FYI: manipulation of security headers in browser extensions

[ from the latest Bulletproof TLS Newsletter
<https://www.feistyduck.com/bulletproof-tls-newsletter/issue_77_quic_graduates_to_rfc_9000>
]

First, Do No Harm: Studying the manipulation of security headers in browser
extensions <https://swag.cispa.saarland/papers/agarwal2021extensions.pdf>.
Shubham Agarwal, Ben Stock, Network and Distributed Systems Security (NDSS)
Symposium 2021, 21-24 February 2021, San Diego, CA, USA.

Abstract—Browser extensions are add-ons that aim to enhance
the functionality of native Web applications on the client side.
They intend to provide a rich end-user experience by leveraging
feature-rich privileged JavaScript APIs, otherwise inaccessible for
native applications. However, numerous large-scale investigations
have also reported that extensions often indulge in malicious
activities by exploiting access to these privileged APIs such as
ad injection, stealing privacy-sensitive data, user fingerprinting,
spying on user activities on the Web, and malware distribution.

In this work, we instead focus on tampering with security
headers. To that end, we analyze over 186K Chrome extensions,
publicly available on the Chrome Web Store, to detect extensions
that actively intercept requests and responses and tamper with
their security headers by either injecting, dropping, or modifying
them, thereby undermining the security guarantees that these
headers typically provide. We propose an automated framework
to detect such extensions by leveraging a combination of static
and dynamic analysis techniques. We evaluate our proposed
methodology by investigating the extensions’ behavior against
Tranco Top 100 domains and domains targeted explicitly by the
extensions under test and report our findings. We observe that
over 2.4K extensions actively tamper with at least one security
header, undermining the purpose of the server-delivered, client-enforced
security headers.

[ ... ]

B. HTTP Security Headers

[ ... ]

... We focus on four widely-used,
security-critical headers deployed by popular
Web applications for this study, based on our observations from
recent academic and non-academic studies on the adoption of
various HTTP security headers, such as Buchanan et al. [6]
and other following works.

1) Content-Security Policy (CSP): ...

2) HTTP Strict-Transport-Security (HSTS): ...

3) X-Frame-Options: ...

4) X-Content-Type-Options: ...
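To make concrete what the paper is looking for, here is a small illustration I put
together; it is not code from the paper, the newsletter, or any real extension.
It models a tampering extension's chrome.webRequest.onHeadersReceived listener as a
plain function (same {responseHeaders: [{name, value}]} shape, no Chrome APIs, so it
runs under plain Node), applies it to a constructed server response carrying the
four headers above, and classifies each change as injected, dropped, or modified,
which is the distinction the abstract draws. The target URL, the header values and
the listener's behaviour are all made up for the example.

```javascript
// Added illustration of security-header tampering by a browser extension and of
// a before/after header diff that classifies it. Not from the paper; the
// listener shape mirrors chrome.webRequest.onHeadersReceived but runs offline.

const SECURITY_HEADERS = [
  "content-security-policy",
  "strict-transport-security",
  "x-frame-options",
  "x-content-type-options",
];

// Collapse a {name, value} header array into a map keyed by lowercased name.
// Repeated headers (legal for CSP) are kept in order and joined, so turning a
// single CSP into two, or vice versa, still shows up as a modification.
function toMap(headers) {
  const map = new Map();
  for (const { name, value } of headers) {
    const key = name.toLowerCase();
    const prev = map.get(key);
    map.set(key, prev === undefined ? value.trim() : `${prev}, ${value.trim()}`);
  }
  return map;
}

// Constructed stand-in for a tampering extension's onHeadersReceived listener.
// It takes the server's response headers and returns the set the browser will
// actually enforce: one header dropped, two weakened, one injected.
function tamperingListener(details) {
  const kept = [];
  for (const h of details.responseHeaders) {
    const key = h.name.toLowerCase();
    if (key === "x-frame-options") continue; // drop: page becomes frameable
    if (key === "content-security-policy") { // modify: open the policy up
      kept.push({ name: h.name, value: "default-src * 'unsafe-inline' 'unsafe-eval'" });
      continue;
    }
    if (key === "strict-transport-security") { // modify: max-age=0 clears HSTS state
      kept.push({ name: h.name, value: "max-age=0" });
      continue;
    }
    kept.push(h);
  }
  kept.push({ name: "X-Content-Type-Options", value: "nosniff" }); // inject
  return { responseHeaders: kept };
}

// Compare server-sent headers with what came out of the listener and report,
// for each security header, whether it was injected, dropped, or modified.
// The diff only records the change; judging it (a weakened CSP vs. an added
// nosniff) is a separate step, as it is in the paper.
function diffSecurityHeaders(serverHeaders, finalHeaders) {
  const before = toMap(serverHeaders);
  const after = toMap(finalHeaders);
  const result = { injected: [], dropped: [], modified: [] };
  for (const name of SECURITY_HEADERS) {
    const a = before.get(name);
    const b = after.get(name);
    if (a === undefined && b !== undefined) result.injected.push({ name, value: b });
    else if (a !== undefined && b === undefined) result.dropped.push({ name, value: a });
    else if (a !== undefined && b !== undefined && a !== b) result.modified.push({ name, from: a, to: b });
  }
  return result;
}

// Constructed server response for a hypothetical target; values are made up.
const SERVER_RESPONSE = {
  url: "https://example.com/",
  responseHeaders: [
    { name: "Content-Type", value: "text/html; charset=utf-8" },
    { name: "Content-Security-Policy", value: "default-src 'self'; script-src 'self'" },
    { name: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
    { name: "X-Frame-Options", value: "DENY" },
  ],
};

// Run one listener against one response and return the classified diff.
function analyze(listener, details) {
  const out = listener(details);
  return diffSecurityHeaders(details.responseHeaders, out.responseHeaders);
}

console.log(JSON.stringify(analyze(tamperingListener, SERVER_RESPONSE), null, 2));
```

A listener that passes headers through untouched yields three empty lists; the
constructed one yields one drop (X-Frame-Options), two modifications (CSP, HSTS)
and one injection (X-Content-Type-Options). The same diff can be run against
every dynamic-analysis trace an extension produces, which is the core of what
the paper's framework does at scale.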

Received on Monday, 7 June 2021 15:20:06 UTC