Security Implications of Using Third-Party Resources in the World Wide Web

Karlis Podins, Arturs Lavrenovs
DOI: 10.1109/AIEEE.2018.8592057 (https://doi.org/10.1109/AIEEE.2018.8592057)
Published in: 2018 IEEE 6th Workshop on Advances in Information, Electronic and Electrical Engineering (AIEEE)
Publication date: 2018-11-01
Citations: 3

Abstract

Modern web pages have nothing in common with the static connotation of the word “page” - a page is a dynamic, unique experience created by active content executed within the browser, assembled just in time from resources hosted on many different domains. Active content increases the attack surface, naturally exposing users to many novel threats. Popular security advice has been to deploy active-content blocker plugins such as NoScript; unfortunately, they are not capable of effectively stopping these attacks. Content Security Policy (CSP) can be effective against them, but we demonstrate how poor decisions made by website administrators or external resource hosters can render CSP ineffective. As a practical contribution, we scanned the Alexa Top Million web pages for insecure CSP configuration and conducted a follow-up scan one year later to observe the changes. Initially only 2% of those web pages were observed to use CSP, but in the follow-up the percentage more than doubled. We found a substantial number of web pages with overly loose CSP rules: about 5% of websites that have CSP still enable a determined attacker to host malicious content on commercial external resources while satisfying the CSP rule when exploiting a Cross-Site Scripting vulnerability. We also provide a model for the problem domain, a formalization of user and domain models, and a preferred user security policy.