Content Security for Web Applications

Sammanfattning: This thesis puts the focus on security problems related to web applications and web browsers by analyzing real-world web applications and modern client-side security mechanisms. For the latter, we mostly look at practical issues related to Content Security Policy (CSP) enforcement in web browsers. First, we inspect password meters and password generators implementations on the web in a large scale empirical study. After discussing current practices and security concerns, we develop a generic framework for integrating password meters and generators in a secure way. We implement this framework solely based on today's existing browser technologies and demonstrate its effectiveness with a real world password meter. Browsers come with frameworks to add functionality through browser extensions. By design, extensions are very powerful and can access and modify every part of visited web pages, from HTTP headers to a page's DOM. This also means security measures can be weakened or even removed completely. We investigate if and how browser extensions abuse their power by analyzing a large set of real-world browser extensions. We implement a mechanism which allows web servers to react to CSP header modifications by browser extensions. Last, we shed light on CSP in the context of data exfiltration and the dispute in the security community whether CSP is meant to protect from it. We analyze the practical implications through an empirical study on DNS and resource prefetching mechanisms in web browsers allowing data exfiltration in the face of CSP. Finally, we discuss different possible research directions to limit data exfiltration attacks in the future.