
No boundaries: data exfiltration by third parties embedded on web pages

Gunes Acar, Steven Englehardt, Arvind Narayanan
2020 Proceedings on Privacy Enhancing Technologies  
Abstract: We investigate data exfiltration by third-party scripts directly embedded on web pages.  ...  Although the possibility of these attacks was well known, we provide the first empirical evidence based on measurements of 300,000 distinct web pages from 50,000 sites.  ...  This study is supported by an NSF grant (CNS 1526353). Some of our measurements were funded by an Amazon AWS Cloud Credits for Research grant.  ... 
doi:10.2478/popets-2020-0070 fatcat:4x64dhnc5nagxbsfnlcyi3oqgy

Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems

Drew Davidson, Yaohui Chen, Franklin George, Long Lu, Somesh Jha
2017 Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security - ASIA CCS '17  
content can use the privileges of its embedding app to exfiltrate sensitive information such as the user's location and contacts.  ...  Unfortunately, the interactions between app code and web content expose new attack vectors: a malicious app can subvert its embedded web content to steal user secrets; on the other hand, malicious web  ...  Web-to-App Attacks: an embedded web page from a third-party may attack its host app.  ... 
doi:10.1145/3052973.3052998 dblp:conf/ccs/DavidsonCGLJ17 fatcat:wq7eovz2trgqdjb4o5pqevgscm

Data exfiltration: A review of external attack vectors and countermeasures

Faheem Ullah, Matthew Edwards, Rajiv Ramdhany, Ruzanna Chitchyan, M. Ali Babar, Awais Rashid
2018 Journal of Network and Computer Applications  
Data exfiltration can be perpetrated by an outsider or an insider of an organization.  ...  on protecting data in 'in use' state, therefore, future research needs to be directed towards securing data in 'in rest' and 'in transit' states (e) There is no standard or framework for evaluation of  ...  This way queries generated by third-party application are evaluated on transformed view rather than original user's profile data.  ... 
doi:10.1016/j.jnca.2017.10.016 fatcat:fweg67tparct5owb3r4qrpgvxq

Network Attack Analysis and the Behaviour Engine

Anthony Benham, Huw Read, Iain Sutherland
2013 International Journal of Computing and Network Technology  
, to detect data exfiltration attempts over covert channelling.  ...  Behaviour Engines allow the acquisition of tacit knowledge by using a learn-by-doing workflow and provide a direct interface between the expert user and the developing project code based on an intuitive  ...  These emails include embedded URLs that link to an infected Web page or an embedded object that upon being clicked on, drops a Remote Administration Tool (RAT) for control by an external Command & Control  ... 
doi:10.12785/ijcnt/010202 fatcat:g5chqpaafvdlpas46w4bfikab4

Understanding Malicious Cross-library Data Harvesting on Android

Jice Wang, Yue Xiao, Xueqiang Wang, Yuhong Nan, Luyi Xing, Xiaojing Liao, Jinwei Dong, Nicolás Serrano, Haoran Lu, XiaoFeng Wang, Yuqing Zhang
2021 USENIX Security Symposium  
reports and using C2 server to schedule data exfiltration) and significant impacts.  ...  Using a methodology that incorporates semantic analysis on an SDK's Terms of Services (ToS, which describes restricted data access and sharing policies) and code analysis on cross-library interactions,  ...  The authors of Indiana University are supported in part by Indiana University FRSP-SF and NSF CNS-1618493, 1801432 and 1838083.  ... 
dblp:conf/uss/WangXWNXLDSL0Z21 fatcat:shna4yft3nhcxn76hpitmzpihi

Network Attack Analysis and the Behaviour Engine

A. Benham, H. Read, I. Sutherland
2013 IEEE 27th International Conference on Advanced Information Networking and Applications (AINA)  
, to detect data exfiltration attempts over covert channelling.  ...  Behaviour Engines allow the acquisition of tacit knowledge by using a learn-by-doing workflow and provide a direct interface between the expert user and the developing project code based on an intuitive  ...  These emails include embedded URLs that link to an infected Web page or an embedded object that upon being clicked on, drops a Remote Administration Tool (RAT) for control by an external Command & Control  ... 
doi:10.1109/aina.2013.157 dblp:conf/aina/BenhamRS13 fatcat:zwih4tl2k5chzgvy7qczzf4fzq

Beeswax: a platform for private web apps

Jean-Sébastien Légaré, Robert Sumi, William Aiello
2016 Proceedings on Privacy Enhancing Technologies  
Even if a web-based messaging service offered confidential channels, how would users know whether their keys, or indeed even their plaintext, was not being exfiltrated?  ...  This focuses scrutiny and trust on the platform itself, rather than on all the applications using it.  ...  There currently is not good support for third-party extensions on mobile web browsers.  ... 
doi:10.1515/popets-2016-0014 dblp:journals/popets/LegareSA16 fatcat:zohfxak72jfsrjxmwgs24mitae

Ex-Ray

Michael Weissbacher, Enrico Mariconti, Guillermo Suarez-Tangil, Gianluca Stringhini, William Robertson, Engin Kirda
2017 Proceedings of the 33rd Annual Computer Security Applications Conference on - ACSAC 2017  
In this paper, we present a dynamic technique for identifying privacy-violating extensions in Web browsers that relies solely on observations of the network traffic patterns generated by browser extensions  ...  The area of privacy-violating browser extensions has so far been covered by manual analysis and systems performing search on specific text on network traffic.  ...  ACKNOWLEDGMENTS This work was supported by the National Science Foundation (NSF) under grant CNS-1409738, the EPSRC under grant EP/N008448/1, an EPSRC-funded Future Leaders in Engineering and Physical  ... 
doi:10.1145/3134600.3134632 dblp:conf/acsac/WeissbacherMSSR17 fatcat:fhpddlyojjbtzdvksgb2spymu4

On the Content Security Policy Violations due to the Same-Origin Policy

Dolière Francis Some, Nataliia Bielova, Tamara Rezk
2017 Proceedings of the 26th International Conference on World Wide Web - WWW '17  
that governs interactions between resources of web pages.  ...  In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin.  ...  This way, the third party script successfully bypasses the restrictions of the CSP of the page.  ... 
doi:10.1145/3038912.3052634 dblp:conf/www/SomeBR17 fatcat:ofne4sltgrhcjgbwcqpeplmhla

Accountable Javascript Code Delivery [article]

Ilkan Esiyok, Robert Kuennemann, Pascal Berrang, Katriel Cohn-Gordon
2022 arXiv   pre-print
We propose Accountable JS, a browser extension and opt-in protocol for accountable delivery of active content on a web page.  ...  Due to the ephemeral nature of web applications, a client visiting a website has no guarantee that the code it receives today is the same as yesterday, or the same as others receive.  ...  This is in contrast to trusting a concrete piece of code provided by the third party. We tested this technique using Nimiq's Wallet, which can be embedded in third-party web pages.  ... 
arXiv:2202.09795v1 fatcat:mqqilcl7t5fqrhona5vfwrdecu

Retrofitting Applications with Provenance-Based Security Monitoring [article]

Adam Bates, Kevin Butler, Alin Dobra, Brad Reaves, Patrick Cable, Thomas Moyer, Nabil Schear
2016 arXiv   pre-print
We show how our system can be used in real time to monitor system intrusions or detect data exfiltration attacks while imposing less than 5.1 ms end-to-end overhead on web requests.  ...  Our approach leverages a key insight that minimal knowledge of open protocols can be leveraged to extract precise and efficient provenance information by interposing on application components' communications  ...  Furthermore, instrumentation could extend past the primary software artifact to its dependencies, including the web server, runtime framework, and other third party libraries.  ... 
arXiv:1609.00266v1 fatcat:4spvnliyz5avpakkh5wcpkxvhe

Cybersecurity: Exploring core concepts through six scenarios

Alan T. Sherman, David DeLatte, Michael Neary, Linda Oliva, Dhananjay Phatak, Travis Scheponik, Geoffrey L. Herman, Julia Thompson
2017 Cryptologia  
the need for more thought in cybersecurity on what should be taught and how to teach it.  ...  The target audience is anyone who is interested in learning about cybersecurity, including those with little to no background in cybersecurity.  ...  Funding This work was supported in part by the U.S. Department of Defense under CAE-R grants H98230-15-1-0294 and H98230-15-1-0273, and by the National Science Foundation under SFS grant 1241576.  ... 
doi:10.1080/01611194.2017.1362063 fatcat:7mkrp5q5zze3pmioywlrboqzlu

CloudFence: Data Flow Tracking as a Cloud Service [chapter]

Vasilis Pappas, Vasileios P. Kemerlis, Angeliki Zavou, Michalis Polychronakis, Angelos D. Keromytis
2013 Lecture Notes in Computer Science  
CloudFence allows users to independently audit the treatment of their data by third-party services, through the intervention of the infrastructure provider that hosts these services.  ...  overhead on real settings.  ...  This work was supported by DARPA and the National Science Foundation through Contract FA8651-11-C-7190 and Grant CNS-12-28748, respectively, with additional support from Intel and Google.  ... 
doi:10.1007/978-3-642-41284-4_21 fatcat:ndclb2pbnnenha4vcktyddkwb4

Language-based Defenses Against Untrusted Browser Origins

Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Sergio Maffeis
2013 USENIX Security Symposium  
Bhargavan and Delignat-Lavaud are supported by the ERC Starting Grant CRYSP. Maffeis is supported by EPSRC grant EP/I004246/1.  ...  This is contrary to the usual web security threat model where a website tries to defend itself from third-party components.  ...  Defensive Web Components Web users increasingly store sensitive data on servers spread across the web.  ... 
dblp:conf/uss/BhargavanDM13 fatcat:spuif3bjxjgvfp75yejkbl5che

SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities

Yuchen Zhou, David Evans
2014 USENIX Security Symposium  
Correctly integrating third-party services into web applications is challenging, and mistakes can have grave consequences when third-party services are used for security-critical tasks such as authentication  ...  Since traditional programming techniques are hard to apply to programs running inside black-box web servers, we propose to detect vulnerabilities by probing behaviors of the system.  ...  This work has been supported by a Research Award from Google and research grants from the National Science Foundation and Air Force Office of Scientific Research.  ... 
dblp:conf/uss/ZhouE14 fatcat:ulq2czzzd5gr7dmf2jvyhzngna