CSPAutoGen: Black-box enforcement of content security policy upon real-world websites

Xiang Pan, Yinzhi Cao, Shuangping Liu, Yu Zhou, Yan Chen, Tingzhe Zhou

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

18 Scopus citations

Abstract

Content security policy (CSP), which has been standardized by W3C and adopted by all major commercial browsers, is one of the most promising approaches for defending against cross-site scripting (XSS) attacks. Although client-side adoption of CSP is successful, server-side adoption is far behind the client side: according to a large-scale survey, less than 0.002% of Alexa Top 1M websites enabled CSP. To facilitate the adoption of CSP, we propose CSPAutoGen to enable CSP in real time, without server modifications, while remaining compatible with real-world websites. Specifically, CSPAutoGen trains so-called templates for each domain, generates CSPs based on the templates, rewrites incoming webpages on the fly to apply those generated CSPs, and then serves those rewritten webpages to client browsers. CSPAutoGen is designed to automatically enforce the most secure and strict version of CSP without enabling "unsafe-inline" and "unsafe-eval", i.e., CSPAutoGen can handle all the inline and dynamic scripts. We have implemented a prototype of CSPAutoGen, and our evaluation shows that CSPAutoGen can correctly render all the Alexa Top 50 websites. Moreover, we conduct extensive case studies on five popular websites, indicating that CSPAutoGen can preserve the behind-the-login functionalities, such as sending emails and posting comments. Our security analysis shows that CSPAutoGen is able to defend against all the tested real-world XSS attacks.

Original language: English (US)
Title of host publication: CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 653-665
Number of pages: 13
ISBN (Electronic): 9781450341394
DOIs
State: Published - Oct 24 2016
Event: 23rd ACM Conference on Computer and Communications Security, CCS 2016 - Vienna, Austria
Duration: Oct 24 2016 to Oct 28 2016

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
Volume: 24-28-October-2016
ISSN (Print): 1543-7221

Other

Other: 23rd ACM Conference on Computer and Communications Security, CCS 2016
Country: Austria
City: Vienna
Period: 10/24/16 to 10/28/16

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
