Large-Scale Security Analysis of the Web: Challenges and Findings

Goethem, Tom Van; Chen, Ping; Nikiforakis, Nick; Desmet, Lieven; Joosen, Wouter

doi:10.1007/978-3-319-08593-7_8

Cited by 41 publications

(28 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The present paper positions itself in the popular research line of large-scale security evaluations of the Web [27]. Just to mention a few relevant works, previous evaluations focused on other aspects of web security, like remote JavaScript inclusion [19], DOM-based XSS [15], mixed content websites [7], authentication cookies [6] and HSTS [14].…”

Section: Large-scale Analysis Of the Webmentioning

confidence: 99%

Semantics-Based Analysis of Content Security Policy Deployment

2018

View full text Add to dashboard Cite

Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this paper we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of few notable issues, but unfortunately there are several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more rooted into the CSP design.

show abstract

Section: Large-scale Analysis Of the Webmentioning

confidence: 99%

Semantics-Based Analysis of Content Security Policy Deployment

2018

View full text Add to dashboard Cite

show abstract

“…The first observation relates to the approximate installation amounts. Although WordPress has received attention in Internet measurement research [35,36], there is no good understanding on how many websites are actually powered by the CMS, let alone on how many of these online deployments are running with plugins. While keeping this point in mind, the outer plot in Fig.…”

Section: Meta-datamentioning

confidence: 99%

A Demand-Side Viewpoint to Software Vulnerabilities in WordPress Plugins

Ruohonen

2019

Proceedings of the Evaluation and Assessment on Software Engineering

View full text Add to dashboard Cite

WordPress has long been the most popular content management system (CMS). This CMS powers millions and millions of websites. Although WordPress has had a particularly bad track record in terms of security, in recent years many of the well-known security risks have transmuted from the core WordPress to the numerous plugins and themes written for the CMS. Given this background, the paper analyzes known software vulnerabilities discovered from WordPress plugins. A demand-side viewpoint was used to motivate the analysis; the basic hypothesis is that plugins with large installation bases have been affected by multiple vulnerabilities. As the hypothesis also holds according to the empirical results, the paper contributes to the recent discussion about common security folklore. A few general insights are also provided about the relation between software vulnerabilities and software maintenance. CCS CONCEPTS• Security and privacy → Web application security;

show abstract

“…Such an assessment typically involves a large number of websites belonging to a country, or a specific industry sector, and hence it has to be done externally for efficiency, since traditional internal penetration testing and code reviewing for each website is time and labor consuming. Recently, Van Goethem et al [30] conducted a security assessment for more than 22,000 European websites, and proposed a score system to compare different websites' security levels, showing that such a large-scale security analysis of the web is achievable, albeit challenging.…”

Section: Introductionmentioning

confidence: 99%

Security Analysis of the Chinese Web

Chen

Nikiforakis

Desmet

et al. 2014

Proceedings of the 2014 Workshop on Cyber Security Analytics, Intelligence and Automation

Self Cite

View full text Add to dashboard Cite

As the web rapidly expands and gets integrated into the daily lives of more and more people, so does the number of cyber attacks against it. To defend against attackers, website operators can utilize a wide range of defense mechanisms, both at the server-side, as well as the client-side of their web applications. From a security-metrics standpoint, the presence or absence of these mechanisms can be used as a security indicator of any given website.In this paper, through a large-scale analysis of the 10,000 most popular Chinese websites, we analyze the security of the Chinese web by investigating the usage of client-side security policies, and evaluating the discovered HTTPS implementations. We show that, when compared to popular websites of the rest of the world, a significant fraction of Chinese websites lag behind on the adoption of good security practices. Among other findings, we report on the fact that 6% of websites inadvertently leak private user information, such as Chinese identity numbers, by placing spreadsheet files with sensitive content in directories indexed by search engines.

show abstract

Large-Scale Security Analysis of the Web: Challenges and Findings

Cited by 41 publications

References 12 publications

Semantics-Based Analysis of Content Security Policy Deployment

Semantics-Based Analysis of Content Security Policy Deployment

A Demand-Side Viewpoint to Software Vulnerabilities in WordPress Plugins

Security Analysis of the Chinese Web

Contact Info

Product

Resources

About