%0 Conference Proceedings
%T When Your Browser Becomes the Paper Boy
%+ University of Passau
%A Parra Rodriguez, Juan, D.
%A Brehm, Eduard
%A Posegga, Joachim
%Z Part 2: Failures of Security Management
%< avec comité de lecture
%( IFIP Advances in Information and Communication Technology
%B 33th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC)
%C Poznan, Poland
%Y Lech Jan Janczewski
%Y Mirosław Kutyłowski
%I Springer International Publishing
%3 ICT Systems Security and Privacy Protection
%V AICT-529
%P 94-107
%8 2018-09-18
%D 2018
%R 10.1007/978-3-319-99828-2_7
%K Content Security Policy (CSP)
%K Web Security
%K Browser Abuse
%Z Computer Science [cs]Conference papers
%X We present a scenario where browsers’ network and computation capabilities are used by an attacker without the user’s knowledge. For this kind of abuse, an attacker needs to trigger JavaScript code on the browser, e.g. through an advertisement. However, unlike other Web attacks, e.g. cross-site scripting, the attack can be executed isolated from the Origin of the site visited by the user.We demonstrate this by forcing common browsers to join an overlay network and perform onion routing for other peers in the network. An attacker can create and tear down such browser networks whenever needed and use them to avoid detection, complicate forensic analysis, and protect his identity. Based on a performance evaluation with real browsers, we ascertain that the network delivers messages in a timely manner under load while remaining unnoticed. From a more constructive point of view, we discuss how the current CSP specification and other mechanisms under discussion can help to protect users against this attack.
%G English
%Z TC 11
%2 https://inria.hal.science/hal-02023747/document
%2 https://inria.hal.science/hal-02023747/file/472722_1_En_7_Chapter.pdf
%L hal-02023747
%U https://inria.hal.science/hal-02023747
%~ IFIP
%~ IFIP-AICT
%~ IFIP-TC
%~ IFIP-TC11
%~ IFIP-SEC
%~ IFIP-AICT-529