694 research outputs found

    How to design browser security and privacy alerts

    Get PDF
    Browser security and privacy alerts must be designed to ensure they are of value to the end-user, and communicate risks efficiently. We performed a systematic literature review, producing a list of guidelines from the research. Papers were analysed quantitatively and qualitatively to formulate a comprehensive set of guidelines. Our findings seek to provide developers and designers with guidance as to how to construct security and privacy alerts. We conclude by providing an alert template, highlighting its adherence to the derived guidelines

    Hardening the security analysis of browser extensions

    Get PDF
    Browser extensions boost the browsing experience by a range of features from automatic translation and grammar correction to password management, ad blocking, and remote desktops. Yet the power of extensions poses significant privacy and security challenges because extensions can be malicious and/or vulnerable. We observe that there are gaps in the previous work on analyzing the security of browser extensions and present a systematic study of attack entry points in the browser extension ecosystem. Our study reveals novel password stealing, traffic stealing, and inter-extension attacks. Based on a combination of static and dynamic analysis we show how to discover extension attacks, both known and novel ones, and study their prevalence in the wild. We show that 1,349 extensions are vulnerable to inter-extension attacks leading to XSS. Our empirical study uncovers a remarkable cluster of "New Tab"extensions where 4,410 extensions perform traffic stealing attacks. We suggest several avenues for the countermeasures against the uncovered attacks, ranging from refining the permission model to mitigating the attacks by declarations in manifest files

    Policy-agnostic programming on the client-side

    Get PDF
    Browser security has become a major concern especially due to web pages becoming more complex. These web applications handle a lot of information, including sensitive data that may be vulnerable to attacks like data exfiltration, cross-site scripting (XSS), etc. Most modern browsers have security mechanisms in place to prevent such attacks but they still fall short in preventing more advanced attacks like evolved variants of data exfiltration. Moreover, there is no standard that is followed to implement security into the browser. A lot of research has been done in the field of information flow security that could prove to be helpful in solving the problem of securing the client-side. Policy- agnostic programming is a programming paradigm that aims to make implementation of information flow security in real world systems more flexible. In this paper, we explore the use of policy-agnostic programming on the client-side and how it will help prevent common client-side attacks. We verify our results through a client-side salary management application. We show a possible attack and how our solution would prevent such an attack

    09141 Abstracts Collection -- Web Application Security

    Get PDF
    From 29th March to 3rd April 2009 the Dagstuhl Seminar 09141 Web Application Security was held in Schloss Dagstuhl -- Leibniz Center for Informatics. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar are put together in this paper. Links to full papers (if available) are provided in the corresponding seminar summary document

    Securing the Next Generation Web

    Get PDF
    With the ever-increasing digitalization of society, the need for secure systems is growing. While some security features, like HTTPS, are popular, securing web applications, and the clients we use to interact with them remains difficult.To secure web applications we focus on both the client-side and server-side. For the client-side, mainly web browsers, we analyze how new security features might solve a problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP)\ua0 directive navigate-to. In our research, we find that it does introduce new vulnerabilities, to which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting where\ua0 there is no access to the source code is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We\ua0 accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to\ua0 further improve the coverage and vulnerability detection rate of scanners.In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. AdBlockers and password\ua0 managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new\ua0 static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions\ua0 solely based on the meta-data of downloads over time. We analyze new attack vectors introduced by Google’s new vehicle OS, Android Automotive. This\ua0 is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability. Furthermore, we\ua0 create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found

    The Security Analysis of Browser Extensions

    Get PDF
    Paljud tänapäevased brauserid võimaldavad funktsionaalsuse lisamist või muutmist laienduste kaudu. Rohkete võimaluste tõttu on laiendused muutunud kasutajate hulgas populaarseks ja see on toonud kaasa uued ründevektorid, mis ohustavad kasutajate turvalisust. Töös analüüsime populaarsemate veebibrauserite laienduste turvaarhitektuuri. Vaatleme Firefox 3.6, Google Chrome 5.0.360 ja Internet Explorer 8 laienduste ehitust ja nende turvalisust. Töö annab ülevaate vastavate brauserite laienduste arhitektuurilisest turvalisusest ja kirjeldab võimalikke ründevektoreid. Selgitame, kuidas on vastavate veebibrauserite koodiruum ja mälu kaitstud ja teeme kindlaks missuguseid õiguseid brauserite laiendused omavad. Uurime, kuidas on praegust laienduste arhitektuuri kasutades võimalik brausereid kompromiteerida ja kirjeldame sellega kaasnevaid riske. Selleks demonstreerime laiendusi, mis kompromiteerivad brauseri, näitamaks olemasoleva arhitektuuri puudujääke. Näitame erinevaid ründevektoreid ja kirjeldame nendele vastavaid ründestsenaariumeid. Töö tulemusena selguvad brauserite laienduste turvaarhitektuuri nõrkused. Nende leevendamiseks pakume välja lahendusi, mis parandavad turvaarhitektuuri. Töö tulemusena on võimalik brauserite kasutajaid informeerida olemasolevatest ohtudest ja teadvustada turvalisuse olulisusest.In this work, we analyse the security models of browser extensions. We view the extension models of Mozilla Firefox 3.6, Internet Explorer 8 and Google Chrome 5.0.360. Because browsers are providing functionalities similar to operating systems, we analyse these extension models as we would analyse an operating system. We show that the current security models can be abused with little effort. A browser with a compromised extension may result in the whole computer being compromised. To support our claims, we tested most of the attacks that are described in this analysis. The source code of these attacks is not included in the thesis. Thus, due to previously mentioned risks, we want to stress the importance of the threat that extensions pose to the security of browsers. The feasibility of creating malware extensions is analysed for each browser individually. Based on the analysis we propose possible attack vectors for each browser. Finally, we suggest ways to improve the current security models and give advice to the users

    Mayall:a framework for desktop JavaScript auditing and post-exploitation analysis

    Get PDF
    Writing desktop applications in JavaScript offers developers the opportunity to write cross-platform applications with cutting edge capabilities. However in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime --- an increasingly popular server-side technology. In bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. The paper also exposes fifteen highly popular Electron applications and demonstrates that two thirds of applications were found to be using known vulnerable elements with high CVSS scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed
    corecore