
CNS-1117106: TC: Small: Plugging Logic Loopholes in Hybrid Web Applications to Secure Web Commerce

Introduction

With the increasing popularity of third-party services integrated into hybrid web applications (including mobile apps) come new security challenges, posed by the complexity of coordinating these individual services with the web client. Such complexity often introduces program logic flaws that can be exploited to induce inconsistencies among the internal states of different services, causing the security controls within these applications to fail. This project endeavors to gain an in-depth understanding of the scope and magnitude of the security threat posed by logic flaws in various hybrid web applications and mobile apps, and of the common design pitfalls that lead to such vulnerabilities. Based upon this understanding, it will study novel technologies to facilitate the detection and patching of these flaws. This research involves industry collaborators and will also contribute to improving security protection in other domains that utilize hybrid web applications.

Related papers

  • T. Li, X. Zhou, L. Xing, Y. Lee, M. Naveed, X. Wang and X. Han, 2014. “Mayhem in the Push Clouds: Understanding and Mitigating Security Hazards in Mobile Push-Messaging Services”. Accepted by the 21st ACM Conference on Computer and Communications Security (CCS).
  • Z. Li, S. Alrwais, X. Wang and E. Alowaisheq, 2014. “Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections”. In Proceedings of the 35th IEEE Symposium on Security and Privacy (IEEE S&P).
  • M. Naveed, X. Zhou, S. Demetriou, X. Wang and C. Gunter, 2014. “Inside Job: Understanding and Mitigating the Threat of External Device Misbonding on Android”. In Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS).
  • R. Wang, L. Xing, X. Wang and S. Chen, 2013. “Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation”. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS).
  • Z. Li, S. Alrwais, Y. Xie, F. Yu and X. Wang, 2013. “Finding the Linchpins of the Dark Web: a Study on Topologically Dedicated Hosts on Malicious Web Infrastructures”. In Proceedings of the 34th IEEE Symposium on Security and Privacy (IEEE S&P).
  • L. Xing, Y. Chen, X. Wang and S. Chen, 2013. “InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations”. In Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS).
  • Z. Li, K. Zhang, Y. Xie, F. Yu and X. Wang, 2012. “Knowing Your Enemy: Understanding and Detecting Malicious Web Advertising”. In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS).
  • R. Wang, S. Chen and X. Wang, 2012. “Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services”. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (IEEE S&P).
  • R. Wang, S. Chen, X. Wang and S. Qadeer, 2011. “How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores”. In Proceedings of the 32nd IEEE Symposium on Security and Privacy (IEEE S&P).

Code Release