
An Empirical study of HTML5 Websockets and their Cross Browser behavior for Mixed Content and Untrusted Certificates

Achin Kulshrestha
2013 International Journal of Computer Applications  
This research provides an overview of the Websocket protocol and API, and focuses on the state of Websocket security.  ...  Today, Websockets is a finished standard and has greatly helped modern web applications to achieve real time communication without any overhead of sending HTTP headers with every request.  ...  Although the Websocket protocol differs from HTTP in various ways, Most of the issues relevant to HTTP based web application such as MITM, authentication and authorization are relevant to Websockets as  ... 
doi:10.5120/14119-2221 fatcat:ot3yhedrgbfw7fzcxhnhfwms6i

How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security

Ben Stock, Martin Johns, Marius Steffens, Michael Backes
2017 USENIX Security Symposium  
This evolution has not followed a security blueprint, resulting in many classes of vulnerabilities specific to the Web. Even though the server-side code of the past  ...  While in its early days, the Web was mostly static, it has organically grown into a full-fledged technology stack.  ...  This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) (FKZ: 16KIS0345).  ... 
dblp:conf/uss/StockJS017 fatcat:vkz2j7q2cbeqdf23necpkgha3u

Content Security Problems?

Stefano Calzavara, Alvise Rabitti, Michele Bugliesi
2016 Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS'16  
Content Security Policy (CSP) is an emerging W3C standard introduced to mitigate the impact of content injection vulnerabilities on websites.  ...  We perform a systematic, large-scale analysis of four key aspects that impact on the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance.  ...  Weissbacher et al. evaluated the deployment of CSP on the Alexa Top 1M in March 2014 [28].  ... 
doi:10.1145/2976749.2978338 dblp:conf/ccs/CalzavaraRB16 fatcat:wntuokgxozgobhb2xq5qt5td6q

Why Is CSP Failing? Trends and Challenges in CSP Adoption [chapter]

Michael Weissbacher, Tobias Lauinger, William Robertson
2014 Lecture Notes in Computer Science  
We performed weekly crawls of the Alexa Top 1M to measure adoption of web security headers, and find that CSP both significantly lags other security headers, and that the policies in use are often ineffective  ...  However, despite the promise of these security benefits and being implemented in almost all major browsers, CSP adoption is minuscule-our measurements show that CSP is deployed in enforcement mode on only  ...  Acknowledgements This work was supported by the Office of Naval Research (ONR) under grant N00014-12-1-0165.  ... 
doi:10.1007/978-3-319-11379-1_11 fatcat:zc3usj2xingmtj4xa2xoxugvh4

ESCUDO: A Fine-Grained Protection Model for Web Browsers

Karthick Jayaraman, Wenliang Du, Balamurugan Rajagopalan, Steve J. Chapin
2010 IEEE 30th International Conference on Distributed Computing Systems
We describe our implementation of a prototype of ESCUDO in the Lobo web browser, and illustrate how web applications can use ESCUDO for securing their resources.  ...  In this paper, we present ESCUDO, a new web browser protection model designed based on established principles of mandatory access control.  ...  Cookies: Typically, web applications instruct the web browser to store a cookie in the browser using a set-cookie header in HTTP.  ... 
doi:10.1109/icdcs.2010.71 dblp:conf/icdcs/JayaramanDRC10 fatcat:7gaztmgmwjfbbicw665vd4e62u

Malicious Websites Detection and Search Engine Protection

Hao Zhou, Jianhua Sun, Hao Chen
2013 Journal of Advances in Computer Networks  
Most existing systems to detect malicious websites focus on a specific attack. At the same time, available browser extensions based on blacklists are powerless against countless websites.  ...  Nevertheless, the flooding of a large number of malicious websites on search engines has posed a tremendous threat to our users.  ...  Jsoup is a Java library that parses HTML to the same DOM as modern browsers do. We use it to retrieve the response of a website and get desired information through parsing the HTML.  ... 
doi:10.7763/jacn.2013.v1.52 fatcat:bwjozmqrcvgkth56dkgoy44tei

Towards stateless, client-side driven Cross-Site Request Forgery protection for Web applications

Sebastian Lekies, Walter Tighzert, Martin Johns
2012 Sicherheit  
This way full coverage of client-side generation of HTTP requests is provided. 1 Introduction Cross-site Request Forgery (CSRF) is one of the dominant threats in the Web application landscape.  ...  Cross-site request forgery (CSRF) is one of the dominant threats in the Web application landscape.  ...  To do this step on the server-side, the filter of the outgoing HTTP responses would have to completely parse the response's HTML content to find all hyperlinks, forms, and other relevant HTML elements.  ... 
dblp:conf/sicherheit/LekiesTJ12 fatcat:abdbwyvbnrdbpad25ryzv3eilu

Oblique: Accelerating Page Loads Using Symbolic Execution

Ronny Ko, James Mickens, Blake Loring, Ravi Netravali
2021 Symposium on Networked Systems Design and Implementation  
In this paper, we introduce Oblique, a third-party web accelerator which enables secure outsourcing of page analysis.  ...  Unfortunately for mobile browsers, latency (not bandwidth) is often the key influence on page load time.  ...  The browser fires this event when the browser has finished the HTML parse, fetched all objects discovered by the parse, and evaluated all of those objects.  ... 
dblp:conf/nsdi/KoMLN21 fatcat:ebuv6dmidjcqtophpv6x6luafi

Architectures for Inlining Security Monitors in Web Applications [chapter]

Jonas Magazinius, Daniel Hedin, Andrei Sabelfeld
2014 Lecture Notes in Computer Science  
Securing JavaScript in the browser is an open and challenging problem.  ...  This paper focuses on securing JavaScript code by inlining security checks in the code before it is executed.  ...  This work was funded by the European Community under the ProSecuToR and WebSand projects and the Swedish agencies SSF and VR.  ... 
doi:10.1007/978-3-319-04897-0_10 fatcat:qypp4vnkzrfj5bgzocnf2ccvs4

Lightweight server support for browser-based CSRF protection

Alexei Czeskis, Alexander Moshchuk, Tadayoshi Kohno, Helen J. Wang
2013 Proceedings of the 22nd international conference on World Wide Web - WWW '13  
Cross-Site Request Forgery (CSRF) attacks are one of the top threats on the web today.  ...  These attacks exploit ambient authority in browsers (e.g., cookies, HTTP authentication state), turning them into confused deputies and causing undesired side effects on vulnerable web sites.  ...  For the redirect chain a.com ⇒ b.com ⇒ c.com, modern browsers (IE, Chrome, Firefox, and Safari) will choose a.com as the referrer if the redirection from b.com ⇒ c.com was made via the HTTP Location header  ... 
doi:10.1145/2488388.2488413 dblp:conf/www/CzeskisMKW13 fatcat:c4l4shopnbamzfbj65ea6jof24

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs [article]

Giancarlo Pellegrino, Martin Johns, Simon Koch, Michael Backes, Christian Rossow
2017 arXiv pre-print
In this paper, we present Deemon, to the best of our knowledge the first automated security testing framework to discover CSRF vulnerabilities.  ...  Using the information captured in the model, our approach then automatically creates and conducts security tests, to practically validate the found CSRF issues.  ...  This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) (FKZ: 16KIS0345, 16KIS0656), the  ... 
arXiv:1708.08786v1 fatcat:zt2vy4wrc5crzknkgzuhgxyceq

Reining in the Web's Inconsistencies with Site Policy

Stefano Calzavara, Tobias Urban, Dennis Tatang, Marius Steffens, Ben Stock
2020 Zenodo  
Over the years, browsers have adopted an ever-increasing number of client-enforced security policies deployed through HTTP headers.  ...  This, however, enables inconsistencies, as different pages within the same security boundaries (in form of origins or sites) can express conflicting security requirements.  ...  While the latter contains 'unsafe-inline', the option is invalid for modern browsers in the presence of hashes.  ... 
doi:10.5281/zenodo.4312470 fatcat:vrvekaqimzhyrjijpd7nojm6tm

Towards a Formal Foundation of Web Security

Devdatta Akhawe, Adam Barth, Peifung E. Lam, John Mitchell, Dawn Song
2010 23rd IEEE Computer Security Foundations Symposium
We propose a formal model of web security based on an abstraction of the web platform and use this model to analyze the security of several sample web mechanisms and applications.  ...  Our case study of a Kerberos-based single sign-on system illustrates the differences between a secure network protocol using custom client software and a similar but vulnerable web protocol that uses cookies  ...  However, we believe our model is an important first step towards creating a formal foundation for web security.  ... 
doi:10.1109/csf.2010.27 dblp:conf/csfw/AkhaweBLMS10 fatcat:f6qmtqticzak3ikxatju4jswl4

Towards automated web application logic reconstruction for application level security [article]

George Noseevich, Dennis Gamayunov
2015 arXiv pre-print
Modern overlay security mechanisms like Web Application Firewalls (WAF) suffer from inability to recognize custom high-level application logic and data objects, which results in low accuracy, high false  ...  We aim at creating multi-layer models that adequately simulate various aspects of web application functionality that are significant for intrusion detection and prevention, including request parsing and  ...  For example, "session id" is transmitted in the cookie header in an HTTP request and must have a correct value for all actions in the non-public part of the service, while "CSRF token" is transmitted in  ... 
arXiv:1511.02564v1 fatcat:5d3d2mcxwbcjrkm7s4hdle2xoy

Delivering a Secured Cloud Computing Architecture and Traditional IT Outsourcing Environment via Penetration Tools in Ghana

Umar Sayibu (Department of Mathematics/ICT, Bagabaga College of Education, Tamale, Ghana), Frimpong Twum, Issah Baako
2019 International Journal of Computer Network and Information Security  
making users' computers potential candidates for botnets and hijacking the sessions of authentic users to make unapproved purchases on their behalf.  ...  In this paper, security penetration tools have been employed to evaluate the security vulnerabilities of cloud-based solutions and Traditional ITO to discover possible vulnerabilities, their causes and  ...  X-Frame-Options Header Not Set: Web applications are exploited in this manner. Modern browsers support the X-Frame-Options HTTP header.  ... 
doi:10.5815/ijcnis.2019.11.06 fatcat:ant7vdyuq5h5zola3r2tcxdsc4