Least Privilege Access for Persistent Storage Mechanisms in Web Browsers
- URL: http://arxiv.org/abs/2411.15416v1
- Date: Sat, 23 Nov 2024 02:25:43 GMT
- Title: Least Privilege Access for Persistent Storage Mechanisms in Web Browsers
- Authors: Gayatri Priyadarsini Kancherla, Dishank Goel, Abhishek Bichhawat,
- Abstract summary: Third-party scripts have unrestricted access to a user's private data stored in persistent storage like cookies, localstorage and IndexedDB.
We propose a mechanism to enforce fine-grained control of persistent storage objects.
- Abstract: Web applications often include third-party content and scripts to personalize a user's online experience. These scripts have unrestricted access to a user's private data stored in the browser's persistent storage like cookies, localstorage and IndexedDB, associated with the host page. Various mechanisms have been implemented to restrict access to these storage objects, e.g., content security policy, the HttpOnly attribute with cookies, etc. However, the existing mechanisms provide all-or-none access and do not work in scenarios where web applications need to allow controlled access to cookies and localstorage objects by third-party scripts. If some of these scripts behave maliciously, they can easily access and modify private user information that is stored in the browser objects. The goal of our work is to design a mechanism to enforce fine-grained control of persistent storage objects. We perform an empirical study of persistent storage access by third-party scripts on Tranco's top 10,000 websites and find that 89.84% of all cookie accesses, 90.98% of all localstorage accesses and 72.49% of IndexedDB accesses are done by third-party scripts. Our approach enforces least privilege access for third-party scripts on these objects to ensure their security by attaching labels to the storage objects that specify which domains are allowed to read from and write to these objects. We implement our approach on the Firefox browser and show that it effectively blocks scripts from other domains, which are not allowed access based on these labels, from accessing the storage objects. We show that our enforcement results in some functionality breakage in websites with the default settings, which can be fixed by correctly labeling the storage objects used by the third-party scripts.
Related papers
- Extracting Database Access-control Policies From Web Applications [5.193592261722995]
It is difficult to divine what policy is embedded in application code and what data the application may access.
This paper tackles policy extraction: the task of extracting the access-control policy.
Ote is a policy extractor for Ruby-on-Rails web applications.
(2024-11-18T08:58:11Z)
- Infogent: An Agent-Based Framework for Web Information Aggregation [59.67710556177564]
We introduce Infogent, a novel framework for web information aggregation.
Experiments on different information access settings demonstrate Infogent beats an existing SOTA multi-agent search framework by 7%.
(2024-10-24T18:01:28Z)
- COOKIEGUARD: Characterizing and Isolating the First-Party Cookie Jar [14.314375420700504]
Third-party scripts write (or ghost-write) first-party cookies in the browser's cookie jar because they are included in the website's main frame.
Third-party scripts are able to access all first-party cookies, both the actual first-party cookies as well as the ghost-written first-party cookies by different third-party scripts.
We propose COOKIEGUARD to introduce isolation between first-party cookies set by different third-party scripts in the main frame.
(2024-06-08T01:02:49Z)
- Towards Browser Controls to Protect Cookies from Malicious Extensions [5.445001663133085]
Cookies are valuable targets of attacks that attempt to steal them and gain unauthorized access to user accounts.
Extensions are third-party HTML/JavaScript add-ons with access to several privileged APIs and can run on multiple websites at once.
We propose browser controls based on two new cookie attributes that protect cookies from malicious extensions: BrowserOnly and Tracked.
(2024-05-10T22:04:56Z)
- AutoScraper: A Progressive Understanding Web Agent for Web Scraper Generation [54.17246674188208]
Web scraping is a powerful technique that extracts data from websites, enabling automated data collection, enhancing data analysis capabilities, and minimizing manual data entry efforts.
Existing methods, wrappers-based methods suffer from limited adaptability and scalability when faced with a new website.
We introduce the paradigm of generating web scrapers with large language models (LLMs) and propose AutoScraper, a two-stage framework that can handle diverse and changing web environments more efficiently.
(2024-04-19T09:59:44Z)
- TaskWeaver: A Code-First Agent Framework [50.99683051759488]
TaskWeaver is a code-first framework for building LLM-powered autonomous agents.
It converts user requests into executable code and treats user-defined plugins as callable functions.
It provides support for rich data structures, flexible plugin usage, and dynamic plugin selection.
(2023-11-29T11:23:42Z)
- Exploring Security Practices in Infrastructure as Code: An Empirical Study [54.669404064111795]
Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools.
Scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks.
Ensuring security relies on practitioners' understanding and the adoption of explicit policies, guidelines, or best practices.
(2023-08-07T23:43:32Z)
- Uncovering Fingerprinting Networks. An Analysis of In-Browser Tracking using a Behavior-based Approach [0.0]
This thesis explores the current state of browser fingerprinting on the internet.
We implement FPNET to identify fingerprinting scripts on large sets of websites by observing their behavior.
We track down companies like Google, Yandex, Maxmind, Sift, or FingerprintJS.
(2022-08-15T18:06:25Z)
- SPAct: Self-supervised Privacy Preservation for Action Recognition [73.79886509500409]
Existing approaches for mitigating privacy leakage in action recognition require privacy labels along with the action labels from the video dataset.
Recent developments of self-supervised learning (SSL) have unleashed the untapped potential of the unlabeled data.
We present a novel training framework which removes privacy information from input video in a self-supervised manner without requiring privacy labels.
(2022-03-29T02:56:40Z)
- Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598]
Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes.
We develop a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks.
These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
(2020-08-17T07:16:57Z)
- Privacy-Preserving Script Sharing in GUI-based Programming-by-Demonstration Systems [11.477824955297196]
An important concern in end user development (EUD) is accidentally embedding personal information in program artifacts when sharing them.
We present a new approach that can identify and obfuscate the potential personal information in GUI-based PBD scripts.
(2020-04-17T17:20:10Z)