• Starts: 1:00 pm on Friday, December 6, 2024
• Ends: 3:00 pm on Friday, December 6, 2024

ECE PhD Thesis Defense: Beliz Kaleli

Title: Measuring and Improving the Security of the Web

Presenter: Beliz Kaleli

Advisors: Professor Gianluca Stringhini, Professor Manuel Egele

Chair: TBA

Committee: Professor Gianluca Stringhini, Professor Manuel Egele, Professor Rabia Yazicigil, Professor Sharon Goldberg.

Google Scholar Link: https://scholar.google.com/citations?user=A84Y2noAAAAJ

Abstract: As technology advances, people increasingly rely on websites for various aspects of their lives, such as shopping and banking. To meet user demands, Web application developers continuously add new functionalities. For instance, social media platforms like LinkedIn make URLs in posts clickable. As websites grow in complexity, maintenance becomes challenging, often leading to inadvertent vulnerabilities during feature rollouts. Communities such as OWASP raise awareness of major Web threats, and organizations like W3C develop standards to promote the Web's long-term security. However, the complexity of these standards may lead to insecure configurations. Hence, the introduction of new features and standards may result in bad practices that can introduce vulnerabilities.

In my research, I identify potential threats, measure their pervasiveness, formulate defense strategies, and develop automated mitigation tools. In my first contribution, I uncover a potential vulnerability that causes sensitive data leakage via the link sharing feature of online collaboration services. I find that widely-used services are vulnerable due to improper Referrer Policy use and limited browser support. In my second contribution, I present an attack scenario involving data leakage through browser features. I analyze the Feature Policy standard, revealing its low adoption on the Web, and find that misleading information in Chromium-based browsers may increase user susceptibility to the attack. In my third contribution, I present a threat model where the unintentional URLs created via the automatic link rendering feature on social media can be exploited. I evaluate link rendering behavior across platforms to illustrate the issue and develop a browser extension to mitigate unintended URL creation. In my fourth contribution, I develop a server-side cross-site scripting (XSS) mitigation system that safely configures the Content Security Policy header, addressing its complexity and slow adoption. I demonstrate that my system effectively protects against all types of XSS without disrupting common website functionalities. In my fifth contribution, I address the lack of understanding of Web vulnerability scanning behaviors. I develop a detection system that monitors scanning patterns across nearly 100,000 networks and conduct the first large-scale longitudinal study of scanning activity. My analysis provides new insights into scanning behavior and traffic trends.
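The Referrer Policy mechanism behind the first contribution, as an added example that is not part of this announcement or the thesis itself: a Python model of the W3C Referrer Policy selection and referrer-computation rules, showing which policy values let a share token in a document URL reach a third-party resource through the Referer header, and how a browser that does not recognise a policy token falls back to its default. The hostnames, the token and the legacy default used in the old-browser scenario are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample (hypothetical hostnames and token): a shared document URL
# carrying its share token, and a third-party resource the document links to.
SHARED_DOC = "https://docs.example-collab.test/d/abc123/edit?share=SECRET-TOKEN"
THIRD_PARTY = "https://cdn.example-third-party.test/image.png"
SHARE_TOKEN = "SECRET-TOKEN"
ALL_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")

def strip_for_referrer(url):
    p = urlsplit(url)  # full referrer: userinfo and fragment dropped, path and query kept
    return origin_of(url) + p.path + (f"?{p.query}" if p.query else "")

def effective_policy(header_value, supported=ALL_POLICIES,
                     default="strict-origin-when-cross-origin"):
    """Browsers skip tokens they do not recognise; the last recognised one wins."""
    chosen = default
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in supported:
            chosen = token
    return chosen

def referrer_sent(policy, src, dst):
    same_origin = origin_of(src) == origin_of(dst)
    downgrade = urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"
    full, origin_only = strip_for_referrer(src), origin_of(src) + "/"
    if policy == "no-referrer": return None
    if policy == "unsafe-url": return full
    if policy == "no-referrer-when-downgrade": return None if downgrade else full
    if policy == "same-origin": return full if same_origin else None
    if policy == "origin": return origin_only
    if policy == "strict-origin": return None if downgrade else origin_only
    if policy == "origin-when-cross-origin": return full if same_origin else origin_only
    return None if downgrade else (full if same_origin else origin_only)  # strict-origin-when-cross-origin

def leaks_share_token(header_value, src=SHARED_DOC, dst=THIRD_PARTY,
                      token=SHARE_TOKEN, **browser):
    """True if the share token reaches dst in the Referer under this policy header."""
    ref = referrer_sent(effective_policy(header_value, **browser), src, dst)
    return ref is not None and token in ref
```

Passing `supported` and `default` models an older browser: a header naming only a policy it does not recognise is ignored, and the token leaks under the legacy `no-referrer-when-downgrade` default even though the site "set" a safe policy.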

Location:
CDS 1646