Securing the Next Generation Web
Doctoral thesis, 2022

With the ever-increasing digitalization of society, the need for secure systems is growing. While some security features, like HTTPS, are popular, securing web applications and the clients we use to interact with them remains difficult.

To secure web applications we focus on both the client-side and server-side. For the client-side, mainly web browsers, we analyze how new security features might solve a problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP) directive navigate-to. In our research, we find that it does introduce new vulnerabilities, to which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting where there is no access to the source code is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to further improve the coverage and vulnerability detection rate of scanners.

In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. AdBlockers and password managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions solely based on the meta-data of downloads over time.

We analyze new attack vectors introduced by Google’s new vehicle OS, Android Automotive. This is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability. Furthermore, we create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found.

Android Automotive

Web application scanning

Web Application Security


Content Security Policy

Input validation

Browser extensions

Opponent: Associate Professor Adam Doupé, Arizona State University.


Benjamin Eriksson

Chalmers, Computer Science and Engineering (Chalmers), Information Security

AutoNav: Evaluation and Automatization of Web Navigation Policies

The Web Conference 2020 - Proceedings of the World Wide Web Conference, WWW 2020 (2020), p. 1320-1331

Paper in proceeding

Black widow: Blackbox data-driven web scanning

Proceedings - IEEE Symposium on Security and Privacy, Vol. 2021-May (2021), p. 1125-1142

Paper in proceeding

Benjamin Eriksson, Amanda Stjerna, Riccardo De Masellis, Philipp Ruemmer, Andrei Sabelfeld. Black Ostrich: Web Application Scanning with String Solvers

Hardening the security analysis of browser extensions

Proceedings of the ACM Symposium on Applied Computing (2022), p. 1694-1703

Paper in proceeding

Pablo Picazo-Sanchez, Benjamin Eriksson, Andrei Sabelfeld. No Signal Left to Chance: Driving Browser Extension Analysis by Download Patterns

On the road with third-party apps: Security analysis of an in-vehicle app platform

VEHITS 2019 - Proceedings of the 5th International Conference on Vehicle Technology and Intelligent Transport Systems (2019), p. 64-75

Paper in proceeding

Our modern society depends on efficient and secure online services. Whether it is for banking,
medical journals, talking with friends on social media, or online entertainment, security is crucial.
We regularly hear news about websites being “hacked” and data being leaked. These problems stem
from security bugs in the web applications we rely on. Insecure web applications not only put the
companies at risk of losing revenue but also risk users’ private data being sold or made public. In
addition to web applications, our browsers and their extensions, which we use to interact with these
applications, can also serve as an avenue for attackers to steal users’ data.

Security bugs, or vulnerabilities, come in many shapes and sizes. They can range from sending
data without using encryption to more complex bugs where attackers can gain full control over the
web application by injecting their code. Even in cases where great care is put into securing
applications, subtle vulnerabilities might still be missed. Sometimes, complex workflows and chains
of actions are required to find a problem. For example, a social media user might need to join a
group, then post a photo, before they can find the vulnerability in the photo’s comment section.

Similarly, in web browsers, new security mechanisms are constantly being proposed. However,
while these might fix one problem, they can introduce new ones unless the entire ecosystem is
considered. Finally, the extensions we allow in our browsers possess great capabilities to read and
manipulate user data. As such, thorough security vetting is required to detect both vulnerabilities
and maliciousness.

This thesis focuses on improving web security by developing novel and efficient methods for
detecting security vulnerabilities in web applications, as well as browsers and their extensions.
Vulnerability detection in web applications is improved by unifying previous orthogonal methods in
a non-trivial way. Furthermore, by incorporating and improving on works in mathematical logic,
practical challenges in web application scanning can be solved. Security problems of browser
extensions are tackled by a systematic analysis of the extension ecosystem. This resulted in new
code analysis methods that can find previously undetected malicious extensions. Additionally, novel
meta-data analysis methods are developed for finding malicious extensions without the need for the
extension’s code. Finally, by extending the methods to embedded systems, malicious apps in
infotainment systems for vehicles can also be detected.

WebSec: Securing Web-driven Systems

Swedish Foundation for Strategic Research (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.

Areas of Advance

Information and Communication Technology

Subject Categories

Computer and Information Science



Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 5146





More information

Latest update

8/5/2022 2