Visible to the public If It's Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening

TitleIf It's Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening
Publication TypeConference Paper
Year of Publication2021
AuthorsWang, Pei, Bangert, Julian, Kern, Christoph
Conference Name2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)
Date Publishedmay
KeywordsAPI, APIs, Application program interface, application program interfaces, Application Programming Interface (API), composability, compositionality, cross-site scripting, empirical software engineering, encoding, language based security, pubcrawl, resilience, Resiliency, security, Software, software engineering, Testing, web security, Writing
AbstractWith tons of efforts spent on its mitigation, Cross-site scripting (XSS) remains one of the most prevalent security threats on the internet. Decades of exploitation and remediation demonstrated that code inspection and testing alone does not eliminate XSS vulnerabilities in complex web applications with a high degree of confidence. This paper introduces Google's secure-by-design engineering paradigm that effectively prevents DOM-based XSS vulnerabilities in large-scale web development. Our approach, named API hardening, enforces a series of company-wide secure coding practices. We provide a set of secure APIs to replace native DOM APIs that are prone to XSS vulnerabilities. Through a combination of type contracts and appropriate validation and escaping, the secure APIs ensure that applications based thereon are free of XSS vulnerabilities. We deploy a simple yet capable compile-time checker to guarantee that developers exclusively use our hardened APIs to interact with the DOM. We make various of efforts to scale this approach to tens of thousands of engineers without significant productivity impact. By offering rigorous tooling and consultant support, we help developers adopt the secure coding practices as seamlessly as possible. We present empirical results showing how API hardening has helped reduce the occurrences of XSS vulnerabilities in Google's enormous code base over the course of two-year deployment.
Citation Keywang_if_2021