Securing the Tangled Web
Venue
Communications of the ACM, vol. 57, no. 9 (2014), pp. 38-47
Publication Year
2014
Authors
Christoph Kern
Abstract
Preventing script injection vulnerabilities through software design. Script
injection vulnerabilities are a bane of Web application development: deceptively
simple in cause and remedy, they are nevertheless surprisingly difficult to prevent
in large-scale Web development. Cross-site scripting (XSS) arises when insufficient
data validation, sanitization, or escaping within a Web application allows an
attacker to cause browser-side execution of malicious JavaScript in the
application's context. This injected code can then do whatever the attacker wants,
using the privileges of the victim. Exploitation of XSS bugs results in complete
(though not necessarily persistent) compromise of the victim's session with the
vulnerable application. This article provides an overview of how XSS
vulnerabilities arise and why it is so difficult to avoid them in real-world Web
application software development. Software design patterns developed at Google to
address the problem are then described.