CPL - Chalmers Publication Library

Content Security for Web Applications

Daniel Hausknecht (Institutionen för data- och informationsteknik, Programvaruteknik (Chalmers))
Göteborg: Chalmers University of Technology, 2016. - 95 pp.
[Licentiate thesis]

This thesis focuses on security problems related to web applications and web browsers by analyzing real-world web applications and modern client-side security mechanisms. For the latter, we mostly look at practical issues related to Content Security Policy (CSP) enforcement in web browsers. First, we inspect password meter and password generator implementations on the web in a large-scale empirical study. After discussing current practices and security concerns, we develop a generic framework for integrating password meters and generators in a secure way. We implement this framework solely with today's existing browser technologies and demonstrate its effectiveness with a real-world password meter. Browsers come with frameworks for adding functionality through browser extensions. By design, extensions are very powerful and can access and modify every part of a visited web page, from HTTP headers to the page's DOM. This also means that security measures can be weakened or even removed completely. We investigate whether and how browser extensions abuse this power by analyzing a large set of real-world browser extensions, and we implement a mechanism that allows web servers to react to CSP header modifications made by browser extensions. Last, we shed light on CSP in the context of data exfiltration and on the dispute in the security community over whether CSP is meant to protect against it. We analyze the practical implications through an empirical study of DNS and resource prefetching mechanisms in web browsers that allow data exfiltration despite CSP. Finally, we discuss possible research directions for limiting data exfiltration attacks in the future.

Keywords: web security, browser security, content security policy, empirical study




This record was created 2016-02-18.
CPL Pubid: 232197


Departments (Chalmers)

Institutionen för data- och informationsteknik, Programvaruteknik (Chalmers)

Subject areas

Information and communication technology
Computer science

Examination

Date: 2016-02-29
Time: 13:00
Room: EE (EDIT building)
Opponent: William Robertson