124 research outputs found

    Web Application Security (Dagstuhl Seminar 18321)

    No full text
    This report documents the program and the outcomes of Dagstuhl Seminar 18321 "Web Application Security". In this third seminar on the topic, a healthy mix of academics, practitioners and representatives of all major browser vendors reflected on the last decade of web security research and discussed the upcoming security challenges for the Web platform. In addition, for the first time, the list of attendees included several members of the human factors in security community, to enable broadening the web security topic towards this important facet of application security

    Online Privacy and Web Transparency (Dagstuhl Seminar 17162)

    No full text
    This report documents the program and the outcomes of Dagstuhl Seminar 17162 "Online Privacy and Web Transparency". The seminar brought 29 participants in computer science, law and policy together, coming from companies and research institutions across Europe and the US. The 2.5-days seminar had a well-filled program, with 25 research talks, followed by 7 short panel discussions, and 6 5-minute talks. Online privacy and Web transparency is a broad research field, that includes detection of privacy leaks on the Web and mobiles, measurement of tracking technologies on the Web, transparency tools to detect bias and discrimination, as well as how laws and regulations address these problems from a law research perspective, and how technical solutions can influence standards and laws

    Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies.

    No full text
    The Content Security Policy (CSP) mechanism was developed as a mitigation against script injection attacks in 2010. In this paper, we leverage the unique vantage point of the Internet Archive to conduct a historical and longitudinal analysis of how CSP deployment has evolved for a set of 10,000 highly ranked domains. In doing so, we document the long-term struggle site operators face when trying to roll out CSP for content restriction and highlight that even seemingly secure whitelists can be bypassed through expired or typo domains. Next to these new insights, we also shed light on the usage of CSP for other use cases, in particular, TLS enforcement and framing control. Here, we find that CSP can be easily deployed to fit those security scenarios, but both lack wide-spread adoption. Specifically, while the underspecified and thus inconsistently implemented X-Frame-Options header is increasingly used on the Web, CSP’s well-specified and secure alternative cannot keep up. To understand the reasons behind this, we run a notification campaign and subsequent survey, concluding that operators have often experienced the complexity of CSP (and given up), utterly unaware of the easy-to-deploy components of CSP. Hence, we find the complexity of secure, yet functional content restriction gives CSP a bad reputation, resulting in operators not leveraging its potential to secure a site against the non-original attack vectors

    Fortgeschrittene Detektion von Angriffen und Verwundbarkeiten im modernen Web

    No full text
    Today, the Web is at the center of our digital society. Unfortunately, this omnipresence also makes it a worthwhile target for attacks. Thus, security testing should be part of every web development project to identify vulnerabilities before attackers do so. To support this process, this thesis covers advanced attack and vulnerability detection techniques as part of a security scanner for the modern Web. For this, we focus on automated black-box dynamic analyses, as manual work would not scale to the size of the Web platform. We introduce four major web development trends that make scanning modern websites more challenging: complex client-side code, a blurring of involved parties, volatile content, and the use of emerging features. Consequently, we show how a modern security scanner can overcome these challenges by integrating an instrumented browser. Throughout this thesis, we present three real-life use-cases for our scanner and conduct empirical analyses on a scale of millions of websites to demonstrate its ability to detect attacks and vulnerabilities in the wild. First, we show how our scanner can be used in a preventive manner, i.e., by determining the compatibility of a defensive mechanism on websites that are not yet vulnerable. Second, we present an automated methodology to detect anti-debugging techniques that try to hinder the manual analysis of a website. Third, we investigate the abuse of WebAssembly as part of the cryptojacking phenomenon and also as a new way to write evasive malware for the Web. However, the very same technology that enables these accurate security scans can also introduce new vulnerabilities for the unwary. To account for this, we conclude this thesis with an additional study on the potential danger of using an instrumented browser within publicly exposed web applications.Das Web spielt heutzutage eine zentrale Rolle in unserer digitalen Gesellschaft. Leider macht diese Omnipräsenz es auch zu einem lukrativen Ziel für Angriffe. Um Verwundbarkeiten zu identifizieren bevor ein Angreifer diese findet, sollte das Prüfen auf Sicherheitslücken ein fester Bestandteil während der Entwicklung von Webanwendungen sein. Um diesen Prozess zu unterstützen, behandelt diese Dissertation die fortgeschrittene Erkennung von Angriffen und Verwundbarkeiten im Rahmen eines Sicherheitsscanners für das moderne Web. Dabei fokussieren wir uns auf automatische, dynamische Black-Box-Analysen, da manuelle Arbeit für die Größe der Web-Plattform nicht angemessen wäre. Wir stellen vier wichtige Webentwicklungs-Trends vor, welche das Scannen auf modern Webseiten anspruchsvoll machen: Komplexer Code auf der Client-Seite, ein Verschwimmen der involvierten Parteien, wechselhafte Inhalte und die Verwendung von neu entstehenden Funktionalitäten. Darauffolgend zeigen wir, wie ein moderner Sicherheitsscanner diese Herausforderungen überwinden kann, in dem ein instrumentierter Browser integriert wird. Im Laufe dieser Dissertation stellen wir dann drei realistische Anwendungen für unseren Scanner vor und führen empirische Studien in der Größenordnung von Millionen an Webseiten durch, was die Fähigkeit des Scanners Angriffe und Verwundbarkeiten in freier Wildbahn zu finden demonstriert. Zuerst zeigen wir wie unser Scanner als Präventivmaßnahme verwendet werden kann, indem wir die Kompatibilität eines Verteidigungsmechanismus auf Webseiten, die noch nicht verwundbar sind, messen. Danach präsentieren wir eine vollautomatische Methodik um Anti-Debugging-Techniken zu finden, die versuchen die manuelle Analyse von Webseiten zu unterbinden. Als Drittes untersuchen wir den Missbrauch der WebAssembly-Technologie als Teil des sogenannten Cryptojackings, sowie als neuen Weg um evasive Schadsoftware für das Web zu programmieren. Allerdings kann genau dieselbe Technologie, die es uns ermöglicht diese akkuraten Sicherheitsscans zu realisieren, auch in neue Verwundbarkeiten für Unachtsame resultieren. Um dies zu berücksichtigen, endet diese Dissertation mit einer zusätzlichen Studie über die potentiellen Gefahren bei der Verwendung von instrumentierten Browsern im Rahmen von öffentlich zugänglichen Web-Anwendungen

    Cleave_ExpEco_2013_Njqj - Huntington-Klein - 6o5m6

    No full text
    This is for an attempted push-button replication of Cleave, Nikiforakis, and Slonim (2013) https://link.springer.com/article/10.1007/s10683-012-9342-

    Picky Attackers

    No full text
    corecore