This post is an overview of the paper deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation which was written as a collaboration between the UC Santa Barbara Seclab and Microsoft Research, by yours truly. I’m very excited to present this work at the 2013 ACM Conference on Computer and Communication Security in Berlin. If you’re there, please say hi! (Also, if you have suggestions of places or things to do in Europe, let me know!)
So, what is deDacota?
deDacota is my attempt to tackle the Cross-Site Scripting (XSS) problem. I know what you’re thinking, there’s been a ton of excellent research on this area. How could this work possibly be new?
Previously, we as a research community have looked at XSS vulnerabilities as a problem of lack of sanitization. Those pesky web developers (I am one, so I can say this) just can’t seem to properly sanitized the untrusted input that is output by their application.
You’d think that after all this time (at least a decade, if not more), the XSS problem would be done and solved. Just sanitize those inputs!
Hold on a minute
Well, the XSS problem is actually more complicated than it seems at first glance.
For this work, we went back and asked: What’s the root cause of XSS vulnerabilities? The answer is obvious when you think about it, and it’s not a lack of sanitization. The root cause is: the current web application model violates the basic security principle of code and data separation.
A world without XSS
That world exists now
The basic idea is that the web site sends a CSP HTTP header. This
developer can specify a set of domains where the page is allowed to
src attribute in
a <script> tag). Also, the developer can specify that there will
CSP blocks both
is blocked because the
src of the script tag is not in the CSP
allowed domain list!
That sounds amazing, sign me up
I fully believe that CSP is the future for web applications. CSP provides excellent defense-in-depth. In fact, Google has required that all new Google Chrome Extensions use CSP.
However, for existing web applications, the conversion can be, shall we say, difficult.
Wouldn’t it be great if this conversion could be done automatically?
Well, I’m glad you asked, and this is where deDacota comes in.
See, we developed an approach to automatically separate the code and data of a web application, and we enforce that separation with CSP. We implemented a prototype of this approach and wrote a paper about it.
That’s cool, how does it work?
Thanks, nice of you to ask.
First, I need to emphasize that this is a research prototype. Consider deDacota as a proof-of-concept that shows that it is possible to automatically separate the code and data of a web application.
Here I’ll try to give a very high-level description of how our approach works.
So what good is it?
I want to know more
Well, if you’ve made it all the way to the end, then I assume you do want to know more. Please, check out the full deDacota paper, and feel free to email me with any questions or follow me on Twitter: @adamdoupe. Thanks!
Extra Credit: Why deDacota? What does it mean?