If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening

Julian Bangert
Proceedings of the 43rd International Conference on Software Engineering (ICSE '21), IEEE (2021)

Abstract

Cross-site scripting (XSS) is one of the most intractable security vulnerabilities in web applications. Tons of efforts have been spent to mitigate XSS, yet it remains one of the most prevalent security threats on the Internet. Decades of exploitation and remediation demonstrated that code inspection and testing does not ensure the absence of XSS vulnerabilities in complex web applications with a high degree of confidence.

This paper introduces Google's secure-by-design engineering paradigm that effectively prevents DOM-based XSS vulnerabilities in large-scale web development. Our approach, named API hardening, enforces a series of company-wide secure coding practices. We provide a set of secure APIs to replace native DOM APIs that are prone to XSS vulnerabilities. Through a combination of type contracts and appropriate validation and escaping, the secure APIs ensure that applications based thereon are free of XSS vulnerabilities. We deploy a simple yet capable compile-time checker to guarantee that developers exclusively use our hardened APIs to interact with the DOM. We make various of efforts to scale this approach to tens of thousands of Google engineers without significant productivity impact. By offering rigorous tooling and consultant support, we help developers adopt the secure coding practices as seamlessly as possible. We present empirical results showing how API hardening has helped reduce the occurrences of XSS vulnerabilities in Google's enormous code base over the course of two-year deployment.