CISPA
Trust Me If You Can – How Usable Is Trusted Types In Practice?

conference contribution
posted on 2024-05-15, 10:46 authored by Sebastian Roth, Lea Gröber, Philip Baus, Katharina Krombholz, Ben Stock
Many online services deal with sensitive information such as credit card data, making those applications a prime target for adversaries, e.g., through Cross-Site Scripting (XSS) attacks. Moreover, Web applications nowadays deploy their functionality via client-side code to lower the server’s load, require fewer page reloads, and allow Web applications to work even if the connection is interrupted. Given this paradigm shift of increasing complexity on the browser side, client-side security issues such as client-side XSS are getting more prominent these days. A solution already deployed in server-side applications of major companies like Google is to use type-safe data, where potentially attacker-controlled string data can never be output without sanitization. For client-side XSS, an analogous solution is offered by the newly introduced Trusted Types API. With Trusted Types, the browser enforces that no input can be passed to an execution sink without having been sanitized first. Thus, the only remaining task – in theory – for a developer is to create a proper sanitizer. This study aims to uncover roadblocks that occur during the deployment of the mechanism, as well as strategies on how developers can circumvent those problems, by conducting a semi-structured interview including a coding task with 13 real-world Web developers. Our work also identifies key weaknesses in the design and documentation of Trusted Types, which we urge the standardization body to incorporate before Trusted Types becomes a standard.
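The contract the abstract describes, as an added illustration that is not part of the paper or its artifacts: under a `Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-html` header, DOM sinks such as `innerHTML` reject plain strings and accept only `TrustedHTML` values minted by a registered policy, so the sanitizer inside the policy is the one piece the developer still has to get right. Node has no `trustedTypes` global, so the `TrustedHTML` class, the `createPolicy` shim and the `assignInnerHTML` sink below are assumed stand-ins that model the browser's two rules (sinks reject strings, only policies mint values), not the real API.

```javascript
// Stand-in for the browser's opaque TrustedHTML type (assumption, not the real API).
class TrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

// Stand-in for window.trustedTypes.createPolicy: every createHTML call goes
// through the policy's rule, so the rule is the only place sanitization happens.
const trustedTypesShim = {
  createPolicy(name, rules) {
    return {
      name,
      createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))),
    };
  },
};

// The "one remaining task" the abstract mentions: the sanitizer. This one is a
// deliberately narrow allowlist for the demo: escape everything, then re-allow
// only <b> and </b>. Event-handler attributes and other tags never survive.
function sanitizeHtml(untrusted) {
  const escaped = untrusted
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
  return escaped.replace(/&lt;(\/?)b&gt;/g, '<$1b>');
}

// The application registers one policy; its name ('app-html') must also be
// listed in the CSP trusted-types directive or the browser refuses to create it.
const appPolicy = trustedTypesShim.createPolicy('app-html', { createHTML: sanitizeHtml });

// Models an enforcing innerHTML sink: a raw string is a TypeError, exactly the
// failure a developer hits when migrating existing code to Trusted Types.
function assignInnerHTML(element, value) {
  if (!(value instanceof TrustedHTML)) {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  element.innerHTML = String(value);
  return element.innerHTML;
}

// Typical application code: route user content through the policy, then the sink.
function renderUserContent(element, untrusted) {
  return assignInnerHTML(element, appPolicy.createHTML(untrusted));
}
```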

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Usenix Security Symposium (USENIX-Security)

Journal

USENIX Security Symposium

BibTeX

@conference{Roth:Gröber:Baus:Krombholz:Stock:2024,
  title   = "Trust Me If You Can – How Usable Is Trusted Types In Practice?",
  author  = "Roth, Sebastian and Gröber, Lea and Baus, Philip and Krombholz, Katharina and Stock, Ben",
  year    = 2024,
  month   = 8,
  journal = "USENIX Security Symposium"
}
