ICSE 2021
Mon 17 May - Sat 5 June 2021

Cross-site scripting (XSS) is one of the most intractable security vulnerabilities in web applications. A great deal of effort has been spent on mitigating XSS, yet it remains one of the most prevalent security threats on the Internet.

This paper presents our experience with preventing DOM-based XSS in a large software development organization through a safe-by-design engineering paradigm. Our approach, named API hardening, enforces organization-wide safe coding practices. We provide a set of secure-by-design APIs to replace native DOM APIs that are prone to XSS vulnerabilities. These APIs and their implementations ensure, through a combination of type contracts and appropriate validation and escaping, that applications built on them are free of XSS vulnerabilities. We deploy a straightforward compile-time security checker to ensure that developers exclusively use our hardened APIs to interact with the DOM. We make various efforts to scale this approach to tens of thousands of software engineers without significant productivity impact. By offering rigorous tooling and consultant support, we help developers adopt the safe coding practices as seamlessly as possible. We present empirical results showing how API hardening has helped reduce the occurrence of XSS vulnerabilities in the organization’s code base over the course of a two-year deployment.
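The abstract names three ingredients: a type contract that marks HTML as safe, escaping or validation behind that contract, and a checker that refuses code touching the raw DOM sinks. The following is an added illustration of that pattern written for this page; it is not the paper's or Google's implementation, and the names SafeHtml, setInnerHtml, findBannedSinks and HtmlSink are hypothetical. HtmlSink is a minimal stand-in for a DOM element so the file runs without a browser, and the regex scan stands in for the compile-time checker, which in practice would operate on the type-checked program and exempt the hardened module itself.

```typescript
// Added example, not the paper's or Google's code. Names (SafeHtml,
// setInnerHtml, findBannedSinks, HtmlSink) are hypothetical; HtmlSink stands
// in for a DOM Element so the file runs without a browser.
interface HtmlSink {
  innerHTML: string;
}

class SafeHtml {
  // Private constructor: only code inside this class can mint a SafeHtml, so
  // holding one is evidence that the content was escaped or built from
  // literal template text. Because of the private member, a structurally
  // identical object literal does not type-check as SafeHtml.
  private constructor(readonly html: string) {}

  // Escaping step: neutralise the characters that can break out of an HTML
  // text node or a quoted attribute value.
  static escape(untrusted: string): SafeHtml {
    const escaped = untrusted
      .replace(/&/g, "&amp;")
      .replace(/</g, "&lt;")
      .replace(/>/g, "&gt;")
      .replace(/"/g, "&quot;")
      .replace(/'/g, "&#39;");
    return new SafeHtml(escaped);
  }

  // Builder: the literal chunks of a tagged template are written by the
  // developer and therefore trusted; every interpolated value is escaped
  // unless it is already SafeHtml.
  static template(
    strings: TemplateStringsArray,
    ...values: Array<string | SafeHtml>
  ): SafeHtml {
    let out = "";
    values.forEach((v, i) => {
      out += strings[i];
      out += v instanceof SafeHtml ? v.html : SafeHtml.escape(v).html;
    });
    out += strings[values.length];
    return new SafeHtml(out);
  }
}

// Hardened replacement for the innerHTML sink. The type contract rejects a
// plain string, so  setInnerHtml(el, "<b>" + name + "</b>")  fails to
// compile; the only way in is through SafeHtml.escape or SafeHtml.template.
function setInnerHtml(el: HtmlSink, html: SafeHtml): void {
  el.innerHTML = html.html;
}

// Vulnerable "before": attacker-controlled text concatenated into the native
// sink. Returns the resulting markup so it can be inspected.
function renderGreetingUnsafe(el: HtmlSink, userName: string): string {
  el.innerHTML = "<b>Hello, " + userName + "</b>";
  return el.innerHTML;
}

// Hardened "after": the same feature, written only against the hardened API.
function renderGreetingSafe(el: HtmlSink, userName: string): string {
  setInnerHtml(el, SafeHtml.template`<b>Hello, ${userName}</b>`);
  return el.innerHTML;
}

// Stand-in for the compile-time checker: a line-oriented scan that reports
// direct writes to a few native DOM sinks. A production checker would work on
// the type-checked AST and exempt the hardened module itself; this one only
// illustrates the policy "every DOM write goes through the hardened API".
const BANNED_SINKS: RegExp[] = [
  /\.innerHTML\s*=/,
  /\.outerHTML\s*=/,
  /\bdocument\.write(ln)?\s*\(/,
  /\binsertAdjacentHTML\s*\(/,
];

function findBannedSinks(source: string): string[] {
  return source
    .split("\n")
    .map((line, i) => ({ n: i + 1, line }))
    .filter(({ line }) => BANNED_SINKS.some((re) => re.test(line)))
    .map(({ n, line }) => `${n}: ${line.trim()}`);
}

// Constructed payload for the demonstration (not taken from the paper).
const XSS_PAYLOAD = '<img src=x onerror="alert(1)">';
```

With the constructed payload, renderGreetingUnsafe leaves the img tag intact in the markup, while renderGreetingSafe emits `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;` inside the bold element. The point of the private constructor is that the compiler, not a reviewer, enforces the contract: application code has no way to produce a SafeHtml except through the escaping or builder paths, and the scan catches any code that bypasses setInnerHtml and writes to the native sink directly.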

Thu 27 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

20:50 - 21:50
3.6.1. Security Vulnerabilities: Different Domains (Technical Track) at Blended Sessions Room 1
Chair(s): Davide Fucci (Blekinge Institute of Technology)

20:50 (20m) Paper, Technical Track
Containing Malicious Package Updates in npm with a Lightweight Permission System
Gabriel Ferreira (Carnegie Mellon University), Limin Jia (Carnegie Mellon University), Joshua Sunshine (Carnegie Mellon University), Christian Kästner (Carnegie Mellon University)

21:10 (20m) Paper, Technical Track (Artifact Available, Artifact Reusable)
Too Quiet in the Library: An Empirical Study of Security Updates in Android Apps’ Native Code
Sumaya Almanee (University of California, Irvine), Arda Ünal (University of California, Irvine), Mathias Payer (EPFL), Joshua Garcia (University of California, Irvine)

21:30 (20m) Paper, Technical Track
If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening
Pei Wang (Google), Julian Bangert (Google), Christoph Kern (Google)
