A Longitudinal Study of Vulnerable Client-side Resources and Web Developers' Updating Behaviors | Proceedings of the 2023 ACM on Internet Measurement Conference (2024)

research-article

Authors: Kyungchan Lim, Yonghwi Kwon, and Doowon Kim

IMC '23: Proceedings of the 2023 ACM on Internet Measurement Conference

October 2023

Pages 162 - 180

Published: 24 October 2023


Abstract

Modern websites rely on various client-side web resources, such as JavaScript libraries, to provide end-users with rich and interactive web experiences. Unfortunately, anecdotal evidence shows that improperly managed client-side resources could open up attack surfaces that adversaries can exploit. However, there is still a lack of a comprehensive understanding of the updating practices among web developers and the potential impact of inaccuracies in Common Vulnerabilities and Exposures (CVE) information on the security of the web ecosystem. In this paper, we conduct a longitudinal (four-year) measurement study of the security practices and implications of client-side resources (e.g., JavaScript libraries and Adobe Flash) across the Web. Specifically, we first collect a large-scale dataset of 157.2M webpages of Alexa Top 1M websites over four years in the wild. Analyzing the dataset, we find that an average of 41.2% of websites (in each of the four years) carry at least one vulnerable client-side resource (e.g., JavaScript or Adobe Flash). We also reveal that vulnerable JavaScript library versions are frequently observed in the wild, suggesting a concerning level of lagging update practice. On average, we observe a window of vulnerability of 531.2 days, affecting 25,337 websites, between the release of a security patch and the update of the unpatched client-side resource. Furthermore, we manually investigate the fidelity of CVE (Common Vulnerabilities and Exposures) reports on client-side resources, leveraging PoC (Proof of Concept) code. We find that 13 CVE reports (out of 27) have incorrect vulnerable version information, which may impact security-related tasks such as security updates.


Cited By

  • Lim K, Park J, Kim D, Chua T, Ngo C, Ka-Wei Lee R, Kumar R, Lauw H (2024). Phishing Vs. Legit: Comparative Analysis of Client-Side Resources of Phishing and Target Brand Websites. Proceedings of the ACM on Web Conference 2024, 10.1145/3589334.3645535, pages 1756-1767. Online publication date: 13-May-2024.

    https://dl.acm.org/doi/10.1145/3589334.3645535

Index Terms

  • Security and privacy
    • Software and application security
      • Web application security


Published In

IMC '23: Proceedings of the 2023 ACM on Internet Measurement Conference

October 2023

746 pages

ISBN: 9798400703829

DOI: 10.1145/3618257

General Chairs: Marie-José Montpetit (McGill University, Canada), Aris Leivadeas (École de Technologie Supérieure, Canada)

Program Chairs: Steve Uhlig (Queen Mary University of London, United Kingdom), Mobin Javed (Lahore University of Management Sciences, Pakistan)

      Copyright © 2023 ACM.


      Sponsors

      • SIGCOMM: ACM Special Interest Group on Data Communication

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. adobe flash
      2. cve
      3. javascript library
      4. web security

      Qualifiers

      • Research-article

      Conference

      IMC '23

      Sponsor:

      • SIGCOMM

      IMC '23: ACM Internet Measurement Conference

      October 24 - 26, 2023

      Montreal QC, Canada

      Acceptance Rates

      Overall Acceptance Rate 277 of 1,083 submissions, 26%


