Talks and Poster Presentations (with Proceedings-Entry):
M. Squarcina, M. Tempesta, L. Veronese, S. Calzavara, M. Maffei:
"Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web";
Talk: 30th USENIX Security Symposium,
Online;
2021-08-11
- 2021-08-13; in: "30th USENIX Security Symposium",
30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021,
(2021),
2917
- 2934.
English abstract:
Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention by the research community. In this paper we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887, sites, where we quantified the threats posed by related-domain attackers to popular web applications.
Keywords:
Related-domain attacker, web security, same-site, subdomain
Electronic version of the publication:
https://publik.tuwien.ac.at/files/publik_296683.pdf
Created from the Publication Database of the Vienna University of Technology.