Skip to main content

Large-Scale Security Analysis of the Web: Challenges and Findings

  • Conference paper
Trust and Trustworthy Computing (Trust 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8564))

Included in the following conference series:

Abstract

As the web expands in size and adoption, so does the interest of attackers who seek to exploit web applications and exfiltrate user data. While there is a steady stream of news regarding major breaches and millions of user credentials compromised, it is logical to assume that, over time, the applications of the bigger players of the web are becoming more secure. However, as these applications become resistant to most prevalent attacks, adversaries may be tempted to move to easier, unprotected targets which still hold sensitive user data.

In this paper, we report on the state of security for more than 22,000 websites that originate in 28 EU countries. We first explore the adoption of countermeasures that can be used to defend against common attacks and serve as indicators of “security consciousness”. Moreover, we search for the presence of common vulnerabilities and weaknesses and, together with the adoption of defense mechanisms, use our findings to estimate the overall security of these websites. Among other results, we show how a website’s popularity relates to the adoption of security defenses and we report on the discovery of three, previously unreported, attack variations that attackers could have used to attack millions of users.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Bing Search API, http://datamarket.azure.com/dataset/bing/search

  2. Common Vulnerability Scoring System (CVSS), http://www.first.org/cvss

  3. Common Weakness Scoring System (CWSS), https://cwe.mitre.org/cwss/

  4. OWASP Top Ten Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

  5. Phantomjs: Headless webkit with javascript api, https://www.phantomjs.org/

  6. SSL Pulse, https://www.trustworthyinternet.org/ssl-pulse/

  7. sslyze, https://github.com/iSECPartners/sslyze

  8. Alarifi, A., Alsaleh, M., Al-Salman, A.: Security analysis of top visited arabic web sites. In: 2013 15th International Conference on Advanced Communication Technology (ICACT), pp. 173–178. IEEE (2013)

    Google Scholar 

  9. Balduzzi, M., Gimenez, C.T., Balzarotti, D., Kirda, E.: Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications. In: 18th Annual Network and Distributed System Security Symposium, San Diego, USA (2011)

    Google Scholar 

  10. Barth, A.: HTTP state management mechanism. IETF RFC (2011)

    Google Scholar 

  11. Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM conference on Computer and communications security, CCS 2008, pp. 75–88. ACM, New York (2008)

    Google Scholar 

  12. Canali, D., Balzarotti, D., Francillon, A.: The role of web hosting providers in detecting compromised websites. In: Proceedings of the 22nd International Conference on World Wide Web, WWW 2013, pp. 177–188 (2013)

    Google Scholar 

  13. Chen, P., Nikiforakis, N., Huygens, C., Desmet, L.: A Dangerous Mix: Large-scale analysis of mixed-content websites. In: Proceedings of the 16th Information Security Conference, ISC 2013, Dallas, USA (2013)

    Google Scholar 

  14. Thai Duong and Juliano Rizzo. Here Come The ⊕ Ninjas (2011)

    Google Scholar 

  15. Hodges, J., Jackson, C., Barth, A.: HTTP strict transport security (HSTS). IETF RFC (2012)

    Google Scholar 

  16. Kals, S., Kirda, E., Kruegel, C., Jovanovic, N.: Secubat: a web vulnerability scanner. In: Proceedings of the 15th International Conference on World Wide Web, pp. 247–256. ACM (2006)

    Google Scholar 

  17. Lekies, S., Stock, B., Johns, M.: 25 million flows later: large-scale detection of dom-based xss. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1193–1204. ACM (2013)

    Google Scholar 

  18. Lundeen, R., Ou, J., Rhodes, T.: New ways i’m going to hack your web app. (2011)

    Google Scholar 

  19. Marlinspike, M.: New tricks for defeating ssl in practice. Blackhat (2009)

    Google Scholar 

  20. Microsoft: IE8 Security Part IV: The XSS Filter (2008)

    Google Scholar 

  21. Nikiforakis, N., Invernizzi, L., Kapravelos, A., Acker, S.V., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: large-scale evaluation of remote javascript inclusions. In: Proceedings of the 2012 ACM Conference on Computer and Communications security, CCS 2012, pp. 736–747. ACM, New York (2012)

    Google Scholar 

  22. Nikiforakis, N., Younan, Y., Joosen, W.: HProxy: Client-side detection of SSL stripping attacks. In: Proceedings of the 7th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA 2010 (2010)

    Google Scholar 

  23. Rizzo, J., Duong, T.: Crime: Compression ratio info-leak made easy. In: Ekoparty Security Conference (2012)

    Google Scholar 

  24. Ross, D., Gondrom, T.: HTTP Header X-Frame-Options. IETF RFC (2013)

    Google Scholar 

  25. Sellers, D.: ASP.NET 2.0 and the new HTTP-only property. MSDN Blogs (March 2006)

    Google Scholar 

  26. Son, S., Shmatikov, V.: The postman always rings twice: Attacking and defending postmessage in html5 websites

    Google Scholar 

  27. Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, pp. 921–930. ACM, New York (2010)

    Chapter  Google Scholar 

  28. Sterne, B., Barth, A.: Content Security Policy 1.0. W3C Candidate Recommendation (2012)

    Google Scholar 

  29. Vasek, M., Moore, T.: Identifying Risk Factors for Webserver Compromise. In: Proceedings of the Eighteenth International Conference on Financial Cryptography and Data Security, FC 2014 (2014)

    Google Scholar 

  30. West, M.: Play safely in sandboxed iframes (2013)

    Google Scholar 

  31. WhiteHat. Website Security Statistics Report, https://www.whitehatsec.com/resource/stats.html

  32. Zeller, W., Felten, E.W.: Cross-site request forgeries: Exploitation and prevention. The New York Times, 1–13 (2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

van Goethem, T., Chen, P., Nikiforakis, N., Desmet, L., Joosen, W. (2014). Large-Scale Security Analysis of the Web: Challenges and Findings. In: Holz, T., Ioannidis, S. (eds) Trust and Trustworthy Computing. Trust 2014. Lecture Notes in Computer Science, vol 8564. Springer, Cham. https://doi.org/10.1007/978-3-319-08593-7_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-08593-7_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08592-0

  • Online ISBN: 978-3-319-08593-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics