    Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild.

    The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Research has long since focused on three categories of XSS: Reflected, Persistent, and DOM-based XSS. In this paper, we argue that our community must consider at least four important classes of XSS, and present the first systematic study of the threat of Persistent Client-Side XSS, caused by the insecure use of client-side storage. While the existence of this class has been acknowledged, especially by the non-academic community like OWASP, prior works have either only found such flaws as side effects of other analyses or focused on a limited set of applications to analyze. Therefore, the community lacks in-depth knowledge about the actual prevalence of Persistent Client-Side XSS in the wild. To close this research gap, we leverage taint tracking to identify suspicious flows from client-side persistent storage (Web Storage, cookies) to dangerous sinks (HTML, JavaScript, and script.src). We discuss two attacker models capable of injecting malicious payloads into storage, i.e., a Network Attacker capable of temporarily hijacking HTTP communication (e.g., in a public WiFi), and a Web Attacker who can leverage flows into storage or an existing reflected XSS flaw to persist their payload. With our taint-aware browser and these models in mind, we study the prevalence of Persistent Client-Side XSS in the Alexa Top 5,000 domains. We find that more than 8% of them have unfiltered data flows from persistent storage to a dangerous sink, which showcases the developers' inherent trust in the integrity of storage content. Even worse, if we only consider sites that make use of data originating from storage, 21% of the sites are vulnerable. For those sites with vulnerable flows from storage to sink, we find that at least 70% are directly exploitable by our attacker models. Finally, investigating the vulnerable flows originating from storage allows us to categorize them into four disjoint categories and propose appropriate mitigations.

    Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification

    Large-scale discovery of thousands of vulnerable Web sites has become a frequent event, thanks to recent advances in security research and the rise in maturity of Internet-wide scanning tools. The issues related to disclosing the vulnerability information to the affected parties, however, have only been treated as a side note in prior research. In this paper, we systematically examine the feasibility and efficacy of large-scale notification campaigns. For this, we comprehensively survey existing communication channels and evaluate their usability in an automated notification process. Using a data set of over 44,000 vulnerable Web sites, we measure success rates, both with respect to the total number of fixed vulnerabilities and to reaching responsible parties, with the following high-level results: Although our campaign had a statistically significant impact compared to a control group, the increase in the fix rate of notified domains is marginal. If a notification report is read by the owner of the vulnerable application, the likelihood of a subsequent resolution of the issues is sufficiently high: about 40%. But, out of 35,832 transmitted vulnerability reports, only 2,064 (5.8%) were actually received successfully, resulting in an unsatisfactory overall fix rate, leaving 74.5% of Web applications exploitable after our month-long experiment. Thus, we conclude that currently no reliable notification channels exist, which significantly inhibits the success and impact of large-scale notification.

    Effects of nintedanib in patients with limited cutaneous systemic sclerosis and interstitial lung disease

    OBJECTIVES: To investigate the course of interstitial lung disease (ILD) and the effects of nintedanib in patients with limited cutaneous systemic sclerosis (lcSSc). METHODS: In the SENSCIS trial, patients with SSc-ILD were randomised to receive nintedanib or placebo. Patients who completed the SENSCIS trial were eligible to enter SENSCIS-ON, in which all patients received open-label nintedanib. RESULTS: Among 277 patients with lcSSc treated in the SENSCIS trial, the rate (SE) of decline in FVC (mL/year) over 52 weeks was -74.5 (19.2) in the placebo group and -49.1 (19.8) in the nintedanib group (difference: 25.3 [95% CI -28.9, 79.6]). Among 249 patients with data at week 52, mean (SE) changes in FVC at week 52 were -86.4 (21.1) mL in the placebo group and -39.1 (22.2) mL in the nintedanib group. Among 183 patients with lcSSc who participated in SENSCIS-ON and had data at week 52, mean (SE) changes in FVC from baseline to week 52 of SENSCIS-ON were -41.5 (24.0) mL in patients who took placebo in the SENSCIS trial and initiated nintedanib in SENSCIS-ON and -45.1 (19.1) mL in patients who took nintedanib in the SENSCIS trial and continued it in SENSCIS-ON. CONCLUSION: Patients with lcSSc may develop progressive fibrosing ILD. By targeting pulmonary fibrosis, nintedanib slows decline in lung function in patients with lcSSc and ILD. TRIAL REGISTRATION: ClinicalTrials.gov (https://www.clinicaltrials.gov), NCT02597933 and NCT03313180.

    Development and internal validation of prognostic models to predict negative health outcomes in older patients with multimorbidity and polypharmacy in general practice

    Background: Polypharmacy interventions are resource-intensive and should be targeted to those at risk of negative health outcomes. Our aim was to develop and internally validate prognostic models to predict health-related quality of life (HRQoL) and the combined outcome of falls, hospitalisation, institutionalisation and nursing care needs, in older patients with multimorbidity and polypharmacy in general practices. Methods: Design: two independent data sets, one comprising health insurance claims data (n=592 456), the other data from the PRIoritising MUltimedication in Multimorbidity (PRIMUM) cluster randomised controlled trial (n=502). Population: >= 60 years, >= 5 drugs, >= 3 chronic diseases, excluding dementia. Outcomes: combined outcome of falls, hospitalisation, institutionalisation and nursing care needs (after 6, 9 and 24 months) (claims data); and HRQoL (after 6 and 9 months) (trial data). Predictor variables in both data sets: age, sex, morbidity-related variables (disease count), medication-related variables (European Union-Potentially Inappropriate Medication list (EU-PIM list)) and health service utilisation. Predictor variables exclusively in trial data: additional socio-demographics, morbidity-related variables (Cumulative Illness Rating Scale, depression), Medication Appropriateness Index (MAI), lifestyle, functional status and HRQoL (EuroQol EQ-5D-3L). Analysis: mixed regression models, combined with stepwise variable selection, 10-fold cross validation and sensitivity analyses. Results: The most important predictors of EQ-5D-3L at 6 months in the best model (Nagelkerke's R² 0.507) were depressive symptoms (-2.73 (95% CI: -3.56 to -1.91)), MAI (-0.39 (95% CI: -0.7 to -0.08)) and baseline EQ-5D-3L (0.55 (95% CI: 0.47 to 0.64)). Models based on claims data and those predicting long-term outcomes based on both data sets produced low R² values. In the claims data-based model with the highest explanatory power (R²=0.16), previous falls/fall-related injuries, previous hospitalisations, age, number of involved physicians and disease count were the most important predictor variables. Conclusions: The best trial data-based model predicted HRQoL after 6 months well and included parameters of well-being not found in claims. Performance of claims data-based models and models predicting long-term outcomes was relatively weak. For generalisability, future studies should refit models by considering parameters representing well-being and functional status.

    The Na+/H+ exchanger NHE1 is required for directional migration stimulated via PDGFR-α in the primary cilium

    We previously demonstrated that the primary cilium coordinates platelet-derived growth factor (PDGF) receptor (PDGFR) α–mediated migration in growth-arrested fibroblasts. In this study, we investigate the functional relationship between ciliary PDGFR-α and the Na+/H+ exchanger NHE1 in directional cell migration. NHE1 messenger RNA and protein levels are up-regulated in NIH3T3 cells and mouse embryonic fibroblasts (MEFs) during growth arrest, which is concomitant with cilium formation. NHE1 up-regulation is unaffected in Tg737orpk MEFs, which have no or very short primary cilia. In growth-arrested NIH3T3 cells, NHE1 is activated by the specific PDGFR-α ligand PDGF-AA. In wound-healing assays on growth-arrested NIH3T3 cells and wild-type MEFs, NHE1 inhibition by 5′-(N-ethyl-N-isopropyl) amiloride potently reduces PDGF-AA–mediated directional migration. These effects are strongly attenuated in interphase NIH3T3 cells, which are devoid of primary cilia, and in Tg737orpk MEFs. PDGF-AA failed to stimulate migration in NHE1-null fibroblasts. In conclusion, stimulation of directional migration in response to ciliary PDGFR-α signals is specifically dependent on NHE1 activity, indicating that NHE1 activation is a critical event in the physiological response to PDGFR-α stimulation.

    microRNA miR-142-3p Inhibits Breast Cancer Cell Invasiveness by Synchronous Targeting of WASL, Integrin Alpha V, and Additional Cytoskeletal Elements

    MicroRNAs (miRNAs, micro ribonucleic acids) are pivotal post-transcriptional regulators of gene expression. These endogenous small non-coding RNAs play significant roles in tumorigenesis and tumor progression. miR-142-3p expression is dysregulated in several breast cancer subtypes. We aimed at investigating the role of miR-142-3p in breast cancer cell invasiveness. Supported by transcriptomic Affymetrix array analysis and confirmatory investigations at the mRNA and protein level, we demonstrate that overexpression of miR-142-3p in MDA-MB-231, MDA-MB-468 and MCF-7 breast cancer cells leads to downregulation of WASL (Wiskott-Aldrich syndrome-like, protein: N-WASP), Integrin-αV, RAC1, and CFL2, molecules implicated in cytoskeletal regulation and cell motility. ROCK2, IL6ST, KLF4, PGRMC2 and ADCY9 were identified as additional targets in a subset of cell lines. Decreased Matrigel invasiveness was associated with the miR-142-3p-induced expression changes. Confocal immunofluorescence microscopy, nanoscale atomic force microscopy and digital holographic microscopy revealed a change in cell morphology as well as a reduced cell volume and size. A more cortical actin distribution and a loss of membrane protrusions were observed in cells overexpressing miR-142-3p. Luciferase activation assays confirmed direct miR-142-3p-dependent regulation of the 3'-untranslated region of ITGAV and WASL. siRNA-mediated depletion of ITGAV and WASL resulted in a significant reduction of cellular invasiveness, highlighting the contribution of these factors to the miRNA-dependent invasion phenotype. While knockdown of WASL significantly reduced the number of membrane protrusions compared to controls, knockdown of ITGAV resulted in a decreased cell volume, indicating differential contributions of these factors to the miR-142-3p-induced phenotype. Our data identify WASL, ITGAV and several additional cytoskeleton-associated molecules as novel invasion-promoting targets of miR-142-3p in breast cancer.

    A comparative co-simulation analysis to improve the sustainability of cogeneration-based district multi-energy systems using photovoltaics, power-to-heat, and heat storage

    For an extensive decarbonization of district multi-energy systems, efforts are needed that go beyond today's cogeneration of heat and power in district multi-energy systems. The multitude of existing technical possibilities is confronted with a large variety of existing multi-energy system configurations. This variety impedes the development of universal decarbonization pathways. In order to tackle the decarbonization challenge in existing and distinct districts, this paper calculates a wide range of urban district configurations in an extensive co-simulation based on domain-specific submodels. A district multi-energy system comprising a district heating network, a power grid, and cogeneration is simulated for two locations in Germany with locally captured weather data, and for a whole year with variable parameters to configure a power-to-heat operation, building insulation/refurbishment, rooftop photovoltaic orientation, future energy demand scenarios, and district sizes with a temporal resolution of 60 seconds, in total 3840 variants. The interdependencies and synergies between the electrical low-voltage distribution grid and the district heating network are analysed in terms of efficiency and compliance with network restrictions. Thus, important sector-specific simulations of the heat and the electricity sector are combined in a holistic district multi-energy system co-simulation. The clearly most important impact on emission reduction and fuel consumption is a low heat demand, which can be achieved through thermal refurbishment of buildings. Up to 46% reduction in CO₂ emissions is possible using the surplus electricity from photovoltaics for power-to-heat in combination with central heat storage in the district's combined heat and power plant. Domestic hot water heated by the district heating network in combination with power-to-heat conversion distributed in the district reduces the load on the distribution power grid. Even though the investigated measures already improve the sustainability significantly, providing the energy needed for the production of synthetic fuels remains the crucial challenge on the further path towards net-zero.

    Microfiber-microcavity system for efficient single photon collection

    Funded by the National Research Foundation of Korea (NRF) grant (MSIP) (NRF-2007-341-C00018, NRF-2014M3C1A3052567); State of Bavaria.

    Single photon sources are key components for various quantum information processing applications. For practical quantum applications, bright single photon sources with efficient fiber-optical interfaces are highly required. Here, bright fiber-coupled single photon sources based on InAs quantum dots are demonstrated through the k-vector matching between a microfiber mode and a normal mode of the linear photonic crystal cavity. One of the modes of the linear photonic crystal cavity whose k-vector is similar to that of the microfiber mode is employed. From an independent transmission measurement, a coupling efficiency directly into the fiber of 58% is obtained. When the quantum dot and cavity system is non-resonantly pumped with an 80 MHz pulse train, a raw count rate of 1.81 MHz is obtained with g(2)(0) = 0.46. Resonant pumping is expected to improve the rather high g(2)(0) value. Time-resolved photoluminescence is also measured to confirm the three-fold Purcell enhancement. This system provides a promising route for efficient direct fiber collection of single photons for quantum information processing.