TY - GEN
T1 - DeDacota
T2 - 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013
AU - Doupé, Adam
AU - Cui, Weidong
AU - Jakubowski, Mariusz H.
AU - Peinado, Marcus
AU - Kruegel, Christopher
AU - Vigna, Giovanni
PY - 2013
Y1 - 2013
N2 - Web applications are constantly under attack. They are popular, typically accessible from anywhere on the Internet, and they can be abused as malware delivery systems. Cross-site scripting flaws are one of the most common types of vulnerabilities that are leveraged to compromise a web application and its users. A large set of cross-site scripting vulnerabilities originates from the browser's confusion between data and code. That is, untrusted data input to the web application is sent to the clients' browser, where it is then interpreted as code and executed. While new applications can be designed with code and data separated from the start, legacy web applications do not have that luxury. This paper presents a novel approach to securing legacy web applications by automatically and statically rewriting an application so that the code and data are clearly separated in its web pages. This transformation protects the application and its users from a large range of server-side cross-site scripting attacks. Moreover, the code and data separation can be efficiently enforced at run time via the Content Security Policy enforcement mechanism available in modern browsers. We implemented our approach in a tool, called deDacota, that operates on binary ASP.NET applications. We demonstrate on six real-world applications that our tool is able to automatically separate code and data, while keeping the application's semantics unchanged.
KW - code and data separation
KW - content security policy
KW - cross-site scripting
KW - csp
KW - xss
UR - http://www.scopus.com/inward/record.url?scp=84889019764&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84889019764&partnerID=8YFLogxK
U2 - 10.1145/2508859.2516708
DO - 10.1145/2508859.2516708
M3 - Conference contribution
AN - SCOPUS:84889019764
SN - 9781450324779
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1205
EP - 1216
BT - CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security
Y2 - 4 November 2013 through 8 November 2013
ER -