Abstract
The World Wide Web has seen widespread adoption in the past decades, becoming an indispensable tool for our everyday activities. Undoubtedly, its prevalence can be largely attributed to its continuous evolution and the constant emergence of new functionalities and services. As a result, along with these new, convenient and often complex features, the Web ecosystem’s complexity increases as well. At the same time, an increasing number of sensitive functionalities is being offered to users and a vast amount of private, sensitive information is circulated constantly. Unfortunately, this draws the attention of malicious actors who aim to gain access to such sensitive information and functionalities for their own nefarious purposes and profit, ultimately hurting users’ privacy and safety. To make matters worse, the intricate nature of the Web provides attackers with a multitude of potential vantage points for launching attacks. It is therefore crucial to robustly secure Web applications and their assets, so as to mitigate such malicious acts and their implications.
Thankfully, the research community has proposed various defense mechanisms and countermeasures, as well as detection techniques for uncovering security issues and vulnerabilities. However, the ever-increasing complexity of the Web can often diminish existing approaches’ effectiveness significantly or render them completely unsuitable. Moreover, the sheer scale of the Web, the vastly diverse and often closed-source Web applications and the complex interdependencies that drive them hinder the efficacy of approaches that require a priori knowledge or specialized input to achieve their respective goals.
In this dissertation, we demonstrate that these intricacies of the Web and their inherent challenges require automated, black-box solutions in order to be properly tackled. By proposing and extensively evaluating such novel approaches, covering various fronts of Web security and privacy, we showcase their significant benefits and improvements over prior systems. Most importantly, our systems adopt a context-agnostic modus operandi, i.e., they do not require any a priori knowledge or processing in their respective domain of operation.
Specifically, we first propose a scanner-agnostic middleware framework that aims to transparently enhance existing black-box vulnerability scanners by addressing their core limitations and improving their effectiveness, both in terms of code coverage and vulnerability detection. Next, we design a fully automated, website-agnostic, black-box auditing framework for uncovering authentication and authorization flaws in Web applications and carry out the first large-scale study on such flaws to date. Finally, we address the problem of robust and real-time third-party script attribution, a crucial prerequisite for countless security and privacy countermeasures, by designing a novel, script-agnostic pipeline.