Extensions breaking the Same Origin Policy: types of authorized CORS requests
Sources (origins of webpages) and targets (web application servers) of CORS requests allowed by extensions
Top 3 most popular categories among extensions with the ability to manipulate HTTP headers
Most requested permissions among Chrome, Firefox and Opera extensions
Data collection and analysis results overview
Top seven most popular logins in our dataset and their ranking according to Alexa
Top seven most popular extensions in our dataset and their popularity on the Chrome Web Store
7.2 Previous studies on measuring uniqueness based on browser extensions and our estimation of uniqueness
Matching arguments in an origin against arguments in a URL
Dependencies in the wild, considering CSP1, CSP2, CSP3 and their implementations in browsers. We consider only browsers whose implementations are compliant with the specifications
Dependencies and rewriting rules for CSP2 and CSP3, according to the specifications
4.5 Dependencies and rewriting rules considering only CSP2 and CSP3 and their implementations in browsers
Csp-core-syntax
4.3 Formalization of Dependency-Free Policies (DF-CSP) considering CSP1, CSP2 and CSP3 versions and their implementations in browsers
Potential CSP violations in pages with CSP
Sample of sites with CSP violations due to the Same-Origin Policy
Statistics of CSP violations due to the Same-Origin Policy
Excerpt of CSP directives and their descriptions
HTTP headers (excerpt) exchanged between the browser (client) and the server. In many cases there is a one-to-one correspondence between request and response headers: the browser sends a header, and the server uses its dual to authorize or reject cross-origin requests
CORS header exchanges between web browsers and servers
Breaking legitimate CORS requests with credentials by changing Access-Control-Allow-Origin to *
Breaking legitimate CORS requests by adding multiple values to the Access-Control-Allow-Origin header
Categories of extensions manipulating CORS headers
Distribution of users of extensions manipulating CORS headers
Distribution of users of extensions with the capability to tamper with CORS headers
CORS request workflow in the presence of an extension with the capability to intercept and manipulate HTTP headers
8.4 A.com forces an attack by opening B.com, thereby allowing A.com/content to load, execute and interact with extensions in order to exfiltrate user data to A
Browser extensions architecture: communications with web applications
7.13 Uniqueness of Chrome users based on their extensions only vs. number of users (204 is the number of users used in
Anonymity sets for different numbers of attributes tested by the general fingerprinting algorithm
7.10 Comparison of fingerprint pattern size (targeted) and the total number of detected attributes (detected) for unique users
Anonymity sets for users with respect to the number of detected extensions. D_Ext contains users who have installed at least one detected extension and D_Log contains users who have at least one login detected
7.5 Distribution of anonymity set sizes for 16,393 users based on detected extensions and logins
Evolution of detected extensions in Chrome
Detection of browser extensions and Web logins. A user visits a benign website which embeds third-party code (the attacker's script). Then the script detects that the user is logged into Facebook when it successfully loads the Facebook favicon.ico. It also detects that the user is logged into LinkedIn through a CSP violation. The script detects an icon of the Adblock extension and concludes that Adblock is installed
Testing 485 carefully selected extensions provides a very similar uniqueness result to testing all 16,743 extensions
Preventing trackers from combining in-context and cross-context tracking
Overhead introduced by applying CSP to content
Performance overhead of deploying the monitor
Differences in CSP directives for same-origin and relaxed-origin pages
Differences in CSP directives for parent and iframe pages
Evolution of CSP adoption among top 10,000 Alexa sites between, 2016