While web pages sent over HTTP have no integrity guarantees, it is commonly assumed that such pages are not modified in transit. In this paper, we provide evidence of surprisingly widespread and diverse changes made to web pages between the server and client. Over 1% of web clients in our study received altered pages, and we show that these changes often have undesirable consequences for web publishers or end users. Such changes include popup-blocking scripts inserted by client software, advertisements injected by ISPs, and even malicious code likely inserted by malware using ARP poisoning. Additionally, we find that changes introduced by client software can inadvertently cause harm, such as introducing cross-site scripting vulnerabilities into most pages a client visits. To help publishers understand and react appropriately to such changes, we introduce web tripwires: client-side JavaScript code that can detect most in-flight modifications to a web page. We discuss several web tripwire designs intended to provide basic integrity checks for web servers. We show that they are more flexible and less expensive than switching to HTTPS and do not require changes to current browsers.
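As an added illustration (not code from the paper), the sketch below shows one way a tripwire check of this kind can work, assuming the server ships an encoded known-good copy of the page alongside the script and the script is handed the HTML the client actually received. The names `encodeKnownGood`, `countScripts` and `checkTripwire` and the sample pages are constructed for this example.

```javascript
// Added illustration, not the paper's code. All names here are hypothetical.

// Server side: encode the known-good HTML so that an in-flight rewriter that
// scans for tags does not also rewrite the reference copy.
function encodeKnownGood(html) {
  return encodeURIComponent(html);
}

// Count <script> start tags; a higher count than expected means injected code.
function countScripts(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Client side: compare the HTML the client received with the reference copy.
// Reports the one region left after trimming the common prefix and suffix;
// region edges can land inside a tag when neighbouring characters are shared.
function checkTripwire(receivedHtml, encodedKnownGood) {
  const expected = decodeURIComponent(encodedKnownGood);
  if (receivedHtml === expected) {
    return { modified: false, scriptsAdded: 0 };
  }
  const limit = Math.min(expected.length, receivedHtml.length);
  let start = 0;
  while (start < limit && expected[start] === receivedHtml[start]) start++;
  let endE = expected.length;
  let endR = receivedHtml.length;
  while (endE > start && endR > start &&
         expected[endE - 1] === receivedHtml[endR - 1]) {
    endE--;
    endR--;
  }
  return {
    modified: true,
    offset: start,
    removed: expected.slice(start, endE),
    inserted: receivedHtml.slice(start, endR),
    scriptsAdded: countScripts(receivedHtml) - countScripts(expected),
  };
}

// Constructed sample: the page as published, and as altered in transit.
const PUBLISHED = '<html><body><p>hello</p></body></html>';
const RECEIVED = '<html><body><p>hello</p>' +
  '<script src="http://ads.example/a.js"></script></body></html>';

console.log(checkTripwire(RECEIVED, encodeKnownGood(PUBLISHED)));
```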