Spidering the Modern Web: Securing the Next Generation of Web Sites and Browser Extensions

Bibliographic Details
Title: Spidering the Modern Web: Securing the Next Generation of Web Sites and Browser Extensions
Authors: Olsson, Eric, 1994
Subject Terms: Vulnerability detection, Web application security, Browser extensions, Web application scanning
Description: Given the range of critical and sensitive services available on the Web, securing the web applications and browser extensions in this ecosystem is of paramount importance. However, this goal has not been achieved. Vulnerabilities in web applications remain undetected, and malicious browser extensions are still available in curated app stores. While black-box scanning is a promising method for detecting vulnerabilities in diverse web applications, crawling these increasingly client-side and stateful applications is challenging. To discover vulnerabilities in modern web applications, we develop two new scanning methods that take into account these challenges. We first propose a novel grey-box method, Spider-Scents, for detecting stored XSS vulnerabilities that avoids these challenges by relaxing the problem to finding unprotected outputs from the database. This method supplements an otherwise black-box scanner with the ability to directly inject payloads into the database. In our evaluation, we demonstrate that these code smells are highly related to complete vulnerabilities while showcasing the improved vulnerability detection and database coverage of our method. We then propose a new black-box scanner, SpiderSapien, with the aim to test deep states in modern web applications, by generating valid client-side actions and form inputs that could unlock previously untested functionality. In our evaluation, we show that SpiderSapien improves vulnerability detection and code coverage, while the LLM-powered method solves more diverse forms. Finally, we develop a framework to find fake reviews from the metadata of extensions on the Chrome Web Store. We identify how reviews can be faked, and propose five statistical methods to detect them. We demonstrate how these methods find fake reviews, and show how this can be used to find malicious extensions.
File Description: electronic
Access URL: https://research.chalmers.se/publication/546193
https://research.chalmers.se/publication/546193/file/546193_Fulltext.pdf
Database: SwePub
Publication Type: Dissertation/Thesis
Language: English
Published: 2025