
12 Angry Developers -- A Qualitative Study on Developers' Struggles with CSP

conference contribution
posted on 2023-11-29, 18:17 authored by Sebastian Roth, Lea Gröber, Michael Backes, Katharina Krombholz, Ben Stock
The Web has improved our ways of communicating, collaborating, teaching, and entertaining us and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) is capable of effectively mitigating the effect of such Cross-Site Scripting attacks. However, research has shown that the vast majority of all policies in the wild are trivially bypassable. To uncover the root causes behind the omnipresent misconfiguration of CSP, we conducted a qualitative study involving 12 real-world Web developers. By combining a semi-structured interview, a drawing task, and a programming task, we were able to identify the participants' misconceptions regarding the attacker model covered by CSP, as well as roadblocks for secure deployment and the strategies used to create a CSP.

History

Preferred Citation

Sebastian Roth, Lea Gröber, Michael Backes, Katharina Krombholz and Ben Stock. 12 Angry Developers -- A Qualitative Study on Developers' Struggles with CSP. In: ACM Conference on Computer and Communications Security (CCS). 2021.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

ACM Conference on Computer and Communications Security (CCS)

Legacy Posted Date

2021-08-11

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3463,
  title     = "12 Angry Developers -- A Qualitative Study on Developers' Struggles with CSP",
  author    = "Roth, Sebastian and Gröber, Lea and Backes, Michael and Krombholz, Katharina and Stock, Ben",
  booktitle = "{ACM Conference on Computer and Communications Security (CCS)}",
  year      = "2021",
}
