Doctoral theses

Identifier 000466308
Title Securing the modern web through novel black-box and context-agnostic techniques
Alternative Title Strengthening the security of the modern Web through novel black-box and context-independent techniques
Author Δρακωνάκης, Κωνσταντίνος Ι
Thesis advisor Ιωαννίδης, Σωτήρης
Reviewer Polakis, Jason
Φατούρου, Παναγιώτα
Δημητρόπουλος, Ξενοφών
Πρατικάκης, Πολύβιος
Μαγκούτης, Κωνσταντίνος
Βασιλειάδης, Γιώργος
Abstract The World Wide Web has seen widespread adoption in the past decades, becoming an indispensable tool for our everyday activities. Undoubtedly, its prevalence can be largely attributed to its continuous evolution and the constant emergence of new functionalities and services. As a result, along with these new, convenient and often complex features, the Web ecosystem’s complexity increases as well. At the same time, an increasing number of sensitive functionalities is being offered to users and a vast amount of private, sensitive information is circulated constantly. Unfortunately, this draws the attention of malicious actors who aim to gain access to such sensitive information and functionalities for their own nefarious purposes and profit, ultimately hurting users’ privacy and safety. To make matters worse, the intricate nature of the Web provides attackers with a multitude of potential vantage points for launching attacks. It is therefore crucial to robustly secure Web applications and their assets, so as to mitigate such malicious acts and their implications. Thankfully, the research community has proposed various defense mechanisms and countermeasures, as well as detection techniques for uncovering security issues and vulnerabilities. However, the ever-increasing complexity of the Web can often diminish existing approaches’ effectiveness significantly or render them completely unsuitable. Moreover, the sheer scale of the Web, the vastly diverse and often closed-source Web applications and the complex interdependencies that drive them hinder the efficacy of approaches that require a priori knowledge or specialized input to achieve their respective goal. In this dissertation, we demonstrate that these intricacies of the Web and their inherent challenges require automated, black-box solutions if they are to be properly tackled.
By proposing and extensively evaluating such novel approaches, covering various fronts of Web security and privacy, we showcase their significant benefits and improvements over prior systems. Most importantly, our systems adopt a context-agnostic modus operandi, i.e., they do not require any a priori knowledge or processing in their respective domain of operation. Specifically, we initially propose a scanner-agnostic middleware framework which aims to transparently enhance existing black-box vulnerability scanners, by addressing their core limitations and improving their effectiveness both in terms of code coverage and vulnerability detection. Next, we design a fully automated, website-agnostic, black-box auditing framework for uncovering authentication and authorization flaws in Web applications and carry out the first large-scale study on such flaws to date. Finally, we address the problem of robust and real-time third-party script attribution, a crucial prerequisite for countless security and privacy countermeasures, by designing a novel, script-agnostic pipeline.
Language English
Subject Black-box scanning
Cookie hijacking
Cybersecurity
Security
Session hijacking
Issue date 2024-07-26
Collection   School/Department--School of Sciences and Engineering--Department of Computer Science--Doctoral theses
  Type of Work--Doctoral theses
Permanent Link https://elocus.lib.uoc.gr//dlib/f/0/7/metadata-dlib-1721722544-116146-15032.tkl