
    The Nonce-nce of Web Security: an Investigation of CSP Nonces Reuse

    Content Security Policy (CSP) is an effective security mechanism that prevents the exploitation of Cross-Site Scripting (XSS) vulnerabilities on websites by specifying the sources from which their web pages can load resources, such as scripts and styles. CSP nonces enable websites to allow the execution of specific inline scripts and styles without relying on a whitelist. In this study, we measure and analyze the use of CSP nonces in the wild, specifically looking for nonce reuse, short nonces, and invalid nonces. We find that, of the 2271 sites that deploy a nonce-based policy, 598 of them reuse the same nonce value in more than one response, potentially enabling attackers to bypass the protection offered by the CSP against XSS attacks. We analyze the causes of the nonce reuse to identify whether it is introduced by the server-side code or whether the nonces are being cached by web caches. Moreover, we investigate whether nonces are only reused within the same session or across different sessions, as this impacts the effectiveness of CSP in preventing XSS attacks. Finally, we discuss the possibilities for attackers to bypass the CSP and achieve XSS in different nonce reuse scenarios.
    Comment: Accepted at the WASP workshop (ESORICS 2023

    Montecarlo wavefield imaging of 3D prestack data

    We present a new imaging methodology based on the depth extrapolation of a single dataset obtained by randomly compressing sources and shot-gathers. In this work a Monte Carlo imaging condition was implemented with a Phase Shift Plus Interpolation (PSPI) extrapolating kernel and tested on the SEG-EAGE salt model. This study demonstrates that wavefield 3D prestack depth migration is possible for industrial applications, providing high quality results in reasonable computational times.

    Quarter-mile walk test sensitive to training-induced fitness changes

    BACKGROUND: Cardiorespiratory fitness (CRF) is an important aspect of the overall health of an individual and its monitoring must be promoted in the general population. Thus, the aim of the study was to cross-validate and improve CRF estimation based on the quarter-mile Rockport Fitness Walking Test. METHODS: Thirty participants (31.4±7.99 years) were randomized into either a four-week aerobic training group (10 men and 10 women) or a control group (eight men and two women). CRF was assessed via a VO2max test and estimated via the quarter-mile Rockport Fitness and Ebbeling treadmill tests, before and after the training intervention. The original quarter-mile Rockport VO2max estimation was found to greatly overestimate CRF by 22 mL/kg/min. When its coefficient was updated according to our data, it largely improved (by 6.8 mL/kg/min). Furthermore, a new algorithm for predicting VO2max was designed using multi-linear regression analysis. RESULTS: The original quarter-mile Rockport Fitness Walking Test was not sensitive to CRF changes. It showed changes in VO2max which were significantly different from the actual observed changes (-1.1±4.08 vs. 1.61±2.84, P=0.02, respectively). The Ebbeling treadmill test appeared to systematically overestimate CRF changes. Our new algorithm showed improved sensitivity for detecting CRF changes and stability. CONCLUSIONS: The original quarter-mile Rockport Fitness Walking Test equation for predicting VO2max was neither accurate nor sensitive to changes in CRF, most likely due to cardiovascular drift. Our new algorithm, based on the same brisk walking test, can provide a more accurate estimate of CRF, which is also sensitive to VO2max changes, in a broad age range (18 to 50 years).