Scripts enable much of the functionality of the modern Web. At the same time, attackers may utilize them in cross-site scripting (XSS), leading to malicious code execution. Content Security Policy (CSP) is a mechanism to prevent XSS attacks by restricting the scripts that can be loaded on a website. Devising an effective CSP policy by hand is a daunting task due to the complexity of modern Web applications. Previous attempts to automate this process are either specific to certain server-side programming languages, require modifications to the Web application’s source code, fall short in mitigating XSS, or require third-party cooperation. To assist Web developers and facilitate the adoption of CSP, we propose a server-side system that crafts a safe CSP configuration and modifies the script content in the server response to comply with the set configuration. EasyCSPeasy overcomes various limitations of previous systems as it is language-agnostic, standalone, and does not require source code modification. We evaluate our system on six open source Web applications (five PHP-based, one Perl-based) and show that all continue to provide their commonly interacted functionalities when integrated with EasyCSPeasy. We quantify the minimal overhead introduced by our system. We deploy known vulnerable versions of three Web applications and demonstrate that the CSP policies automatically generated by EasyCSPeasy block known attacks against these applications.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

EasyCSPeasy: A Server-Side and Language-Agnostic XSS Mitigation by Devising and Ensuring Compliance with CSP

  • Beliz Kaleli,
  • Manuel Egele,
  • Gianluca Stringhini

摘要

Scripts enable much of the functionality of the modern Web. At the same time, attackers may utilize them in cross-site scripting (XSS), leading to malicious code execution. Content Security Policy (CSP) is a mechanism to prevent XSS attacks by restricting the scripts that can be loaded on a website. Devising an effective CSP policy by hand is a daunting task due to the complexity of modern Web applications. Previous attempts to automate this process are either specific to certain server-side programming languages, require modifications to the Web application’s source code, fall short in mitigating XSS, or require third-party cooperation. To assist Web developers and facilitate the adoption of CSP, we propose a server-side system that crafts a safe CSP configuration and modifies the script content in the server response to comply with the set configuration. EasyCSPeasy overcomes various limitations of previous systems as it is language-agnostic, standalone, and does not require source code modification. We evaluate our system on six open source Web applications (five PHP-based, one Perl-based) and show that all continue to provide their commonly interacted functionalities when integrated with EasyCSPeasy. We quantify the minimal overhead introduced by our system. We deploy known vulnerable versions of three Web applications and demonstrate that the CSP policies automatically generated by EasyCSPeasy block known attacks against these applications.