Publication


Featured research published by Tobias Lauinger.


recent advances in intrusion detection | 2014

Why Is CSP Failing? Trends and Challenges in CSP Adoption

Michael Weissbacher; Tobias Lauinger; William K. Robertson

Content Security Policy (CSP) has been proposed as a principled and robust browser security mechanism against content injection attacks such as XSS. When configured correctly, CSP renders malicious code injection and data exfiltration exceedingly difficult for attackers. However, despite the promise of these security benefits and being implemented in almost all major browsers, CSP adoption is minuscule—our measurements show that CSP is deployed in enforcement mode on only 1% of the Alexa Top 100.


network and distributed system security symposium | 2017

Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web.

Tobias Lauinger; Abdelberi Chaabane; Sajjad Arshad; William K. Robertson; Christo Wilson; Engin Kirda

Web developers routinely rely on third-party JavaScript libraries such as jQuery to enhance the functionality of their sites. However, if not properly maintained, such dependencies can create attack vectors allowing a site to be compromised. In this paper, we conduct the first comprehensive study of client-side JavaScript library usage and the resulting security implications across the Web. Using data from over 133 k websites, we show that 37% of them include at least one library with a known vulnerability; the time lag behind the newest release of a library is measured in the order of years. In order to better understand why websites use so many vulnerable or outdated libraries, we track causal inclusion relationships and quantify different scenarios. We observe sites including libraries in ad hoc and often transitive ways, which can lead to different versions of the same library being loaded into the same document at the same time. Furthermore, we find that libraries included transitively, or via ad and tracking code, are more likely to be vulnerable. This demonstrates that not only website administrators, but also the dynamic architecture and developers of third-party services are to blame for the Web's poor state of library management. The results of our work underline the need for more thorough approaches to dependency management, code maintenance and third-party code inclusion on the Web.


internet measurement conference | 2016

WHOIS Lost in Translation: (Mis)Understanding Domain Name Expiration and Re-Registration

Tobias Lauinger; Kaan Onarlioglu; Abdelberi Chaabane; William K. Robertson; Engin Kirda

Internet domain names expire when not renewed and may be claimed by a new owner. To date, despite existing work on abuses of residual trust after domain ownership changes, it is not well understood how often and how fast re-registrations occur, and the underlying processes are often over-simplified in scientific literature, leading to a potential bias in those studies. While in principle registration data is available in Whois databases, scalability issues and data ambiguities make re-registrations a challenging subject of study in practice. By focusing on domains about to be deleted, we were able to track 7.4 M com, net, org, biz and name domains over up to ten months to gather data for a survival analysis of re-registrations. Our results show that expiration processes may vary, and that many re-registrations happen soon after deletion, especially for older domains. We also discuss intricacies of Whois data to aid in avoiding potential pitfalls, as fast domain ownership changes combined with hidden domain states may pose challenges to operational and research communities.


recent advances in intrusion detection | 2012

Paying for piracy? an analysis of one-click hosters' controversial reward schemes

Tobias Lauinger; Engin Kirda; Pietro Michiardi

One-Click Hosters (OCHs) such as Rapidshare and the now defunct Megaupload are popular services where users can upload and store large files. Uploaders can then share the files with friends or make them publicly available by publishing the download links in separate directories, so-called direct download or streaming sites. While OCHs have legitimate use cases, they are also frequently used to distribute pirated content. Many OCHs operate affiliate programmes to financially reward the uploaders of popular files. These affiliate programmes are controversial for allegedly financing piracy, and they were prominently cited in the criminal indictment that led to the shutdown of Megaupload, once among the world's 100 largest web sites. In this paper, we provide insights into how much money uploaders of pirated content could earn on a range of direct download and streaming sites. While the potential earnings of a few uploaders are non-negligible, for most uploaders these amounts are so low that they cannot rationally explain profit-oriented behaviour.


recent advances in intrusion detection | 2013

Holiday Pictures or Blockbuster Movies? Insights into Copyright Infringement in User Uploads to One-Click File Hosters

Tobias Lauinger; Kaan Onarlioglu; Abdelberi Chaabane; Engin Kirda; William K. Robertson; Mohamed Ali Kaafar

According to copyright holders, One-Click Hosters (OCHs) such as Megaupload are frequently used to host and distribute copyright infringing content. This has spurred numerous initiatives by legislators, law enforcement and content producers. Due to a lack of representative data sets that properly capture private uses of OCHs such as sharing holiday pictures among friends, to date, there are no reliable estimates of the proportion of legitimate and infringing files being uploaded to OCHs. This situation leaves the field to the partisan arguments brought forward by copyright owners and OCHs. In this paper, we provide empirical data about the uses and misuses of OCHs by analysing six large data sets containing file metadata that we extracted from a range of popular OCHs. We assess the status of these files with regard to copyright infringement and show that at least 26% to 79% of them are potentially infringing. Perhaps surprising after the shutdown by the FBI for alleged copyright infringement, we found Megaupload to have the second highest proportion of legitimate files in our study.


international world wide web conferences | 2018

Large-Scale Analysis of Style Injection by Relative Path Overwrite

Sajjad Arshad; Seyed Ali Mirheidari; Tobias Lauinger; Bruno Crispo; Engin Kirda; William K. Robertson

Relative Path Overwrite (RPO) is a recent technique to inject style directives into sites even when no style sink or markup injection vulnerability is present. It exploits differences in how browsers and web servers interpret relative paths (i.e., path confusion) to make an HTML page reference itself as a stylesheet; a simple text injection vulnerability along with browsers' leniency in parsing CSS resources results in an attacker's ability to inject style directives that will be interpreted by the browser. Even though style injection may appear less serious a threat than script injection, it has been shown that it enables a range of attacks, including secret exfiltration. In this paper, we present the first large-scale study of the Web to measure the prevalence and significance of style injection using RPO. Our work shows that around 9% of the sites in the Alexa Top 10,000 contain at least one vulnerable page, out of which more than one third can be exploited. We analyze in detail various impediments to successful exploitation, and make recommendations for remediation. In contrast to script injection, relatively simple countermeasures exist to mitigate style injection. However, there appears to be little awareness of this attack vector as evidenced by a range of popular Content Management Systems (CMSes) that we found to be exploitable.


Communications of The ACM | 2018

Thou Shalt Not Depend on Me

Tobias Lauinger; Abdelberi Chaabane; Christo Wilson

Most websites use JavaScript libraries, and many of them are known to be vulnerable. Understanding the scope of the problem, and the many unexpected ways that libraries are included, are only the first steps toward improving the situation. The goal here is that the information included in this article will help inform better tooling, development practices, and educational efforts for the community.


acm special interest group on data communication | 2012

Privacy risks in named data networking: what is the cost of performance?

Tobias Lauinger; Nikolaos Laoutaris; Pablo Rodriguez; Thorsten Strufe; Ernst W. Biersack; Engin Kirda


usenix conference on large scale exploits and emergent threats | 2010

Honeybot, your man in the middle for automated social engineering

Tobias Lauinger; Veikko Pankakoski; Davide Balzarotti; Engin Kirda


network and distributed system security symposium | 2013

Clickonomics: Determining the Effect of Anti-Piracy Measures for One-Click Hosting.

Tobias Lauinger; Martin Szydlowski; Kaan Onarlioglu; Gilbert Wondracek; Engin Kirda; Christopher Krügel

Collaboration

Top Co-Authors

Engin Kirda (Northeastern University)

Mohamed Ali Kaafar (Commonwealth Scientific and Industrial Research Organisation)