Testing for Integrity Flaws in Web Sessions

Calzavara, Stefano; Rabitti, Alvise; Ragazzo, Alessio; Bugliesi, Michele

doi:10.1007/978-3-030-29962-0_29

Cited by 7 publications

(4 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Of particular concern is the vulnerability of JavaScript in supply chain attacks [23,24,25], highlighting de ciencies in verifying the integrity of third-party script content, making JavaScript a potential threat that jeopardizes user security. To enhance the security of government websites, security measures such as Subresource Integrity (SRI) [26] and Content Security Policy (CSP) [27,28,29,30,31,32] become crucial. These measures help mitigate security risks faced by government websites and enhance their resilience against malicious attacks.…”

Section: Related Workmentioning

confidence: 99%

SilkSecured: A Comprehensive Analysis of Security and Dependencies in China's Governmental Web Systems

Zuo,

Cheng,

et al. 2024

Preprint

View full text Add to dashboard Cite

The study "SilkSecured" delves into the practice of governmental web systems in China. It scrutinizes the security and dependency challenges besieging China's governmental web infrastructure, with an intent to unearth pivotal concerns and proffer enhancements. The inquiry reveals substantial vulnerabilities and dependencies that could impede the digital efficacy and safety of governmental web systems. To counter these identified frailties, "SilkSecured" presents a suite of strategic recommendations tailored to bolster the digital fortitude of China's governmental web infrastructure. It underscores the critical need for robust domain name resolution services to assure secure and reliable access to government websites. The study accentuates the necessity for stringent vetting and regular updates of third-party libraries, aiming to avert potential security threats. Furthermore, it advocates for an optimized deployment of web systems by advocating for a diversified distribution of network nodes, which could substantially augment system resilience and performance. Through this comprehensive analysis, "SilkSecured" aspires to serve as a beacon for governmental departments, championing the ongoing enhancement of security protocols within China's governmental web domains. This initiative is envisioned to fortify the digital infrastructure against the spectrum of evolving cyber threats, thus safeguarding the digital governance ecosystem in China. The recommendations provided aim to underpin the robustness and reliability of governmental web systems, ensuring their integrity in the digital era.

show abstract

Section: Related Workmentioning

confidence: 99%

SilkSecured: A Comprehensive Analysis of Security and Dependencies in China's Governmental Web Systems

Zuo,

Cheng,

et al. 2024

Preprint

View full text Add to dashboard Cite

show abstract

“…The deployment of HSTS policy grows in recent years [16,54]. However, HSTS still has security issues due to misconfigurations [42,46,60] and partial adoptions [21,61]. Adversaries can use these weak practices to bypass the protection of HSTS policy [59], which also applies to SCC attacks.…”

Section: Bypassing Https Security Policiesmentioning

confidence: 99%

“…By measuring and exploring the adoption, works show that HSTS policy is still messed in configuration [42,46,54,60] and can be bypassed [59]. Some variants of stripping attacks appear, when HSTS is partially deployed [22,42,61], or in the help of malicious DNS servers [13,33]. However, these stripping attacks are noticeable to users now, because of browser security indicators, which show connection security and the authenticity of the remote web server.…”

Section: Related Workmentioning

confidence: 99%

Talking with Familiar Strangers: An Empirical Study on HTTPS Context Confusion Attacks

Zhang

Zheng

Shen

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

HTTPS is principally designed for secure end-to-end communication, which adds confidentiality and integrity to sensitive data transmission. While several man-in-the-middle attacks (e.g., SSL Stripping) are available to break the secured connections, state-ofthe-art security policies (e.g., HSTS) have significantly increased the cost of successful attacks. However, the TLS certificates shared by multiple domains make HTTPS hijacking attacks possible again. In this paper, we term the HTTPS MITM attacks based on the shared TLS certificates as HTTPS Context Confusion Attack (SCC Attack). Despite a known threat, it has not yet been studied thoroughly. We aim to fill this gap with an in-depth empirical assessment of SCC Attack. We find the attack can succeed even for servers that have deployed current best practice of security policies. By rerouting encrypted traffic to another flawed server that shares the TLS certificate, attackers can bypass the security practices, hijack the ongoing HTTPS connections, and subsequently launch additional attacks including phishing and payment hijacking. Particularly, vulnerable HTTP headers from a third-party server are exploitable for this attack, and it is possible to hijack an already-established secure connection. Through tests on popular websites, we find vulnerable subdomains under 126 apex domains in Alexa top 500 sites, including large vendors like Alibaba, JD, and Microsoft. Meanwhile, through a large-scale measurement, we find that TLS certificate sharing is prominent, which uncovers the high potential of such attacks, and we summarize the security dependencies among different parties. For responsible disclosure, we have reported the issues to affected vendors and received positive feedback. Our study sheds light on an influential attack surface of the HTTPS ecosystem and calls for proper mitigation against MITM attacks. CCS CONCEPTS • Security and privacy → Security services; Network security.

show abstract

“…The notion of related-domain attacker was first introduced by Bortz, Barth and Czeskis [10]. Their work identified the security risks posed by related do- [16]. Related-domain attackers have also been considered in formal web security models, again in the context of web sessions [14].…”

Section: Related Workmentioning

confidence: 99%

Can I Take Your Subdomain? Exploring Related-Domain Attacks in the Modern Web

Squarcina¹,

Tempesta²,

Veronese³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention by the research community. In this paper we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications.

show abstract

Testing for Integrity Flaws in Web Sessions

Cited by 7 publications

References 24 publications

SilkSecured: A Comprehensive Analysis of Security and Dependencies in China's Governmental Web Systems

SilkSecured: A Comprehensive Analysis of Security and Dependencies in China's Governmental Web Systems

Talking with Familiar Strangers: An Empirical Study on HTTPS Context Confusion Attacks

Can I Take Your Subdomain? Exploring Related-Domain Attacks in the Modern Web

Contact Info

Product

Resources

About