- From: Jeff Hodges <jdhodges@google.com>
- Date: Mon, 7 Jun 2021 08:17:43 -0700
- To: public-webappsec@w3.org
- Message-ID: <CAOt3QXtQzZ82g2c5THFdA9B_+UwhrYLKTFgNEPJJXk84N7BMYg@mail.gmail.com>
[ from the latest Bulletproof TLS Newsletter <https://www.feistyduck.com/bulletproof-tls-newsletter/issue_77_quic_graduates_to_rfc_9000> ] First, Do No Harm: Studying the manipulation ofsecurity headers in browser extensions <https://swag.cispa.saarland/papers/agarwal2021extensions.pdf>. Shubham Agarwal, Ben Stock, Network and Distributed Systems Security (NDSS) Symposium 2021, 21-24 February 2021, San Diego, CA, USA. Abstract—Browser extensions are add-ons that aim to enhance the functionality of native Web applications on the client side. They intend to provide a rich end-user experience by leveraging feature-rich privileged JavaScript APIs, otherwise inaccessible for native applications. However, numerous large-scale investigations have also reported that extensions often indulge in malicious activities by exploiting access to these privileged APIs such as ad injection, stealing privacy-sensitive data, user fingerprinting, spying user activities on the Web, and malware distribution. In this work, we instead focus on tampering with security headers. To that end, we analyze over 186K Chrome extensions, publicly available on the Chrome Web Store, to detect extensions that actively intercept requests and responses and tamper with their security headers by either injecting, dropping, or modifying them, thereby undermining the security guarantees that these headers typically provide. We propose an automated framework to detect such extensions by leveraging a combination of static and dynamic analysis techniques. We evaluate our proposed methodology by investigating the extensions’ behavior against Tranco Top 100 domains and domains targeted explicitly by the extensions under test and report our findings. We observe that over 2.4K extensions actively tamper with at least one security header, undermining the purpose of the server-delivered, clientenforced security headers. [ ... ] B. HTTP Security Headers [ ... ] ... We focus on four widely-used, security-critical headers deployed by popular Web applications for this study, based on our observations from recent academic and non-academic studies over adoptions of various HTTP security headers such as by Buchanan et al. [6] and other following works. 1) Content-Security Policy (CSP): ... 2) HTTP Strict-Transport-Security (HSTS): ... 3) X-Frame-Options: ... 4) X-Content-Type-Options: ...
Received on Monday, 7 June 2021 15:20:06 UTC