The Web is arguably the most popular platform for information exchange today. To allow for a better user experience, much functionality is shifted towards the client. This shift also increases the complexity of client-side code and hence the attack surface (Stock et al., 2017), which manifests in vulnerabilities such as Client-Side Cross-Site Scripting. We therefore develop novel methods to find such flaws at scale (Lekies et al., 2013), (Steffens et al., 2019), (Steffens and Stock, 2020), analyze their nature (Stock et al., 2015), and develop and evaluate potential solutions (Stock et al., 2014), (Musch et al., 2019), (Klein et al., 2022). Furthermore, our work considers other threat models, such as the compromise of trusted third-party sites (Meiser et al., 2021).
A particular focus is the Content Security Policy (CSP), a mechanism that limits a site's susceptibility to a range of attacks such as XSS, Clickjacking, or TLS downgrading. Our group has already conducted numerous studies on the subject, ranging from historic analyses of CSP deployment (Roth et al., 2020), inconsistencies in framing control through CSP and XFO (Calzavara et al., 2020), and inconsistencies within the same origin (Calzavara et al., 2021), to bypasses through script gadgets (Roth et al., 2020) and the inability of sites to deploy CSP because of their third-party script providers (Steffens et al., 2021).
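As an added illustration of the kind of framing-control inconsistency mentioned above (this is example code written for this page, not a tool from the group or from any of the cited papers), the following check compares a response's `Content-Security-Policy` `frame-ancestors` directive with its `X-Frame-Options` header and reports where the two disagree. It assumes only the standard semantics of both headers: `'none'` corresponds to `DENY`, `'self'` to `SAMEORIGIN`, and where a browser supports `frame-ancestors`, that directive takes precedence over `X-Frame-Options`. The header sets at the bottom are constructed samples.

```python
"""Report inconsistencies between CSP frame-ancestors and X-Frame-Options.

Added example: constructed sample headers, standard header semantics assumed.
"""
from typing import Optional


def parse_frame_ancestors(csp: Optional[str]) -> Optional[list[str]]:
    """Return the lower-cased source list of frame-ancestors, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def xfo_policy(xfo: Optional[str]) -> Optional[str]:
    """Normalise X-Frame-Options to 'deny', 'sameorigin' or 'invalid'."""
    if not xfo:
        return None
    value = xfo.strip().lower()
    if value in ("deny", "sameorigin"):
        return value
    # Anything else (e.g. the obsolete ALLOW-FROM form) is ignored by current browsers.
    return "invalid"


def csp_framing_class(sources: list[str]) -> str:
    """Classify a frame-ancestors source list into a framing policy."""
    if sources == ["'none'"] or sources == []:  # empty source list matches nothing
        return "deny"
    if sources == ["'self'"]:
        return "sameorigin"
    if "*" in sources:
        return "any"
    return "allowlist"


def check_framing(headers: dict[str, str]) -> list[str]:
    """Return human-readable findings for one response's framing headers."""
    findings: list[str] = []
    csp = headers.get("Content-Security-Policy")
    xfo = headers.get("X-Frame-Options")
    ancestors = parse_frame_ancestors(csp)
    xfo_class = xfo_policy(xfo)

    if ancestors is None and xfo_class is None:
        findings.append("no framing control: page can be framed by any origin")
        return findings
    if xfo_class == "invalid":
        findings.append(f"X-Frame-Options value not honoured by current browsers: {xfo!r}")
    if ancestors is None:
        findings.append("only X-Frame-Options set; no frame-ancestors directive")
        return findings

    csp_class = csp_framing_class(ancestors)
    if xfo_class is None:
        findings.append("frame-ancestors set but no X-Frame-Options fallback for legacy browsers")
    elif xfo_class in ("deny", "sameorigin") and csp_class != xfo_class:
        # Browsers that support frame-ancestors ignore XFO, so the effective policy
        # differs between browser generations.
        findings.append(
            f"inconsistent: X-Frame-Options={xfo_class} but frame-ancestors is "
            f"{csp_class} ({' '.join(ancestors)}); CSP wins where supported"
        )
    return findings


# Constructed sample responses (not real sites).
SAMPLES = {
    "consistent": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                   "X-Frame-Options": "DENY"},
    "xfo_stricter": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
                     "X-Frame-Options": "DENY"},
    "legacy_only": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "unprotected": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", check_framing(hdrs) or ["ok"])
```

The `xfo_stricter` sample is the interesting case: a legacy browser honouring `X-Frame-Options: DENY` refuses all framing, while a CSP-aware browser allows the partner origin, so the site's effective policy depends on the client.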
Although the detection of many types of web-based flaws has been a focus of research in recent years, notifying the affected parties has received little attention. In one research line, we identify potential channels for notification and evaluate their effectiveness (Stock et al., 2016). We also work not only on technical measures such as avoiding spam filters, but also on understanding the human aspects of a notification, such as how different wording might influence its success (Stock et al., 2018). Furthermore, our group investigates how to improve mechanisms such as CSP to make them more usable (Roth et al., 2021).
With its prevalence in the browser, JavaScript also makes for a prime target for attackers. Therefore, our group researches new ways of detecting malicious JavaScript in the wild. Specifically, this includes work in which we automatically generate signatures for exploit kits, alleviating the burden on malware analysts (Stock et al., 2016). In addition, our work focuses on the detection of malicious JavaScript in general through machine learning methods (Fass et al., 2018; Fass et al., 2019) and on novel ways of bypassing existing static analysis tools (Fass et al., 2019).
Peer-reviewed publications with contributions by members of the Secure Web Applications Group: