Can You Tell Me the Time? Security Implications of the Server-Timing Header
Pub Date: 1900-01-01
DOI: 10.14722/madweb.2023.23087
Vik Vanderlinden, W. Joosen, M. Vanhoef
Proceedings 2023 Workshop on Measurements, Attacks, and Defenses for the Web
Performing a remote timing attack typically entails the collection of many timing measurements in order to overcome noise due to network jitter. If an attacker can reduce the amount of jitter in their measurements, they can exploit timing leaks using fewer measurements. To reduce the amount of jitter, an attacker may use timing information that is made available by a server. In this paper, we exploit the use of the server-timing header, which was created for performance monitoring and in some cases exposes millisecond accurate information about server-side execution times. We show that the header is increasingly often used, with an uptick in adoption rates in recent months. The websites that use the header often host dynamic content of which the generation time can potentially leak sensitive information. Our new attack techniques, one of which collects the header timing values from an intermediate proxy, improve performance over standard attacks using roundtrip times. Experiments show that, overall, our new attacks (significantly) decrease the number of samples required to exploit timing leaks. The attack is especially effective against geographically distant servers.
Applying Accessibility Metrics to Measure the Threat Landscape for Users with Disabilities
Pub Date: 1900-01-01
DOI: 10.14722/madweb.2023.23074
J. Breton, A. Abdou
Proceedings 2023 Workshop on Measurements, Attacks, and Defenses for the Web
The link between user security and web accessibility is a new but growing field of research. To understand the potential threat landscape for users that require accessibility tools to access the web, we created the WATER framework. WATER measures websites using three security-related base accessibility metrics. Upon analyzing 30,000 websites from three distinct popularity ranges, we discovered that the risk for information leakage and phishing attacks is higher for these users. Over half of the analyzed websites had an accessibility percentage of less than 75%, a statistic that exposes these websites to potential accessibility-related lawsuits. Our data suggests that the current WCAG 2.1 standards may need to be revised to avoid assigning Level AA conformance to websites that undermine the security of users requiring accessibility tools. We make the WATER framework publicly available in the hopes it can be used for future research.
Tag of the Dead: How Terminated SaaS Tags Become Zombies
Pub Date: 1900-01-01
DOI: 10.14722/madweb.2023.23034
Takahito Sakamoto, Takuya Murozono
Proceedings 2023 Workshop on Measurements, Attacks, and Defenses for the Web
Software as a Service (SaaS) dies. Several SaaS die every day because it becomes too difficult to continue their business. SaaS lets website owners install a small amount of code, called a tag, on a website to extend the functionality of the website. However, sometimes that tag becomes a zombie. In this paper, we coordinate two studies to reveal the danger of the zombification of tags. (1) A research of domains used by dead SaaS tags. (2) An investigation of websites with dead tags. The results of our work show that of the 53 domains used with 49 dead SaaS tags, 18 domains have already been re-registered by a third party or are ready to be re-registered. We also scanned about 1.15 million websites of domestic companies and found 26 dead SaaS tags on approximately 18,000 websites. Finally, we found that three new SaaS tags have been abused by attackers, indicating the danger of zombification tags.
Are some prices more equal than others? Evaluating store-based price differentiation
Pub Date: 1900-01-01
DOI: 10.14722/madweb.2023.23011
H. Jonker, S. Karsch, Benjamin Krumnow, Godfried Meesters
Proceedings 2023 Workshop on Measurements, Attacks, and Defenses for the Web
Online vendors typically offer different stores to sell their items, such as desktop site, mobile site, country-specific sites, etc. Online rumours and news media reports persist that item prices between such views differ. While several academic works have investigated price differentiation, to date, no systematic method for analysing this question was put forth. We devise an approach to investigate such store-based price differentiation, based on three pillars: a framework that can perform cross-store data acquisition synchronously, a method to perform cross-store item matching, and constraints to limit client-side noise factors. We test our method in an initial case study to investigate store effects on flight pricing. We gather pricing data of 824 flights from 15 stores (incl. desktop sites, mobile apps, and mobile sites) over a 38-day period. Our experiment shows that price differences occur frequently. Moreover, even in a limited run we find strong indications of store-specific pricing for certain vendors. We conclude that (i) a larger study into store-based price differentiation is needed to better gauge this effect; (ii) future research in this general domain should take store-based differences into account in their study design.
Why do Internet Devices Remain Vulnerable? A Survey with System Administrators
Pub Date: 1900-01-01
DOI: 10.14722/madweb.2023.23043
T. Bondar, Hala Assal, A. Abdou
Proceedings 2023 Workshop on Measurements, Attacks, and Defenses for the Web
In efforts to understand the reasons behind Internet-connected devices remaining vulnerable for a long time, previous literature analyzed the effectiveness of large-scale vulnerability notifications on remediation rates. Herein we focus on the perspective of system administrators. Through an online survey study with 89 system administrators worldwide, we investigate factors affecting their decisions to remediate or ignore a security vulnerability. We use Censys to find servers with vulnerable public-facing services, extract the abuse contact information from WHOIS, and email an invitation to fill out the survey. We found no evidence that awareness of the existence of a vulnerability affects remediation plans, which explains the consistently small remediation rates following notification campaigns conducted in previous research. More interestingly, participants did not agree on a specific factor as the primary cause for lack of remediation. Many factors appeared roughly equally important, including backwards compatibility, technical knowledge, available resources, and motive to remediate.
Bridging the Privacy Gap: Enhanced User Consent Mechanisms on the Web
Pub Date: 1900-01-01
DOI: 10.14722/madweb.2023.23017
Carl Magnus Bruhner, David Hasselquist, Niklas Carlsson
Proceedings 2023 Workshop on Measurements, Attacks, and Defenses for the Web
In the age of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), privacy and consent control have become even more apparent for every-day web users. Privacy banners in all shapes and sizes ask for permission through more or less challenging designs and make privacy control more of a struggle than they help users’ privacy. In this paper, we present a novel solution expanding the Advanced Data Protection Control (ADPC) mechanism to bridge current gaps in user data and privacy control. Our solution moves the consent control to the browser interface to give users a seamless and hassle-free experience, while at the same time offering content providers a way to be legally compliant with legislation. Through an extensive review, we evaluate previous works and identify current gaps in user data control. We then present a blueprint for future implementation and suggest features to support privacy control online for users globally. Given browser support, the solution provides a tangible path to effectively achieve legally compliant privacy and consent control in a user-oriented manner that could allow them to again browse the web seamlessly.