Spidering the Modern Web: Securing the Next Generation of Web Sites and Browser Extensions

Licentiate thesis, 2025

Given the range of critical and sensitive services available on the Web, securing the web applications and browser extensions in this ecosystem is of paramount importance. However, this goal has not been achieved. Vulnerabilities in web applications remain undetected, and malicious browser extensions are still available in curated app stores.

While black-box scanning is a promising method for detecting vulnerabilities in diverse web applications, crawling these increasingly client-side and stateful applications is challenging. To discover vulnerabilities in modern web applications, we develop two new scanning methods that take into account these challenges.

We first propose a novel grey-box method, Spider-Scents, for detecting stored XSS vulnerabilities that avoids these challenges by relaxing the problem to finding unprotected outputs from the database. This method supplements an otherwise black-box scanner with the ability to directly inject payloads into the database. In our evaluation, we demonstrate that these code smells are highly related to complete vulnerabilities while showcasing the improved vulnerability detection and database coverage of our method.

We then propose a new black-box scanner, SpiderSapien, with the aim to test deep states in modern web applications, by generating valid client-side actions and form inputs that could unlock previously untested functionality. In our evaluation, we show that SpiderSapien improves vulnerability detection and code coverage, while the LLM-powered method solves more diverse forms.

Finally, we develop a framework to find fake reviews from the metadata of extensions on the Chrome Web Store. We identify how reviews can be faked, and propose five statistical methods to detect them. We demonstrate how these methods find fake reviews, and show how this can be used to find malicious extensions.