Web Application Content Security
Doctoral thesis, 2018
The web has become ubiquitous in modern lives. People go online to stay in contact with their friends or to manage their bank account. With lots of different sensitive information handled by web applications securing them naturally becomes important. In this thesis we analyze the state of the art in client-side web security, empirically study real-world deployments, analyze best practices and actively contribute to improve security of the web platform.
We explore how password meters and password generators are included into web applications and how it should be done, in particular when external code is used.
Next, we investigate if and how browser extensions and modify Content Security Policy HTTP headers (CSP) by analyzing a large set of real-world browser extensions. We implement a mechanism which allows web servers to react to CSP header modifications by browser extensions.
Is CSP meant to prevent data exfiltration on the web? We discuss the different positions in the security community with respect to this question. Without choosing a side we show that the current CSP standard does in fact not prevent data exfiltration and provide possible solutions.
With login pages as the points of authenticating to a web service their security is particularly relevant. In a large-scale empirical study we automatically identify and analyze login page security configurations on the web, and discuss measures to improve the security of login pages.
Last, we analyze a standard proposal for Origin Manifest, a mechanism for origin-wide security configurations. We implement a mechanism to automatically generate such configurations, make extensions to the mechanism, implement a prototype and run several large-scale empirical studies to evaluate the standard proposal.
We explore how password meters and password generators are included into web applications and how it should be done, in particular when external code is used.
Next, we investigate if and how browser extensions and modify Content Security Policy HTTP headers (CSP) by analyzing a large set of real-world browser extensions. We implement a mechanism which allows web servers to react to CSP header modifications by browser extensions.
Is CSP meant to prevent data exfiltration on the web? We discuss the different positions in the security community with respect to this question. Without choosing a side we show that the current CSP standard does in fact not prevent data exfiltration and provide possible solutions.
With login pages as the points of authenticating to a web service their security is particularly relevant. In a large-scale empirical study we automatically identify and analyze login page security configurations on the web, and discuss measures to improve the security of login pages.
Last, we analyze a standard proposal for Origin Manifest, a mechanism for origin-wide security configurations. We implement a mechanism to automatically generate such configurations, make extensions to the mechanism, implement a prototype and run several large-scale empirical studies to evaluate the standard proposal.
Content Security Policy
crawling
web application security
web security
client side
security HTTP headers
ED, Rännvägen 6, Chalmers
Opponent: Davide Balzarotti, EURECOM, Sophia Antipolis, France
Author
Daniel Hausknecht
Software Technology, Group C2
Steven Van Acker, Daniel Hausknecht, Andrei Sabelfeld, Raising the Bar: Evaluating Origin-wide Security Manifests
Today, the Web is ubiquitous. Websites have long moved from static information pages sent to a client browser for sheer display. Today, websites widely implement complex web applications as powerful as on a device installed applications. Today, people use browsers to chat and share pictures with friends and family, go shopping or even manage their bank accounts online.
Naturally, a lot of private data is involved. Data that should be protected against unintended recipients, against hackers. To this end, the web community has come up with several protection mechanisms to secure the content of web applications.
In this thesis we analyze various client-side web security problems. For example we investigate the deployment of security critical web services like online password meters and password generators, and the client-side security configurations of login pages of the 100.000 most visited websites. We study how and if certain security problems are addressed by real world web applications, if sufficient protection mechanisms exist, and propose solutions to improve the state of the art for web security.
Naturally, a lot of private data is involved. Data that should be protected against unintended recipients, against hackers. To this end, the web community has come up with several protection mechanisms to secure the content of web applications.
In this thesis we analyze various client-side web security problems. For example we investigate the deployment of security critical web services like online password meters and password generators, and the client-side security configurations of login pages of the 100.000 most visited websites. We study how and if certain security problems are addressed by real world web applications, if sufficient protection mechanisms exist, and propose solutions to improve the state of the art for web security.
Subject Categories
Other Computer and Information Science
Information Science
Computer Science
Areas of Advance
Information and Communication Technology
ISBN
978-91-7597-768-3
Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 4449
Publisher
Chalmers
ED, Rännvägen 6, Chalmers
Opponent: Davide Balzarotti, EURECOM, Sophia Antipolis, France