DOI: 10.1145/3460120.3484780
Research article

12 Angry Developers - A Qualitative Study on Developers' Struggles with CSP

Published: 13 November 2021

Abstract

The Web has improved the ways we communicate, collaborate, teach, and entertain one another. However, this cornerstone of modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) can effectively mitigate the effects of XSS attacks. However, research has shown that the vast majority of policies deployed in the wild are trivially bypassable.
To uncover the root causes behind the omnipresent misconfiguration of CSP, we conducted a qualitative study with 12 real-world Web developers. By combining a semi-structured interview, a drawing task, and a programming task, we were able to identify the participants' misconceptions regarding the attacker model covered by CSP, as well as the roadblocks to secure deployment and the strategies they use to create a CSP.



Published In

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021
3558 pages
ISBN: 9781450384544
DOI: 10.1145/3460120

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. content security policy
2. roadblocks
3. usable security
4. web security

Conference

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
November 15 - 19, 2021
Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

  • Towards Security-Focused Developer Personas. Proceedings of the 13th Nordic Conference on Human-Computer Interaction, pp. 1-18, 13 Oct 2024. DOI: 10.1145/3679318.3685406
  • A Tale of Two Communities: Privacy of Third Party App Users in Crowdsourcing - The Case of Receipt Transcription. Proceedings of the ACM on Human-Computer Interaction, 7(CSCW2), pp. 1-43, 4 Oct 2023. DOI: 10.1145/3610044
  • Pareto-optimal Defenses for the Web Infrastructure: Theory and Practice. ACM Transactions on Privacy and Security, 26(2), pp. 1-36, 13 Mar 2023. DOI: 10.1145/3567595
  • Different Researchers, Different Results? Analyzing the Influence of Researcher Experience and Data Type During Qualitative Analysis of an Interview and Survey Study on Security Advice. Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, pp. 1-21, 19 Apr 2023. DOI: 10.1145/3544548.3580766
  • It's like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security. 2023 IEEE Symposium on Security and Privacy (SP), pp. 1527-1544, May 2023. DOI: 10.1109/SP46215.2023.10179320
  • Coverage and Secure Use Analysis of Content Security Policies via Clustering. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), pp. 411-428, Jul 2023. DOI: 10.1109/EuroSP57164.2023.00032
  • The Nonce-nce of Web Security: An Investigation of CSP Nonces Reuse. Computer Security. ESORICS 2023 International Workshops, pp. 459-475, 25 Sep 2023. DOI: 10.1007/978-3-031-54129-2_27
  • HTML violations and where to find them. Proceedings of the 22nd ACM Internet Measurement Conference, pp. 358-373, 25 Oct 2022. DOI: 10.1145/3517745.3561437
  • Measuring Developers' Web Security Awareness from Attack and Defense Perspectives. 2022 IEEE Security and Privacy Workshops (SPW), pp. 31-43, May 2022. DOI: 10.1109/SPW54247.2022.9833858
  • A quarter century of usable security and privacy research: transparency, tailorability, and the road ahead. Behaviour & Information Technology, 41(10), pp. 2035-2048, 2 Jun 2022. DOI: 10.1080/0144929X.2022.2080908
