Understanding and Mitigating the Security Risks of Content Inclusion in Web Browsers
Thanks to the wide range of features offered by web browsers, modern websites include various types of content such as JavaScript and CSS in order to create interactive user interfaces. Browser vendors also provided extensions to enhance web browsers with additional useful capabilities that are not necessarily maintained or supported by default.
However, included content can introduce security risks to users of these websites, unbeknownst to both website operators and users. In addition, the browser's interpretation of the resource URLs may be very different from how the web server resolves the URL to determine which resource should be returned to the browser. The URL may not correspond to an actual server-side file system structure at all, or the web server may internally rewrite parts of the URL. This semantic disconnect between web browsers and web servers in interpreting relative paths (path confusion) could be exploited by Relative Path Overwrite (RPO). On the other hand, even tough extensions provide useful additional functionality for web browsers, they are also an increasingly popular vector for attacks. Due to the high degree of privilege extensions can hold, extensions have been abused to inject advertisements into web pages that divert revenue from content publishers and potentially expose users to malware.
In this thesis, I propose novel research into understanding and mitigating the security risks of content inclusion in web browsers to protect website publishers as well as their users. First, I introduce an in-browser approach called Excision to automatically detect and block malicious third-party content inclusions as web pages are loaded into the user's browser or during the execution of browser extensions. Then, I propose OriginTracer, an in-browser approach to highlight extension-based content modification of web pages. Finally, I present the first in-depth study of style injection vulnerability using RPO and discuss potential countermeasures.
However, included content can introduce security risks to users of these websites, unbeknownst to both website operators and users. In addition, the browser's interpretation of the resource URLs may be very different from how the web server resolves the URL to determine which resource should be returned to the browser. The URL may not correspond to an actual server-side file system structure at all, or the web server may internally rewrite parts of the URL. This semantic disconnect between web browsers and web servers in interpreting relative paths (path confusion) could be exploited by Relative Path Overwrite (RPO). On the other hand, even tough extensions provide useful additional functionality for web browsers, they are also an increasingly popular vector for attacks. Due to the high degree of privilege extensions can hold, extensions have been abused to inject advertisements into web pages that divert revenue from content publishers and potentially expose users to malware.
In this thesis, I propose novel research into understanding and mitigating the security risks of content inclusion in web browsers to protect website publishers as well as their users. First, I introduce an in-browser approach called Excision to automatically detect and block malicious third-party content inclusions as web pages are loaded into the user's browser or during the execution of browser extensions. Then, I propose OriginTracer, an in-browser approach to highlight extension-based content modification of web pages. Finally, I present the first in-depth study of style injection vulnerability using RPO and discuss potential countermeasures.
Doctor of Philosophy (PhD) Thesis, 2019
[Dissertation] [Slides]
Comments
Post a Comment