Threat Diagnosis and Security Verification of Services Using Server-Side Browsers

  • Min-sang Lee (Sungkyunkwan University)
  • Hyoung-kee Choi (Sungkyunkwan University)
  • Received : 2024.06.12
  • Accepted : 2024.07.25
  • Published : 2024.08.31

Abstract

Browsers are used to render web pages inside programs that perform tasks such as data extraction, format conversion, and development testing. Online services that run such a browser on the server can introduce security issues if browser information is exposed or the browser is operated in an unsafe state. This paper presents security requirements for the safe use of server-side browsers and explains the security threats that arise when these requirements are not met. Through evaluation, commercial web applications are checked against these requirements, and the vulnerable cases in which the browser can be turned into an attack tool are analyzed.
