Bernardo, P., Veronese, L., DALLA VALLE, V., Calzavara, S., Squarcina, M., Adão, P., & Maffei, M. (2024). Web Platform Threats: Automated Detection of Web Security Issues With WPT. In Proceedings of the 33rd USENIX Security Symposium (pp. 757–774). http://hdl.handle.net/20.500.12708/204362
web security; client-side security; browser security; formal verification; smt; web platform tests; web invariants
en
Abstract:
Client-side security mechanisms implemented by Web browsers, such as cookie security attributes and the Mixed Content policy, are of paramount importance to protect Web applications. Unfortunately, the design and implementation of such mechanisms are complicated and error-prone, potentially exposing Web applications to security vulnerabilities. In this paper, we present a practical framework to formally and automatically detect security flaws in client-side security mechanisms. In particular, we leverage Web Platform Tests (WPT), a popular cross-browser test suite, to automatically collect browser execution traces and match them against Web invariants, i.e., intended security properties of Web mechanisms expressed in first-order logic. We demonstrate the effectiveness of our approach by validating 9 invariants against the WPT test suite, discovering violations with clear security implications in 104 tests for Firefox, Chromium and Safari. We disclosed the root causes of these violations to browser vendors and standard bodies, which resulted in 8 individual reports and one CVE on Safari.
en
Project title:
Foundations and Tools for Client-Side Web Security: 771527 (Europäischer Forschungsrat (ERC)) Fixing the Broken Bridge Between Mobile Apps and the Web: ICT22-060 (WWTF Wiener Wissenschafts-, Forschu und Technologiefonds) Sicherheits- und Datenschutzgrundlagen von Blockchain-Technologien: COMET SBA-K1 (SBA Research gemeinnützige GmbH)
-
Project (external):
European Union’s Horizon 2020 research and in- novation programme DAIS - Uni- versità Ca’ Foscari Venezia MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU Fundação para a Ciência e a Tecnologia (FCT)
-
Project ID:
grant agreement No 101034440 IRIDE program SERICS (PE00000014) project UIDB/50008/2020