TY - GEN
T1 - Large-scale security analysis of the web
T2 - 7th International Conference on Trust and Trustworthy Computing, TRUST 2014
AU - Van Goethem, Tom
AU - Chen, Ping
AU - Nikiforakis, Nick
AU - Desmet, Lieven
AU - Joosen, Wouter
PY - 2014
Y1 - 2014
N2 - As the web expands in size and adoption, so does the interest of attackers who seek to exploit web applications and exfiltrate user data. While there is a steady stream of news regarding major breaches and millions of user credentials compromised, it is logical to assume that, over time, the applications of the bigger players of the web are becoming more secure. However, as these applications become resistant to most prevalent attacks, adversaries may be tempted to move to easier, unprotected targets which still hold sensitive user data. In this paper, we report on the state of security for more than 22,000 websites that originate in 28 EU countries. We first explore the adoption of countermeasures that can be used to defend against common attacks and serve as indicators of "security consciousness". Moreover, we search for the presence of common vulnerabilities and weaknesses and, together with the adoption of defense mechanisms, use our findings to estimate the overall security of these websites. Among other results, we show how a website's popularity relates to the adoption of security defenses and we report on the discovery of three, previously unreported, attack variations that attackers could have used to attack millions of users.
UR - https://www.scopus.com/pages/publications/84904194604
U2 - 10.1007/978-3-319-08593-7_8
DO - 10.1007/978-3-319-08593-7_8
M3 - Conference contribution
AN - SCOPUS:84904194604
SN - 9783319085920
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 110
EP - 126
BT - Trust and Trustworthy Computing - 7th International Conference, TRUST 2014, Proceedings
PB - Springer Verlag
Y2 - 30 June 2014 through 2 July 2014
ER -