Much of the work on cross-site scripting detection to date has focused on finding missing sanitizers in programs of average size. This, however, is just the tip of the iceberg, as we have discovered by working with very large applications. When it comes to very large legacy applications, other kinds of sanitization issues leading to cross-site scripting emerge.
We empirically analyzed sanitizer use in a shipping web application with over 400,000 lines of code and over 23,244 methods, the largest empirical analysis of sanitizer use of which we are aware. Our analysis reveals two novel classes of errors: context-mismatched sanitization and inconsistent multiple sanitization. Both of these arise not because sanitizers are incorrectly implemented, but rather because they are not placed in code correctly.
To address these errors, we propose ScriptGard, a system for ASP.NET applications which can detect and repair the incorrect placement of sanitizers. ScriptGard serves both as a testing aid to developers as well as a runtime mitigation technique. While mitigations for cross-site scripting attacks have seen intense prior research, none of the previous approaches consider both server and browser context, none of them achieve the same degree of precision, and many other mitigation techniques require major changes to server side code or to browsers. Our approach, in contrast, can be incrementally retrofitted to legacy systems with no changes to the source code and no browser changes. With our optimizations, when used for mitigation, ScriptGard incurs virtually no statistically significant overhead.
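The two error classes named above, and the kind of placement check ScriptGard performs, can be illustrated with a small model of sanitizer placement auditing. This is an added example written for this page, not ScriptGard's code and not the ASP.NET encoders: the two sanitizers are simplified stand-ins (the JS string encoder is assumed, like several real ones, not to escape `<`, `>` or `&`), the sink contexts and the per-context required chains are assumptions of the model, and the probe string and sample paths are constructed. A path is the sink's browser context plus the sequence of sanitizers applied on the way there; the audit classifies it and, by emulating the browser's decoding order at the sink, reports which structural characters would survive the chain.

```python
import html
from typing import Callable, Dict, List, Tuple

Sanitizer = Callable[[str], str]


def html_encode(s: str) -> str:
    # Stand-in for an HTML body/attribute encoder: neutralises & < > " '
    return html.escape(s, quote=True)


def js_string_encode(s: str) -> str:
    # Stand-in for a JavaScript string-literal encoder; assumption: like several
    # real encoders it escapes backslash, quotes and line breaks but NOT < > &
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n", "\r": "\\r"}
    return "".join(table.get(c, c) for c in s)


# Sanitizer chain each sink context requires, in application order (assumed
# model). For a JS string inside an event-handler attribute the browser
# HTML-decodes the attribute first and parses JavaScript second, so the JS
# encoder must be applied first and the HTML encoder last.
REQUIRED: Dict[str, List[Sanitizer]] = {
    "html_body": [html_encode],
    "html_attr": [html_encode],
    "js_string": [js_string_encode],
    "js_string_in_attr": [js_string_encode, html_encode],
}

# Constructed probe of structural characters (not an attack string); a correct
# chain must leave none of them able to act as a delimiter at the sink.
PROBE = "\n'\"<>&\\"


def apply_chain(chain: List[Sanitizer], value: str) -> str:
    for sanitizer in chain:
        value = sanitizer(value)
    return value


def js_string_leaks(s: str) -> List[str]:
    """Characters that would still terminate or extend a JS string literal."""
    leaks, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\":
            if i + 1 == len(s):
                leaks.append("\\")  # trailing backslash would swallow the closing quote
            i += 2  # an escaped character is inert
            continue
        if c in "'\"\n\r":
            leaks.append(c)
        i += 1
    return leaks


def html_leaks(s: str, context: str) -> List[str]:
    delimiters = "<" if context == "html_body" else "<\"'"
    return [c for c in delimiters if c in s]


def leaks_at_sink(context: str, rendered: str) -> List[str]:
    """Emulate the browser's decoding order for the context, then look for raw delimiters."""
    if context == "js_string_in_attr":
        return js_string_leaks(html.unescape(rendered))  # HTML decode, then JS parse
    if context == "js_string":
        return js_string_leaks(rendered)
    return html_leaks(rendered, context)


def classify(context: str, applied: List[Sanitizer]) -> str:
    required = REQUIRED[context]
    if not applied:
        return "missing sanitizer"
    if applied == required:
        return "correct"
    if set(applied) == set(required):
        return "inconsistent multiple sanitization"  # right sanitizers, wrong order or count
    return "context-mismatched sanitization"  # a sanitizer meant for a different context


def audit_path(context: str, applied: List[Sanitizer]) -> Tuple[str, List[str]]:
    """Return (verdict, delimiters that survive the chain) for one sink path."""
    return classify(context, applied), leaks_at_sink(context, apply_chain(applied, PROBE))


# Constructed sample paths: (sink context, sanitizers the code applied on the way there)
SAMPLE_PATHS = [
    ("html_body", [html_encode]),
    ("js_string", [html_encode]),
    ("html_body", [js_string_encode]),
    ("js_string_in_attr", [html_encode, js_string_encode]),
    ("js_string_in_attr", [js_string_encode, html_encode]),
    ("html_body", [html_encode, html_encode]),
]


def audit_all() -> List[Tuple[str, str, List[str]]]:
    return [(ctx, *audit_path(ctx, chain)) for ctx, chain in SAMPLE_PATHS]


if __name__ == "__main__":
    for ctx, verdict, leaks in audit_all():
        print(f"{ctx:18} {verdict:36} surviving delimiters: {leaks!r}")
```

Two of the sample paths show why placement, not sanitizer correctness, is the issue: the HTML encoder is a correct sanitizer, yet on the `js_string` path it leaves a line break and a trailing backslash intact, and on the `js_string_in_attr` path the same two sanitizers applied in the wrong order leave both quote characters raw once the browser has HTML-decoded the attribute. The double-encoded `html_body` path survives the delimiter check but is still flagged, since redundant sanitization corrupts output even when it does not enable script injection.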
We performed our security testing on a set of 53 large web pages derived from 7 sub-applications built on top of our test application. Out of 25,209 total paths exercised, we found context-mismatched sanitization on 1,207 paths ScriptGard analyzed, 4.7% of the total paths exercised. We observed 285 additional instances of inconsistent multiple sanitization.