Improving browser security policies

  • Authors: Collin Jackson
  • Affiliations: Stanford University
  • Venue: Improving browser security policies
  • Year: 2009

Abstract

Browsers are rapidly improving as a platform for compelling, interactive applications. Unfortunately, the web security model is still not fully understood. Existing browser security policies were designed in an era where Web users only interacted with one principal at a time, but modern browsers often have many tabs open simultaneously, and these tabs often contain third-party content from multiple sources. In this thesis, we articulate the "web attacker" threat model, which captures these multi-principal interactions, and use this threat model to demonstrate a variety of attacks on existing browser security policies. These attacks can be used to bypass firewalls, intercept private data, and forge unauthorized transactions. We collaborate with browser and plug-in vendors to deploy industry-wide solutions. We also show how web advertising networks, a powerful weapon in the hands of the web attacker, can be equally powerful to security researchers as a platform for research and analysis.