Sciweavers

CCS
2011
ACM

SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications

13 years 12 days ago
SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications
We empirically analyzed sanitizer use in a shipping web application with over 400,000 lines of code and over 23,244 methods, the largest empirical analysis of sanitizer use of which we are aware. Our analysis reveals two novel classes of errors: context-mismatched sanitization and inconsistent multiple sanitization. Both of these arise not because sanitizers are incorrectly implemented, but rather because they are not placed in code correctly. Much of the work on crosssite scripting detection to date has focused on finding missing sanitizers in programs of average size. In large legacy applications, other sanitization issues leading to cross-site scripting emerge. To address these errors, we propose ScriptGard, a system for ASP.NET applications which can detect and repair the incorrect placement of sanitizers. ScriptGard serves both as a testing aid to developers as well as a runtime mitigation technique. While mitigations for cross site scripting attacks have seen intense prior rese...
Prateek Saxena, David Molnar, Benjamin Livshits
Added 13 Dec 2011
Updated 13 Dec 2011
Type Journal
Year 2011
Where CCS
Authors Prateek Saxena, David Molnar, Benjamin Livshits
Comments (0)