- This event has passed.
January 14 3:00 pm - 5:00 pm EST
Sajjad Arshad, PhD student
However, included content can introduce security risks to users of these websites, unbeknownst to both website operators and users. In addition, the browser’s interpretation of the resource URLs may be very different from how the web server resolves the URL to determine which resource should be returned to the browser. The URL may not correspond to an actual server-side file system structure at all, or the web server may internally rewrite parts of the URL. This semantic disconnect between web browsers and web servers in interpreting relative paths (path confusion) could be exploited by Relative Path Overwrite (RPO). On the other hand, even tough extensions provide useful additional functionality for web browsers, they are also an increasingly popular vector for attacks. Due to the high degree of privilege extensions can hold, extensions have been abused to inject advertisements into web pages that divert revenue from content publishers and potentially expose users to malware.
In this thesis, I propose novel research into understanding and mitigating the security risks of content inclusion in web browsers to protect website publishers as well as their users. First, I introduce an in-browser approach called Excision to automatically detect and block malicious third-party content inclusions as web pages are loaded into the user’s browser or during the execution of browser extensions. Then, I propose OriginTracer, an in-browser approach to highlight extension-based content modification of web pages. Finally, I present the first in-depth study of style injection vulnerability using RPO and discuss potential countermeasures.
About the Speaker
Sajjad Arshad is a PhD student in Systems Security Lab (NEU SecLab). His research is concerned with improving the security of computer systems through application of secure design principles and integration of defensive techniques such as attack detection, prevention, and recovery. Some domains he is active in are conducting web security & privacy measurements, developing static & dynamic analysis techniques for detection of algorithmic complexity vulnerabilities in Java programs, systems security (e.g, CFI, binary exploitation, pwning, reverse engineering), and malware analysis (e.g., Botnet, Ransomware). Specifically, his research focuses on large-scale web security measurement, primarily using browser instrumentation and distributed crawling.
- William Robertson, Northeastern University (advisor)
- Engin Kirda, Northeastern University (co-advisor)
- Guevara Noubir, Northeastern University (internal)
- Gianluca Stringhini, Boston University (external)