Charlie Hothersall-Thomas
ABSTRACT
The security of the client side of a web application relies on browser features such as cookies, the same-origin policy and HTTPS. As the client side grows increasingly powerful and sophisticated, browser vendors have stepped up their offering of security mechanisms which can be leveraged to protect it. These are often introduced experimentally and informally and, as adoption increases, gradually become standardised (e.g., CSP, CORS and HSTS). Considering the diverse landscape of browser vendors, releases, and customised versions for mobile and embedded devices, there is a compelling need for a systematic assessment of browser security. We present BrowserAudit, a tool for testing that a deployed browser enforces the guarantees implied by the main standardised and experimental security mechanisms. It includes more than 400 fully-automated tests that exercise a broad range of security features, helping web users, application developers and security researchers to make an informed security assessment of a deployed browser. We validate BrowserAudit by discovering both fresh and known security-related bugs in major browsers.
- Bootstrap. http://getbootstrap.com/.Google Scholar
- Browser DOM access checker. http://lcamtuf.coredump.cx/dom_checker/.Google Scholar
- Browserscope. http://www.browserscope.org/.Google Scholar
- BrowserSpy. http://browserspy.dk/.Google Scholar
- BrowserStack. http://www.browserstack.com/.Google Scholar
- Can I Use.. .. http://caniuse.com/.Google Scholar
- Chai. http://chaijs.com/.Google Scholar
- How’s My SSL? https://www.howsmyssl.com/.Google Scholar
- jQuery. http://jquery.com/.Google Scholar
- Mocha. http://mochajs.org/.Google Scholar
- Nginx. http://nginx.org/.Google Scholar
- Panopticlick. https://panopticlick.eff.org/.Google Scholar
- PostgreSQL. http://www.postgresql.org/.Google Scholar
- Qualys SSL Labs. https://www.ssllabs.com/.Google Scholar
- The Can I Use... test suite. http://tests.caniuse.com/.Google Scholar
- The Go Programming Language. https://golang.org/.Google Scholar
- A. Barth. HTTP State Management Mechanism. RFC 6265 (Proposed Standard), Apr. 2011.Google Scholar
- A. Barth, J. Caballero, and D. Song. Secure content sniffing for web browsers, or how to stop papers from reviewing themselves. In Proceedings of S&P 2009, pages 360––371, 2009. Google ScholarDigital Library
- A. Barth, C. Jackson, and J. Mitchell. Securing Frame Communication in Browsers. In Proceedings of USENIX Security 2008, pages 17–30, 2008. Google ScholarDigital Library
- A. Barth, C. Jackson, and J. C. Mitchell. Robust Defenses for Cross-site Request Forgery. In Proceedings of CCS’08, pages 75–88, 2008. Google ScholarDigital Library
- A. Barth and M. West. Content Security Policy 1.1, June 2013. W3C Working Draft WD-CSP11-20130604.Google Scholar
- K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis. Language-Based Defenses Against Untrusted Browser Origins. In Proceedings of USENIX Security 2013, pages 653–670, 2013. Google ScholarDigital Library
- E. Budianto, Y. Jia, X. Dong, P. Saxena, and Z. Liang. You Can’t Be Me: Enabling Trusted Paths and User Sub-origins in Web Browsers. In A. Stavrou, H. Bos, and G. Portokalidis, editors, Proceedings of RAID 2014, volume 8688 of Lecture Notes in Computer Science, pages 150–171. Springer, 2014.Google ScholarCross Ref
- Bugzilla. Bug 1007205 — CSP allows local CSS @import with only ‘unsafe-inline’ set. https: //bugzilla.mozilla.org/show_bug.cgi?id=1007205.Google Scholar
- Bugzilla. Bug 1007634 — CSP allows local Worker construction with only ‘unsafe-inline’ set. https: //bugzilla.mozilla.org/show_bug.cgi?id=1007634.Google Scholar
- Bugzilla. Bug 471020 — Add X-Content-Type-Options: nosniff support to Firefox. https: //bugzilla.mozilla.org/show_bug.cgi?id=471020.Google Scholar
- Bugzilla. Bug 671389 — Implement CSP sandbox directive. https: //bugzilla.mozilla.org/show_bug.cgi?id=671389.Google Scholar
- P. De Ryck, L. Desmet, P. Philippaerts, and F. Piessens. A security analysis of next generation web standards. Technical report, ENISA, July 2011.Google Scholar
- X. Dong, Z. Chen, H. Siadati, S. Tople, P. Saxena, and Z. Liang. Protecting sensitive web content from client-side vulnerabilities with CRYPTONS. In Proceedings of CCS’13, pages 1311–1324, 2013. Google ScholarDigital Library
- P. Eckersley. How unique is your web browser? In Proceedings of PETS’10, pages 1–18, 2010. Google ScholarDigital Library
- R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol – HTTP/1.1. RFC 2616 (Draft Standard), June 1999. Google ScholarDigital Library
- GitHub. BrowserAudit project. https://github.com/browseraudit/.Google Scholar
- M. Heiderich, M. Niemietz, F. Schuster, T. Holz, and J. Schwenk. Scriptless Attacks: Stealing the Pie Without Touching the Sill. In Proceedings of CCS’12, pages 760–771, 2012. Google ScholarDigital Library
- I. Hickson and D. Hyatt. HTML5: A vocabulary and associated APIs for HTML and XHTML. W3C Candidate Recommendation CR-HTML5-20140429, Apr. 2014.Google Scholar
- J. Hodges, C. Jackson, and A. Barth. HTTP Strict Transport Security (HSTS). RFC 6797 (Proposed Standard), Nov. 2012.Google Scholar
- L.-S. Huang, A. Moshchuk, H. J. Wang, S. Schechter, and C. Jackson. Clickjacking: Attacks and Defenses. In Proceedings of USENIX Security 2012, pages 22–22, 2012. Google ScholarDigital Library
- C. Jackson and A. Barth. Forcehttps: Protecting High-security Web Sites from Network Attacks. In Proceedings of WWW’08, pages 525–534, 2008. Google ScholarDigital Library
- E. Kirda. Cross Site Scripting Attacks. In Encyclopedia of Cryptography and Security, pages 275–277. 2011.Google Scholar
- S. Maffeis, J. C. Mitchell, and A. Taly. Object Capabilities and Isolation of Untrusted Web Applications. In Proceedings of S&P 2010, pages 125––140, 2010. Google ScholarDigital Library
- MSDN Blogs. IE8 Security Part VI: Beta 2 Update. http://blogs.msdn.com/b/ie/archive/2008/09/02/ ie8-security-part-vi-beta-2-update.aspx.Google Scholar
- K. Patil, X. Dong, X. Li, Z. Liang, and X. Jiang. Towards Fine-Grained Access Control in JavaScript Contexts. In Proceedings of ICDCS’11, pages 720–729, 2011. Google ScholarDigital Library
- D. Ross and T. Gondrom. HTTP Header Field X-Frame-Options. RFC 7034 (Informational), Oct. 2013.Google Scholar
- G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson. Busting Framebusting: a Study of Clickjacking Vulnerabilities at Popular Sites. In Proceedings of W2SP 2010, 2010.Google Scholar
- K. Singh, A. Moshchuk, H. J. Wang, and W. Lee. On the Incoherencies in Web Browser Access Control Policies. In Proceedings of S&P 2010, pages 463––478, 2010. Google ScholarDigital Library
- B. Sterne and A. Barth. Content Security Policy 1.0. Nov. 2012. W3C Candidate Recommendation CR-CSP-20121115.Google Scholar
- A. Van Kesteren. Cross-origin Resource Sharing. W3C Recommendation REC-cors-20140116, Jan. 2014.Google Scholar
- M. Zalewski. Browser Security Handbook, 2010.Google Scholar
- M. Zalewski. The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, 2012. Google ScholarDigital Library
Index Terms
- BrowserAudit: automated testing of browser security features
Recommendations
Fortifying web-based applications automatically
CCS '11: Proceedings of the 18th ACM conference on Computer and communications securityBrowser designers create security mechanisms to help web developers protect web applications, but web developers are usually slow to use these features in web-based applications (web apps). In this paper we introduce Zan, a browser-based system for ...
FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security
Detection of Intrusions and Malware, and Vulnerability AssessmentAbstractBrowser fingerprinting has established itself as a stateless technique to identify users on the Web. In particular, it is a highly criticized technique to track users. However, we believe that this identification technique can serve more virtuous ...
Enhancing the Security of Cookies
ICISC '01: Proceedings of the 4th International Conference Seoul on Information Security and CryptologyCookies are pieces of information generated by a Web server to be stored in a user's machine. The information in cookies can range from selected items in a user's shopping cart to authentication information used for accessing restricted pages. While ...
Comments