Anmelden
Literatur vom gleichen Autor/der gleichen Autor*in
plus bei Google Scholar
Bibliografische Daten exportieren		  

Trust Me If You Can : How Usable Is Trusted Types In Practice?

Titelangaben

Roth, Sebastian ; Gröber, Lea ; Baus, Philipp ; Krombholz, Katharina ; Stock, Ben:
Trust Me If You Can : How Usable Is Trusted Types In Practice?
2024
Veranstaltung: 33rd USENIX Security Symposium , 14.-16.08.2024 , Philadelphia, PA.
(Veranstaltungsbeitrag: Kongress/Konferenz/Symposium/Tagung , Paper )

Abstract

Many online services deal with sensitive information such as credit card data, making those applications a prime target for adversaries, e.g., through Cross-Site Scripting (XSS) attacks. Moreover, Web applications nowadays deploy their functionality via client-side code to lower the server's load, require fewer page reloads, and allow Web applications to work even if the connection is interrupted. Given this paradigm shift of increasing complexity on the browser side, client-side security issues such as client-side XSS are getting more prominent these days. A solution already deployed in server-side applications of major companies like Google is to use type-safe data, where potentially attacker-controlled string data can never be output with sanitization. The newly introduced Trusted Types API offers an analogous solution for client-side XSS. With Trusted Types, the browser enforces that no input can be passed to an execution sink without being sanitized first. Thus, a developer's only remaining task -- in theory -- is to create a proper sanitizer. This study aims to uncover roadblocks that occur during the deployment of the mechanism and strategies on how developers can circumvent those problems by conducting a semi-structured interview, including a coding task with 13 real-world Web developers. Our work also identifies key weaknesses in the design and documentation of Trusted Types, which we urge the standardization body to incorporate before the Trusted Types becomes a standard.

Weitere Angaben

Publikationsform: Veranstaltungsbeitrag (Paper)
Begutachteter Beitrag: Ja
Institutionen der Universität: Fakultäten > Fakultät für Mathematik, Physik und Informatik
Fakultäten > Fakultät für Mathematik, Physik und Informatik > Institut für Informatik
Titel an der UBT entstanden: Nein
Themengebiete aus DDC: 000 Informatik,Informationswissenschaft, allgemeine Werke
000 Informatik,Informationswissenschaft, allgemeine Werke > 004 Informatik
Eingestellt am: 20 Jan 2025 07:47
Letzte Änderung: 20 Jan 2025 08:43
URI: https://eref.uni-bayreuth.de/id/eprint/91460