ICTACT Journal on Communication Technology

Open Access Open Access  Restricted Access Subscription Access
Open Access Open Access Open Access  Restricted Access Restricted Access Subscription Access

An Insecure Wild Web:A Large-Scale Study of Effectiveness of Web Security Mechanisms


Affiliations
1 Vishwakarma Institute of Information Technology, India
     

   Subscribe/Renew Journal


This research work presents a large-scale study of the problems in real-world web applications and widely-used mobile browsers. Through a large-scale experiment, we find inconsistencies in Secure Socket Layer (SSL) warnings among popular mobile web browsers (over a billion users download). The majority of popular mobile browsers on the Google Play Store either provide incomplete information in SSL warnings shown to users or failed to provide SSL warnings in the presence of security certificate errors, thus making it a difficult task even for a security savvy user to make an informed decision. In addition, we find that 28% of websites are using mixed content. Mixed content means a secure website (https) loads a sub resource using insecure HTTP protocol. The mixed content weakens the security of entire website and vulnerable to man-in-the-middle (MITM) attacks. Furthermore, we inspected the default behavior of mobile web browsers and report that majority of mobile web browsers allow execution of mixed content in web applications, which implies billions of mobile browser users are vulnerable to eavesdropping and MITM attacks. Based on our findings, we make recommendations for website developers, users and browser vendors.

Keywords

Web Security, Mixed Content, SSL Warnings, HSTS, CSP, X-Frame-Options, X-XSS-Protection.
Subscription Login to verify subscription
User
Notifications
Font Size

  • Yu-Chi Chen and Raylin Tso, “A Survey on Security of Certificateless Signature Schemes”, IETE Technical Review, Vol. 33, No. 2, pp. 115-121, 2016.

  • Majeed Alajeely, Robin Doss and Asmaa Ahmad, “Security and Trust in Opportunistic Networks-A Survey”, IETE Technical Review, Vol. 33, No. 3, pp. 256-268, 2016.

  • Neelam Bhalla, “Information Security: A Technical Review”, IETE Technical Review, Vol. 19, No. 2, pp. 47-59, 2002.

  • Kailas Patil and Braun Frederik, “A Measurement Study of the Content Security Policy on Real-World Applications”, International Journal of Network Security, Vol. 18, No. 2, pp. 383-392, 2016.

  • Kailas Patil, T. Vyas, F. Braun, M. Goodwin, and Z. Liang, “Poster: User CSP-User Specified Content Security Policies”, Proceedings of Symposium on Usable Privacy and Security, pp. 1-2, 2013.

  • Matthew Van Gundy and Hao Chen, “Noncespaces: using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks”, Proceedings of 16th Network and Distributed System Security Symposium, pp. 1-13, 2009.

  • T. Jim, N. Swamy, and M. Hicks, “Defeating Script Injection Attacks with Browser-Enforced Embedded Policies”, Proceedings of 16th International Conference on World Wide Web, pp. 601-610, 2007.

  • D. Akhawe, P. Saxena and D. Song, “Privilege Separation in Html5 Applications”, Proceedings of 21st Conference on Security Symposium, pp. 23, 2012.

  • E. Budianto, Y. Jia, X. Dong, P. Saxena, and Z. Liang, “You can’t be me: Enabling trusted paths and user sub-origins in web browsers”, Proceedings of International Workshop on Recent Advances in Intrusion Detection, pp. 150-171, 2014.

  • Kailas Patil, Xinshu Dong, Xiaolei Li, Zhenkai Liang and Xuxian Jiang, “Towards Fine-Grained Access Control in JavaScript Contexts”, Proceedings of 31st International Conference on Distributed Computing Systems, pp. 720-729, 2011.

  • X. Dong, K. Patil, J. Mao, and Z. Liang, “A Comprehensive Client-Side Behavior Model for Diagnosing Attacks in Ajax Applications”, Proceedings of 18th International Conference in Engineering of Complex Computer Systems, pp. 177-187, 2013.

  • Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin and Dawn Song, “A Systematic Analysis of XSS Sanitization in Web Application Frameworks”, Proceedings of European Symposium on Research in Computer Security, pp. 150-171, 2011.

  • X. Dong, Z. Chen, H. Siadati, S. Tople, P. Saxena, and Z. Liang, “Protecting Sensitive web Content from Client-Side Vulnerabilities with Cryptons”, Proceedings on ACM conference on Computer and Communications Security, pp. 1311-1324, 2013.

  • Amit Klein, “Cross Site Scripting Explained. Sanctum Security Group”, Available at: https://crypto.stanford.edu/cs155/papers/CSS.pdf.

  • Web Application Security Assessment Report, Available at: http://www.cstl.com/CST/Penetration-Test/CST-Web-Application-Testing-Report.pdf.

  • S. Stamm, B. Sterne and G. Markham, “Reining in the Web with Content Security Policy”, Proceedings of 19th International Conference on World Wide Web, pp. 921-930, 2010.

  • HTTP Strict Transport Security (HSTS), Available at: https://tools.ietf.org/html/rfc6797.

  • HTTP Header Field X-Frame-Options, Available at: https://tools.ietf.org/html/rfc7034.

  • Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schechter and Collin Jackson, “Clickjacking: Attacks and Defenses”, Proceedings of 21st USENIX Security Symposium, pp. 413-428, 2012.

  • M. Marlinspike, “New Tricks for Defeating SSL in Practice”, Available at: https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

  • Hossein Saiedian and Dan S. Broyles, “Security Vulnerabilities in the Same-Origin Policy: Implications and Alternatives”, Computer, Vol. 44, No. 9, pp. 29-26, 2011.

  • Scrapy Framework, Available at: https://scrapy.org/, Accessed on 2015.

  • Ronak Shah and Kailas Patil. “Evaluating Effectiveness of Mobile Browser Security Warnings”, ICTACT Journal of Communication Technology, Vol. 7, No. 3, pp. 1373-1378, 2016.

  • Kailas Patil, “Preventing Click Event Hijacking by User Intention Inference”, ICTACT Journal of Communication Technology, Vol. 7, No. 4, pp. 1408-1416, 2016.

  • Kailas Patil, “Request Dependency Integrity: Validating Web Requests using Dependencies in the Browser Environment”, International Journal of Information Privacy, Security and Integrity, Vol. 2, No. 4, pp. 281-306, 2016.

  • Dnyaneshwar K Patil and Kailas Patil, “Automated Client Side Sanitizer for Code Injection Attacks”, International Journal of Information Technology and Computer Science, Vol. 8, No. 4, pp. 86-95, 2016.

  • Dnyaneshwar K. Patil and Kailas Patil, “Client-Side Automated Sanitizer for Cross-Site Scripting Vulnerabilities”, International Journal of Computer Applications, Vol. 121, No. 20, pp. 1-7, 2015.

  • Kailas Patil, “Isolating Malicious Content Scripts of Browser Extensions”, International Journal of Information Privacy, Security and Integrity, 2017.

  • User Agent String Explained, Available at: http://www.useragentstring.com/, Accessed on 2013.


Abstract Views: 231

PDF Views: 2




  • An Insecure Wild Web:A Large-Scale Study of Effectiveness of Web Security Mechanisms

Abstract Views: 231  |  PDF Views: 2

Authors

Kailas Patil
Vishwakarma Institute of Information Technology, India

Abstract


This research work presents a large-scale study of the problems in real-world web applications and widely-used mobile browsers. Through a large-scale experiment, we find inconsistencies in Secure Socket Layer (SSL) warnings among popular mobile web browsers (over a billion users download). The majority of popular mobile browsers on the Google Play Store either provide incomplete information in SSL warnings shown to users or failed to provide SSL warnings in the presence of security certificate errors, thus making it a difficult task even for a security savvy user to make an informed decision. In addition, we find that 28% of websites are using mixed content. Mixed content means a secure website (https) loads a sub resource using insecure HTTP protocol. The mixed content weakens the security of entire website and vulnerable to man-in-the-middle (MITM) attacks. Furthermore, we inspected the default behavior of mobile web browsers and report that majority of mobile web browsers allow execution of mixed content in web applications, which implies billions of mobile browser users are vulnerable to eavesdropping and MITM attacks. Based on our findings, we make recommendations for website developers, users and browser vendors.

Keywords


Web Security, Mixed Content, SSL Warnings, HSTS, CSP, X-Frame-Options, X-XSS-Protection.

References