An Empirical Analysis of XSS Sanitization in Web Application Frameworks

Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin and Dawn Song

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2011-11
February 9, 2011

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2011/EECS-2011-11.pdf

Filtering or sanitization is the predominant mechanism in today’s applications to defend against cross-site scripting (XSS) attacks. XSS sanitization can be difficult to get right as it ties in closely with the parsing behavior of the browser. This paper explains some of the subtleties of ensuring correct sanitization, as well as common pitfalls. We study several emerging web application frameworks including those presently used for development of commercial web applications. We evaluate how effective these frameworks are in guarding against the common pitfalls of sanitization. We find that while some web frameworks safeguard against the empirically relevant use cases, most do not. In addition, some of the security features in present web frameworks provide a false sense of security.
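To illustrate the abstract's point that sanitization is tied to the browser's parsing behavior, here is an added example (not code from the paper or its authors) that feeds one default sanitizer, HTML-entity escaping, into three output contexts and models what the browser does next. The templates, the `show()` handler, the `attribute_value` browser step and the sample payloads are all constructed for the demonstration.

```python
import html
import re
from urllib.parse import urlparse

def html_escape(s: str) -> str:
    """HTML-entity escaping, the sanitizer most frameworks apply by default."""
    return html.escape(s, quote=True)

def js_string_escape(s: str) -> str:
    """Escape for a JS string literal: every non-alphanumeric char becomes \\xHH or \\uHHHH."""
    return "".join(c if c.isalnum() else ("\\x%02x" if ord(c) < 256 else "\\u%04x") % ord(c) for c in s)

# Three output contexts, each using the same default sanitizer (constructed templates).
def text_context(user: str) -> str:
    return f"<p>{html_escape(user)}</p>"

def href_context(user: str) -> str:
    return f'<a href="{html_escape(user)}">link</a>'

def handler_context(user: str) -> str:
    return f"""<button onclick="show('{html_escape(user)}')">go</button>"""

def handler_context_safe(user: str) -> str:
    # Layered: escape for the inner (JS string) context first, then for the outer (HTML attribute) one.
    return f"""<button onclick="show('{html_escape(js_string_escape(user))}')">go</button>"""

def attribute_value(markup: str, name: str) -> str:
    """Toy browser step (hypothetical helper): pull a double-quoted attribute and entity-decode it."""
    m = re.search(r'\b%s="([^"]*)"' % name, markup)
    return html.unescape(m.group(1)) if m else ""

def text_is_unsafe(markup: str) -> bool:
    # In HTML text context entity escaping is exactly the right tool: no tag can be formed.
    return "<script" in markup.lower()

def href_is_unsafe(markup: str) -> bool:
    # The browser decodes entities and then interprets the URL scheme; escaping changes nothing here.
    return urlparse(attribute_value(markup, "href").strip()).scheme.lower() == "javascript"

JS_CALL = re.compile(r"show\('((?:[^'\\]|\\.)*)'\)")  # the only JS the handler is meant to contain

def handler_is_unsafe(markup: str) -> bool:
    # The browser entity-decodes the attribute BEFORE the JS engine sees it, so HTML escaping is undone.
    js = attribute_value(markup, "onclick")
    return JS_CALL.fullmatch(js) is None

if __name__ == "__main__":
    print(text_is_unsafe(text_context("<script>alert(1)</script>")))   # False
    print(href_is_unsafe(href_context("javascript:alert(1)")))         # True: wrong sanitizer for a URL
    print(handler_is_unsafe(handler_context("');alert(1)//")))        # True: escaping undone by decoding
    print(handler_is_unsafe(handler_context_safe("');alert(1)//")))   # False: layered escaping survives
```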


BibTeX citation:

@techreport{Weinberger:EECS-2011-11,
    Author = {Weinberger, Joel and Saxena, Prateek and Akhawe, Devdatta and Finifter, Matthew and Shin, Richard and Song, Dawn},
    Title = {An Empirical Analysis of XSS Sanitization in Web Application Frameworks},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2011},
    Month = {Feb},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2011/EECS-2011-11.html},
    Number = {UCB/EECS-2011-11},
    Abstract = {Filtering or sanitization is the predominant mechanism in today’s applications to defend against cross-site scripting (XSS) attacks. XSS sanitization can be difficult to get right as it ties in closely with the parsing behavior of the browser. This paper explains some of the subtleties of ensuring correct sanitization, as well as common pitfalls. We study several emerging web application frameworks including those presently used for development of commercial web applications. We evaluate how effective these frameworks are in guarding against the common pitfalls of sanitization. We find that while some web frameworks safeguard against the empirically relevant use cases, most do not. In addition, some of the security features in present web frameworks provide a false sense of security.}
}

EndNote citation:

%0 Report
%A Weinberger, Joel
%A Saxena, Prateek
%A Akhawe, Devdatta
%A Finifter, Matthew
%A Shin, Richard
%A Song, Dawn
%T An Empirical Analysis of XSS Sanitization in Web Application Frameworks
%I EECS Department, University of California, Berkeley
%D 2011
%8 February 9
%@ UCB/EECS-2011-11
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2011/EECS-2011-11.html
%F Weinberger:EECS-2011-11