AutoNav: Evaluation and Automatization of Web Navigation Policies
Paper in proceeding, 2020

Undesired navigation in browsers powers a significant class of attacks on web applications. In a move to mitigate risks associated with undesired navigation, the security community has proposed a standard that gives control to web pages to restrict navigation. The standard draft introduces a new navigate-to directive of the Content Security Policy (CSP). The directive is currently being implemented by mainstream browsers. This paper is a first evaluation of navigate-to, focusing on security, performance, and automatization of navigation policies. We present new vulnerabilities introduced by the directive into the web ecosystem, opening up for attacks such as probing to detect if users are logged in to other websites or have active shopping carts, bypassing third-party cookie blocking, exfiltrating secrets, as well as leaking browsing history. Unfortunately, the directive triggers vulnerabilities even in websites that do not use the directive in their policies. We identify both specification- and implementation-level vulnerabilities and propose countermeasures to mitigate both. To aid developers in configuring navigation policies, we develop and implement AutoNav1, an automated black-box mechanism to infer navigation policies. AutoNav leverages the benefits of origin-wide policies in order to improve security without degrading performance. We evaluate the viability of navigate-to and AutoNav by an empirical study on Alexa's top 10,000 websites.

web application security

csp

web navigations

Author

Benjamin Eriksson

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Andrei Sabelfeld

Chalmers, Computer Science and Engineering (Chalmers), Information Security

The Web Conference 2020 - Proceedings of the World Wide Web Conference, WWW 2020

1320-1331
978-145037023-3 (ISBN)

29th International World Wide Web Conference, WWW 2020
Taipei, Taiwan,

Subject Categories

Public Administration Studies

Computer Science

Computer Systems

DOI

10.1145/3366423.3380207

More information

Latest update

9/15/2020