BrowserAudit: automated testing of browser security features

Proceedings of the 2015 International Symposium on Software Testing and Analysis Pub Date : 2015-07-13 DOI:10.1145/2771783.2771789

Charlie Hothersall-Thomas, S. Maffeis, Chris Novakovic

{"title":"BrowserAudit: automated testing of browser security features","authors":"Charlie Hothersall-Thomas, S. Maffeis, Chris Novakovic","doi":"10.1145/2771783.2771789","DOIUrl":null,"url":null,"abstract":"The security of the client side of a web application relies on browser features such as cookies, the same-origin policy and HTTPS. As the client side grows increasingly powerful and sophisticated, browser vendors have stepped up their offering of security mechanisms which can be leveraged to protect it. These are often introduced experimentally and informally and, as adoption increases, gradually become standardised (e.g., CSP, CORS and HSTS). Considering the diverse landscape of browser vendors, releases, and customised versions for mobile and embedded devices, there is a compelling need for a systematic assessment of browser security. We present BrowserAudit, a tool for testing that a deployed browser enforces the guarantees implied by the main standardised and experimental security mechanisms. It includes more than 400 fully-automated tests that exercise a broad range of security features, helping web users, application developers and security researchers to make an informed security assessment of a deployed browser. We validate BrowserAudit by discovering both fresh and known security-related bugs in major browsers.","PeriodicalId":264859,"journal":{"name":"Proceedings of the 2015 International Symposium on Software Testing and Analysis","volume":"27 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-07-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"17","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2015 International Symposium on Software Testing and Analysis","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2771783.2771789","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 17

Abstract

The security of the client side of a web application relies on browser features such as cookies, the same-origin policy and HTTPS. As the client side grows increasingly powerful and sophisticated, browser vendors have stepped up their offering of security mechanisms which can be leveraged to protect it. These are often introduced experimentally and informally and, as adoption increases, gradually become standardised (e.g., CSP, CORS and HSTS). Considering the diverse landscape of browser vendors, releases, and customised versions for mobile and embedded devices, there is a compelling need for a systematic assessment of browser security. We present BrowserAudit, a tool for testing that a deployed browser enforces the guarantees implied by the main standardised and experimental security mechanisms. It includes more than 400 fully-automated tests that exercise a broad range of security features, helping web users, application developers and security researchers to make an informed security assessment of a deployed browser. We validate BrowserAudit by discovering both fresh and known security-related bugs in major browsers.

查看原文本刊更多论文

BrowserAudit:自动测试浏览器的安全特性

web应用程序客户端的安全性依赖于浏览器的特性，如cookie、同源策略和HTTPS。随着客户端变得越来越强大和复杂，浏览器供应商已经加快了提供安全机制的步伐，可以利用这些机制来保护客户端。这些通常是实验性的和非正式的，随着采用的增加，逐渐标准化(例如，CSP、CORS和HSTS)。考虑到浏览器供应商、发行版本以及针对移动和嵌入式设备的定制版本的多样性，我们迫切需要对浏览器安全性进行系统评估。我们提供了BrowserAudit，一个用于测试已部署的浏览器是否执行了主要标准化和实验性安全机制所隐含的保证的工具。它包括400多个全自动测试，测试了广泛的安全特性，帮助网络用户、应用程序开发人员和安全研究人员对部署的浏览器做出明智的安全评估。我们通过发现主流浏览器中新的和已知的安全相关错误来验证BrowserAudit。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2015 International Symposium on Software Testing and Analysis

自引率

0.00%

发文量