on six real-world applications that our tool is able to automatically separate code and data, while keeping the application's semantics unchanged.

KW - code and data separation

KW - content security policy

KW - cross-site scripting

KW - csp

KW - xss

UR - http://www.scopus.com/inward/record.url?scp=84889019764&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84889019764&partnerID=8YFLogxK

U2 - 10.1145/2508859.2516708

DO - 10.1145/2508859.2516708

M3 - Conference contribution

SN - 9781450324779

SP - 1205

EP - 1216

BT - Proceedings of the ACM Conference on Computer and Communications Security

ER -