Security Challenges in an Increasingly Tangled Web

Kumar, Deepak; Ma, Zane; Durumeric, Zakir; Mirian, Ariana; Mason, Joshua; Halderman, J. Alex; Bailey, Michael

doi:10.1145/3038912.3052686

Cited by 40 publications

(31 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Unfortunately, no in-depth analysis about the adoption and the understanding of SRI (by web developers) has been performed so far. Most existing works [25,39] focus on modest-size datasets of webpages, focus on one snapshot only, and only look at the basic statistics, e.g., they do not study the main factors behind the adoption/usage of SRI. Our work lls this gap (i) by conducting the rst large-scale longitudinal study on the adoption/usage of SRI on the Web, and (ii) by surveying web developers regarding their understanding and usage of SRI.…”

Section: Introductionmentioning

confidence: 99%

An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

Chapuis¹,

Omolola²,

Cherubini³

et al. 2020

Proceedings of the Web Conference 2020

View full text Add to dashboard Cite

Web developers can (and do) include subresources such as scripts, stylesheets and images in their webpages. Such subresources might be stored on content delivery networks (CDNs). This practice creates security and privacy risks, should a subresource be corrupted. The subresource integrity (SRI) recommendation, released in mid-2016 by the W3C, enables developers to include digests in their webpages in order for web browsers to verify the integrity of subresources before loading them. In this paper, we conduct the rst large-scale longitudinal study of the use of SRI on the Web by analyzing massive crawls (≈3B URLs) of the Web over the last 3.5 years. Our results show that the adoption of SRI is modest (≈3.40%), but grows at an increasing rate and is highly in uenced by the practices of popular library developers (e.g., Bootstrap) and CDN operators (e.g., jsDelivr). We complement our analysis about SRI with a survey of web developers (=227): It shows that a substantial proportion of developers know SRI and understand its basic functioning, but most of them ignore important aspects of the recommendation. The results of the survey also show that the integration of SRI by developers is mostly manual-hence not scalable and error prone. This calls for a better integration of SRI in build tools. CCS CONCEPTS • Security and privacy → Web protocol security; Hash functions and message authentication codes.

show abstract

Section: Introductionmentioning

confidence: 99%

An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

Chapuis¹,

Omolola²,

Cherubini³

et al. 2020

Proceedings of the Web Conference 2020

View full text Add to dashboard Cite

show abstract

“…Assuming that no other whitelisted source suffers from an open redirect vulnerability, a developer needs to only whitelist full URLs. This may, however, be brittle when considering that third parties often add more scripts [10,11], for which URLs can change, which would violate the CSP. Hence, we overall find that the prevalence of script gadgets on many widely used hosts severely impairs CSP's ability to mitigate XSS attacks.…”

Section: Discussionmentioning

confidence: 99%

Assessing the Impact of Script Gadgets on CSP at Scale

Roth

Backes

Stock

2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…We obtain the resource dependencies of the Alexa top-200K websites' main pages 1 using the method described in [28]. This Chromium-based Headless [12] crawler renders a given website and tracks resource dependencies by recording network requests sent to third-party domains.…”

Section: Data Collectionmentioning

confidence: 99%

“…Our study is far broader, and sheds light on dependency chains across many different types of websites rather than simply inspecting advertisements. More related is Kumar et al [28], who recently characterized websites' resource dependencies on third-party services. In-line with our work, they found that dependency chains are widespread.…”

Section: Related Workmentioning

confidence: 99%

The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading

Ikram

Masood

Tyson

et al. 2019

The World Wide Web Conference

View full text Add to dashboard Cite

The Web is a tangled mass of interconnected services, where websites import a range of external resources from various third-party domains. However, the latter can further load resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third-parties. The chain can only be loosely controlled as first-party websites often have little, if any, visibility of where these resources are loaded from. This paper performs a large-scale study of dependency chains in the Web, to find that around 50% of first-party websites render content that they did not directly load. Although the majority (84.91%) of websites have short dependency chains (below 3 levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third-parties are classified as suspicious -although seemingly small, this limited set of suspicious third-parties have remarkable reach into the wider ecosystem. By running sandboxed experiments, we observe a range of activities with the majority of suspicious JavaScript downloading malware; worryingly, we find this propensity is greater among implicitly trusted JavaScripts.

show abstract

Security Challenges in an Increasingly Tangled Web

Cited by 40 publications

References 16 publications

An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

Assessing the Impact of Script Gadgets on CSP at Scale

The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading

Contact Info

Product

Resources

About