Large-Scale Security Analysis of the Web: Challenges and Findings

  • Tom van Goethem
  • Ping Chen
  • Nick Nikiforakis
  • Lieven Desmet
  • Wouter Joosen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8564)


As the web expands in size and adoption, so does the interest of attackers who seek to exploit web applications and exfiltrate user data. While there is a steady stream of news regarding major breaches and millions of user credentials compromised, it is logical to assume that, over time, the applications of the bigger players of the web are becoming more secure. However, as these applications become resistant to most prevalent attacks, adversaries may be tempted to move to easier, unprotected targets which still hold sensitive user data.

In this paper, we report on the state of security for more than 22,000 websites that originate in 28 EU countries. We first explore the adoption of countermeasures that can be used to defend against common attacks and serve as indicators of “security consciousness”. Moreover, we search for the presence of common vulnerabilities and weaknesses and, together with the adoption of defense mechanisms, use our findings to estimate the overall security of these websites. Among other results, we show how a website’s popularity relates to the adoption of security defenses and we report on the discovery of three, previously unreported, attack variations that attackers could have used to attack millions of users.


Keywords: European Union; European Union Country; Negative Score; Security Feature; Security Consciousness
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Tom van Goethem (1)
  • Ping Chen (1)
  • Nick Nikiforakis (1)
  • Lieven Desmet (1)
  • Wouter Joosen (1)

  1. iMinds-DistriNet, KU Leuven, Leuven, Belgium
