
DiffCSP: Finding Browser Bugs in Content Security Policy Enforcement through Differential Testing

conference contribution
posted on 2024-05-15, 10:47 authored by Seongil Wi, Trung Tin Nguyen, Jiwhan Kim, Ben Stock, Sooel Son
The Content Security Policy (CSP) is one of the de facto security mechanisms that mitigate web threats. Many websites have been deploying CSPs mainly to mitigate cross-site scripting (XSS) attacks by instructing client browsers to constrain JavaScript (JS) execution. However, a browser bug in CSP enforcement enables an adversary to bypass a deployed CSP, posing a security threat. As the CSP specification evolves, CSP becomes more complicated in supporting an increasing number of directives, which brings additional complexity to implementing correct enforcement behaviors. Unfortunately, finding CSP enforcement bugs in a systematic way has been largely understudied. In this paper, we propose DiffCSP, the first differential testing framework to find CSP enforcement bugs regarding JS execution. DiffCSP generates CSPs and a comprehensive set of HTML instances that exhibit all known ways of executing JS snippets. DiffCSP then executes each HTML instance for each generated policy across different browsers, thereby collecting inconsistent execution results. To analyze a large volume of the execution results, we leverage a decision tree and identify common causes of the observed inconsistencies. We demonstrate the efficacy of DiffCSP by finding 29 security bugs and eight functional bugs. We also show that three bugs are due to unclear descriptions of the CSP specification. We further identify the common root causes of CSP enforcement bugs, such as incorrect CSP inheritance and hash handling. Moreover, we confirm the risky trend of client browsers deriving completely different interpretations from the same CSPs, which raises security concerns. Our study demonstrates the effectiveness of DiffCSP for identifying CSP enforcement bugs, and our findings contributed to patching six security bugs in major browsers, including Chrome and Safari.
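A minimal differential-testing harness in the spirit of the approach described above, added here as an illustration and not the authors' DiffCSP code: it builds the (policy, HTML instance) matrix, compares per-browser execution verdicts, and reports the cases on which browsers disagree together with a simplified script-src oracle. The HTML instances, policies, browser names ("browser_a", "browser_b") and the oracle's rules are constructed and simplified assumptions, not the paper's.

```python
from itertools import product
# Ways a page can execute JS, one HTML instance each (constructed sample).
HTML_INSTANCES = {
    "inline_script": "<script>window.ran = 1</script>",
    "nonce_script": '<script nonce="abc123">window.ran = 1</script>',
    "external_script": '<script src="https://cdn.example/x.js"></script>',
    "event_handler": '<img src="x" onerror="window.ran = 1">',
    "eval": '<script nonce="abc123">eval("window.ran = 1")</script>',
}
# Generated policies to pair with every instance (constructed sample).
POLICIES = [
    "script-src 'none'",
    "script-src 'unsafe-inline'",
    "script-src 'nonce-abc123'",
    "script-src https://cdn.example",
    "script-src 'nonce-abc123' 'unsafe-eval'",
]
def test_matrix():
    """Every (policy, instance) pair; each pair is loaded in each browser."""
    return list(product(POLICIES, HTML_INSTANCES))
def expected_to_run(policy, instance):
    """Simplified oracle for script-src-only policies (assumption: exact
    host match, no hashes, 'unsafe-inline' ignored once a nonce is present)."""
    src = set(policy.partition("script-src")[2].split())
    has_nonce = any(s.startswith("'nonce-") for s in src)
    inline_ok = "'unsafe-inline'" in src and not has_nonce
    nonce_ok = "'nonce-abc123'" in src or inline_ok
    if instance in ("inline_script", "event_handler"):
        return inline_ok
    if instance == "nonce_script":
        return nonce_ok
    if instance == "external_script":
        return "https://cdn.example" in src
    return nonce_ok and "'unsafe-eval'" in src  # the "eval" instance
def find_inconsistencies(results):
    """results: {browser: {(policy, instance): ran}} -> disagreeing cases,
    each with the per-browser verdicts and the oracle's expectation."""
    out = []
    for case in test_matrix():
        verdicts = {b: results[b][case] for b in sorted(results)}
        if len(set(verdicts.values())) > 1:
            out.append((case, verdicts, expected_to_run(*case)))
    return out
def simulated_results():
    """Constructed verdicts: browser_a follows the oracle; browser_b gets one
    deliberate deviation (eval runs under a nonce-only policy) to report."""
    a = {c: expected_to_run(*c) for c in test_matrix()}
    b = dict(a)
    b[("script-src 'nonce-abc123'", "eval")] = True
    return {"browser_a": a, "browser_b": b}
```

In a real run the verdict dictionaries would be filled by loading each instance in each browser and reading back the `window.ran` marker; the oracle only helps triage which browser deviates once a disagreement is found.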

History

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Network and Distributed System Security Symposium (NDSS)

Journal

NDSS

BibTeX

@conference{Wi:Nguyen:Kim:Stock:Son:2023,
  title = "DiffCSP: Finding Browser Bugs in Content Security Policy Enforcement through Differential Testing",
  author = "Wi, Seongil and Nguyen, Trung Tin and Kim, Jiwhan and Stock, Ben and Son, Sooel",
  year = 2023,
  month = 2,
  journal = "NDSS"
}
