Abstract
Traditional Web applications seem vastly different from modern applications, which thrive on technological advances with dynamic content loading, background processing, and continuous data feeds. However, under the hood, these modern applications still rely on the same building blocks used by traditional applications. This chapter briefly introduces these building blocks as required background knowledge, followed by a discussion of several relevant client-side features. These include the browser’s security policies, which are all the more important today, the client-side extensibility features using plugins and browser extensions, and browser features aimed at enhancing the user experience, such as security indicators and private browsing modes.
Notes
1. Base64 encoding transforms the entered username and password into an alphanumeric string, which is easily reversed. The credentials are not encrypted, as is often mistakenly believed.
2. The port is an optional URI component, and when omitted, the protocol’s default port is used, which is 80 for HTTP and 443 for HTTPS.
3. Native code is also supported but discouraged since it requires different versions for different platforms.
Copyright information
© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns
Cite this chapter
De Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Traditional Building Blocks of the Web. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_2
DOI: https://doi.org/10.1007/978-3-319-12226-7_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12225-0
Online ISBN: 978-3-319-12226-7
eBook Packages: Computer Science (R0)