ICSE 2021
Mon 17 May - Sat 5 June 2021

Cross-site scripting (XSS) is one of the most intractable security vulnerabilities in web applications. A great deal of effort has been spent on mitigating XSS, yet it remains one of the most prevalent security threats on the Internet.

This paper presents our experience with preventing DOM-based XSS in a large software development organization through a safe-by-design engineering paradigm. Our approach, named API hardening, enforces organization-wide safe coding practices. We provide a set of secure-by-design APIs to replace the native DOM APIs that are prone to XSS vulnerabilities. These APIs and their implementations ensure, through a combination of type contracts and appropriate validation and escaping, that applications built on them are free of XSS vulnerabilities. We deploy a straightforward compile-time security checker to ensure that developers exclusively use our hardened APIs to interact with the DOM. We make various efforts to scale this approach to tens of thousands of software engineers without significant productivity impact. By offering rigorous tooling and consultant support, we help developers adopt the safe coding practices as seamlessly as possible. We present empirical results showing how API hardening has helped reduce the occurrences of XSS vulnerabilities in the organization's code base over the course of a two-year deployment.
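The abstract describes three pieces that work together: a type contract that marks values as safe for a DOM sink, constructors that produce such values only through escaping, and a compile-time check that rejects direct use of the native sink. The following TypeScript is an added illustration of that design for the innerHTML sink, not code from the paper or its organization; the branded SafeHtml type, the htmlEscape and safeHtmlTemplate constructors, the setInnerHtml wrapper and the regex-based findForbiddenSinks checker are all hypothetical stand-ins for the paper's real library and compiler plugin.

```typescript
// Type contract: a SafeHtml value carries a brand that ordinary strings lack,
// so only the constructors in this file can produce one (assumed design).
declare const safeHtmlBrand: unique symbol;
type SafeHtml = { readonly [safeHtmlBrand]: true; readonly html: string };

function markSafe(html: string): SafeHtml {
  return { html } as SafeHtml; // private: callers outside this file never cast
}

const ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Constructor 1: untrusted text becomes SafeHtml by escaping every
// character that could open markup or break out of an attribute.
function htmlEscape(text: string): SafeHtml {
  return markSafe(text.replace(/[&<>"']/g, (c) => ESCAPES[c]));
}

// Constructor 2: literal template parts are trusted (they are program
// text); interpolated strings are escaped, SafeHtml values pass through.
function safeHtmlTemplate(strings: TemplateStringsArray, ...values: Array<SafeHtml | string>): SafeHtml {
  let out = "";
  strings.forEach((part, i) => {
    out += part;
    if (i < values.length) {
      const v = values[i];
      out += typeof v === "string" ? htmlEscape(v).html : v.html;
    }
  });
  return markSafe(out);
}

// Hardened sink: the only sanctioned way to write HTML into an element.
// HtmlSink is a constructed stand-in for Element so this runs outside a browser.
interface HtmlSink { innerHTML: string }
function setInnerHtml(el: HtmlSink, html: SafeHtml): void {
  el.innerHTML = html.html; // this file is the allowlisted implementation
}

// Compile-time check (simplified): report source lines that touch native
// sinks directly, so code bypassing the hardened API fails the build.
const FORBIDDEN_SINKS = [/\.innerHTML\s*=/, /\.outerHTML\s*=/, /\bdocument\.write\s*\(/];
function findForbiddenSinks(source: string): number[] {
  const hits: number[] = [];
  source.split("\n").forEach((line, i) => {
    if (FORBIDDEN_SINKS.some((re) => re.test(line))) hits.push(i + 1);
  });
  return hits;
}
```

In a real deployment the hardened library file itself is exempt from the checker, and the checker runs as a compiler plugin rather than a regex scan.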

Conference Day
Thu 27 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

20:50 - 21:50
3.6.1. Security Vulnerabilities: Different Domains (Technical Track) at Blended Sessions Room 1 (+12h)
Chair(s): Davide Fucci, Blekinge Institute of Technology
20:50
20m
Paper
Containing Malicious Package Updates in npm with a Lightweight Permission System (Technical Track)
Gabriel Ferreira (Carnegie Mellon University), Limin Jia (Carnegie Mellon University), Joshua Sunshine (Carnegie Mellon University), Christian Kästner (Carnegie Mellon University)
Pre-print, Media Attached
21:10
20m
Paper
Too Quiet in the Library: An Empirical Study of Security Updates in Android Apps' Native Code (Technical Track; Artifact Reusable, Artifact Available)
Sumaya Almanee (University of California, Irvine), Arda Ünal (University of California, Irvine), Mathias Payer (EPFL), Joshua Garcia (University of California, Irvine)
Link to publication, DOI, Pre-print, Media Attached
21:30
20m
Paper
If It's Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening (Technical Track)
Pre-print, Media Attached

Conference Day
Fri 28 May
