Traditional Building Blocks of the Web

Primer on Client-Side Web Security

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))

Abstract

Traditional Web applications seem vastly different from modern applications, which thrive on technological advances with dynamic content loading, background processing, and continuous data feeds. However, under the hood, these modern applications still rely on the same building blocks used by traditional applications. This chapter briefly introduces these building blocks as required background knowledge, followed by a discussion of several relevant client-side features. These include the browser’s security policies, which are all the more important today, the client-side extensibility features using plugins and browser extensions, and browser features aimed at enhancing the user experience, such as security indicators and private browsing modes.

Notes

  1. Base64 encoding transforms the entered username and password into an alphanumeric string, which is easily reversed. The credentials are not encrypted, as is often mistakenly believed.

  2. The port is an optional URI component, and when omitted, the protocol’s default port is used, which is 80 for HTTP and 443 for HTTPS.

  3. Native code is also supported but discouraged since it requires different versions for different platforms.

Author information

Correspondence to Philippe De Ryck.

Copyright information

© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns

Cite this chapter

Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Traditional Building Blocks of the Web. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_2

  • DOI: https://doi.org/10.1007/978-3-319-12226-7_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12225-0

  • Online ISBN: 978-3-319-12226-7
