694 research outputs found
How to design browser security and privacy alerts
Browser security and privacy alerts must be designed to ensure they are of value to the end-user, and communicate risks efficiently. We performed a systematic literature review, producing a list of guidelines from the research. Papers were analysed quantitatively and qualitatively to formulate a comprehensive set of guidelines. Our findings seek to provide developers and designers with guidance as to how to construct security and privacy alerts. We conclude by providing an alert template, highlighting its adherence to the derived guidelines
Hardening the security analysis of browser extensions
Browser extensions boost the browsing experience by a range of features from automatic translation and grammar correction to password management, ad blocking, and remote desktops. Yet the power of extensions poses significant privacy and security challenges because extensions can be malicious and/or vulnerable. We observe that there are gaps in the previous work on analyzing the security of browser extensions and present a systematic study of attack entry points in the browser extension ecosystem. Our study reveals novel password stealing, traffic stealing, and inter-extension attacks. Based on a combination of static and dynamic analysis we show how to discover extension attacks, both known and novel ones, and study their prevalence in the wild. We show that 1,349 extensions are vulnerable to inter-extension attacks leading to XSS. Our empirical study uncovers a remarkable cluster of "New Tab"extensions where 4,410 extensions perform traffic stealing attacks. We suggest several avenues for the countermeasures against the uncovered attacks, ranging from refining the permission model to mitigating the attacks by declarations in manifest files
Policy-agnostic programming on the client-side
Browser security has become a major concern especially due to web pages becoming more complex. These web applications handle a lot of information, including sensitive data that may be vulnerable to attacks like data exfiltration, cross-site scripting (XSS), etc. Most modern browsers have security mechanisms in place to prevent such attacks but they still fall short in preventing more advanced attacks like evolved variants of data exfiltration. Moreover, there is no standard that is followed to implement security into the browser.
A lot of research has been done in the field of information flow security that could prove to be helpful in solving the problem of securing the client-side. Policy- agnostic programming is a programming paradigm that aims to make implementation of information flow security in real world systems more flexible. In this paper, we explore the use of policy-agnostic programming on the client-side and how it will help prevent common client-side attacks. We verify our results through a client-side salary management application. We show a possible attack and how our solution would prevent such an attack
09141 Abstracts Collection -- Web Application Security
From 29th March to 3rd April 2009 the Dagstuhl Seminar
09141 Web Application Security was held in Schloss Dagstuhl -- Leibniz
Center for Informatics. During the seminar, several participants presented
their current research, and ongoing work and open problems were
discussed. Abstracts of the presentations given during the seminar are
put together in this paper. Links to full papers (if available) are provided
in the corresponding seminar summary document
Securing the Next Generation Web
With the ever-increasing digitalization of society, the need for secure systems is growing. While some security features, like HTTPS, are popular, securing web applications, and the clients we use to interact with them remains difficult.To secure web applications we focus on both the client-side and server-side. For the client-side, mainly web browsers, we analyze how new security features might solve a problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP)\ua0 directive navigate-to. In our research, we find that it does introduce new vulnerabilities, to which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting where\ua0 there is no access to the source code is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We\ua0 accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to\ua0 further improve the coverage and vulnerability detection rate of scanners.In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. AdBlockers and password\ua0 managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new\ua0 static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions\ua0 solely based on the meta-data of downloads over time. We analyze new attack vectors introduced by Google’s new vehicle OS, Android Automotive. This\ua0 is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability. Furthermore, we\ua0 create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found
The Security Analysis of Browser Extensions
Paljud tänapäevased brauserid võimaldavad funktsionaalsuse lisamist või
muutmist laienduste kaudu. Rohkete võimaluste tõttu on laiendused muutunud
kasutajate hulgas populaarseks ja see on toonud kaasa uued ründevektorid,
mis ohustavad kasutajate turvalisust. Töös analüüsime populaarsemate
veebibrauserite laienduste turvaarhitektuuri. Vaatleme Firefox 3.6, Google
Chrome 5.0.360 ja Internet Explorer 8 laienduste ehitust ja nende turvalisust.
Töö annab ülevaate vastavate brauserite laienduste arhitektuurilisest
turvalisusest ja kirjeldab võimalikke ründevektoreid. Selgitame, kuidas on
vastavate veebibrauserite koodiruum ja mälu kaitstud ja teeme kindlaks missuguseid
õiguseid brauserite laiendused omavad. Uurime, kuidas on praegust
laienduste arhitektuuri kasutades võimalik brausereid kompromiteerida
ja kirjeldame sellega kaasnevaid riske. Selleks demonstreerime laiendusi, mis
kompromiteerivad brauseri, näitamaks olemasoleva arhitektuuri puudujääke.
Näitame erinevaid ründevektoreid ja kirjeldame nendele vastavaid ründestsenaariumeid.
Töö tulemusena selguvad brauserite laienduste turvaarhitektuuri
nõrkused. Nende leevendamiseks pakume välja lahendusi, mis parandavad
turvaarhitektuuri. Töö tulemusena on võimalik brauserite kasutajaid
informeerida olemasolevatest ohtudest ja teadvustada turvalisuse olulisusest.In this work, we analyse the security models of browser extensions. We
view the extension models of Mozilla Firefox 3.6, Internet Explorer 8 and
Google Chrome 5.0.360. Because browsers are providing functionalities similar
to operating systems, we analyse these extension models as we would
analyse an operating system. We show that the current security models can
be abused with little effort. A browser with a compromised extension may
result in the whole computer being compromised. To support our claims, we
tested most of the attacks that are described in this analysis. The source code
of these attacks is not included in the thesis. Thus, due to previously mentioned
risks, we want to stress the importance of the threat that extensions
pose to the security of browsers. The feasibility of creating malware extensions is analysed
for each browser individually. Based on the analysis we propose possible
attack vectors for each browser. Finally, we suggest ways to improve the
current security models and give advice to the users
Mayall:a framework for desktop JavaScript auditing and post-exploitation analysis
Writing desktop applications in JavaScript offers developers the opportunity to write cross-platform applications with cutting edge capabilities. However in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime --- an increasingly popular server-side technology. In bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. The paper also exposes fifteen highly popular Electron applications and demonstrates that two thirds of applications were found to be using known vulnerable elements with high CVSS scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed
- …