Large-Scale Analysis of Style Injection by Relative Path Overwrite

Arshad, Sajjad; Mirheidari, Seyed Ali; Lauinger, Tobias; Crispo, Bruno; Kirda, Engin; Robertson, William

doi:10.1145/3178876.3186090

Cited by 6 publications

(8 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another body of work focuses on the issues related to the inclusion of third-party subresources and trackers in webpages [4,7,31,32,35,41]. Arshad et al [5] perform the rst large-scale analysis of scriptless CSS injection. They show that around 9% of 10k most popular websites contain at least one vulnerable page, out of which more than one third can be exploited.…”

Section: Related Workmentioning

confidence: 99%

An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

Chapuis¹,

Omolola²,

Cherubini³

et al. 2020

Proceedings of the Web Conference 2020

View full text Add to dashboard Cite

Web developers can (and do) include subresources such as scripts, stylesheets and images in their webpages. Such subresources might be stored on content delivery networks (CDNs). This practice creates security and privacy risks, should a subresource be corrupted. The subresource integrity (SRI) recommendation, released in mid-2016 by the W3C, enables developers to include digests in their webpages in order for web browsers to verify the integrity of subresources before loading them. In this paper, we conduct the rst large-scale longitudinal study of the use of SRI on the Web by analyzing massive crawls (≈3B URLs) of the Web over the last 3.5 years. Our results show that the adoption of SRI is modest (≈3.40%), but grows at an increasing rate and is highly in uenced by the practices of popular library developers (e.g., Bootstrap) and CDN operators (e.g., jsDelivr). We complement our analysis about SRI with a survey of web developers (=227): It shows that a substantial proportion of developers know SRI and understand its basic functioning, but most of them ignore important aspects of the recommendation. The results of the survey also show that the integration of SRI by developers is mostly manual-hence not scalable and error prone. This calls for a better integration of SRI in build tools. CCS CONCEPTS • Security and privacy → Web protocol security; Hash functions and message authentication codes.

show abstract

Section: Related Workmentioning

confidence: 99%

An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

Chapuis¹,

Omolola²,

Cherubini³

et al. 2020

Proceedings of the Web Conference 2020

View full text Add to dashboard Cite

show abstract

“…Resources of type iframe are, essentially, equivalent to scripts used for drive-by attacks [31,32]. The other resource types can be misused only for attempting to inject malware in the browser, by exploiting vulnerabilities in the browser code for handling the corresponding resources [33][34][35][36].…”

Section: Data Collection and Methodologymentioning

confidence: 99%

A Security-Oriented Analysis of Web Inclusions in the Italian Public Administration

Bartoli

Lorenzo

Medvet

et al. 2018

Cybernetics and Information Technologies

View full text Add to dashboard Cite

Modern web sites serve content that browsers fetch automatically from a number of different web servers that may be placed anywhere in the world. Such content is essential for defining the appearance and behavior of a web site and is thus a potential target for attacks. Many public administrations offer services on the web, thus we have entered a world in which web sites of public interest are continuously and systematically depending on web servers that may be located anywhere in the world and are potentially under control of other governments. In this work we focus on these issues by investigating the content included by almost 10000 web sites of the Italian Public Administration. We analyse the nature of such content, its quantity, its geographical location, the amount of dynamic variations over time. Our analyses demonstrate that the perimeter of trust of the Italian Public Administration collectively includes countries that are well beyond the control of the Italian government and provides several insights useful for implementing a centralized monitoring service aimed at detecting anomalies.

show abstract

“…Another research found that because of the browser failing to ask permission, websites were able to read the battery status and profile users accordingly [30]. Previous studies [8], [9], [10] focused on adoption of response headers in general or in particular such as Content Security Policy [11], [12] and Referrer Policy [13]. Studies showed that unless these policies are used correctly both by server-side and client-side, they do not protect against possible attacks.…”

Section: Related Workmentioning

confidence: 99%

“…Previous studies focused on the adoption of response headers and their security and privacy implications [8], [9], [10], [11], [12], [13]. In other work [14], [15], researchers proposed sandboxing scripts as a countermeasure to data leakage.…”

Section: Introductionmentioning

confidence: 99%