WEKO3
アイテム
Understanding the Breakdown of Same-origin Policies in Web Services That Rehost Websites
https://ipsj.ixsq.nii.ac.jp/records/239374
https://ipsj.ixsq.nii.ac.jp/records/23937452394879-9390-4f41-9e47-8cb53a36beb9
| 名前 / ファイル | ライセンス | アクション |
|---|---|---|
IPSJ-JNL6509020.pdf (1.2 MB)
2026年9月15日からダウンロード可能です。
|
Copyright (c) 2024 by the Information Processing Society of Japan
|
|
| 非会員:¥0, IPSJ:学会員:¥0, 論文誌:会員:¥0, DLIB:会員:¥0 | ||
| Item type | Journal(1) | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 公開日 | 2024-09-15 | |||||||||||||
| タイトル | ||||||||||||||
| タイトル | Understanding the Breakdown of Same-origin Policies in Web Services That Rehost Websites | |||||||||||||
| タイトル | ||||||||||||||
| 言語 | en | |||||||||||||
| タイトル | Understanding the Breakdown of Same-origin Policies in Web Services That Rehost Websites | |||||||||||||
| 言語 | ||||||||||||||
| 言語 | eng | |||||||||||||
| キーワード | ||||||||||||||
| 主題Scheme | Other | |||||||||||||
| 主題 | [特集:サプライチェーンを安全にするサイバーセキュリティ技術] Web, browser, same-origin policy, service worker | |||||||||||||
| 資源タイプ | ||||||||||||||
| 資源タイプ識別子 | http://purl.org/coar/resource_type/c_6501 | |||||||||||||
| 資源タイプ | journal article | |||||||||||||
| 著者所属 | ||||||||||||||
| NTT Social Informatics Laboratories | ||||||||||||||
| 著者所属 | ||||||||||||||
| NTT Social Informatics Laboratories | ||||||||||||||
| 著者所属 | ||||||||||||||
| NTT Social Informatics Laboratories | ||||||||||||||
| 著者所属 | ||||||||||||||
| Waseda University/NICT/RIKEN AIP | ||||||||||||||
| 著者所属(英) | ||||||||||||||
| en | ||||||||||||||
| NTT Social Informatics Laboratories | ||||||||||||||
| 著者所属(英) | ||||||||||||||
| en | ||||||||||||||
| NTT Social Informatics Laboratories | ||||||||||||||
| 著者所属(英) | ||||||||||||||
| en | ||||||||||||||
| NTT Social Informatics Laboratories | ||||||||||||||
| 著者所属(英) | ||||||||||||||
| en | ||||||||||||||
| Waseda University / NICT / RIKEN AIP | ||||||||||||||
| 著者名 |
Takuya, Watanabe
× Takuya, Watanabe
× Eitaro, Shioji
× Mitsuaki, Akiyama
× Tatsuya, Mori
|
|||||||||||||
| 著者名(英) |
Takuya, Watanabe
× Takuya, Watanabe
× Eitaro, Shioji
× Mitsuaki, Akiyama
× Tatsuya, Mori
|
|||||||||||||
| 論文抄録 | ||||||||||||||
| 内容記述タイプ | Other | |||||||||||||
| 内容記述 | Intermediary web services such as web proxies, translators, and archives have become pervasive as a means to enhance the openness of the web. These services aim to remove the intrinsic obstacles to web access; i.e., access blocking, language barriers, and missing websites. In this study, we refer to these services as web rehosting services and make the first exploration of their security flaws. Web rehosting services use a single domain name to rehost several websites that have distinct domain names; this characteristic makes web rehosting services intrinsically vulnerable to violating the same origin policy if not operated carefully. Based on the intrinsic vulnerability of web rehosting services, we demonstrate that an attacker can perform five different types of attacks that target users of web rehosting services: persistent man-in-the-middle attack, abusing privileges to access various resources, stealing credentials, stealing browser history, and session hijacking/injection. Our extensive analysis of 21 web rehosting services, which have more than 200 million accesses per day, revealed that these attacks are feasible. In response to this observation, we provide effective countermeasures against each type of attack. Through our efforts, several major web services have successfully completed improvements to make their architecture more secure. ------------------------------ This is a preprint of an article intended for publication Journal of Information Processing(JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.32(2024) (online) DOI http://dx.doi.org/10.2197/ipsjjip.32.801 ------------------------------ |
|||||||||||||
| 論文抄録(英) | ||||||||||||||
| 内容記述タイプ | Other | |||||||||||||
| 内容記述 | Intermediary web services such as web proxies, translators, and archives have become pervasive as a means to enhance the openness of the web. These services aim to remove the intrinsic obstacles to web access; i.e., access blocking, language barriers, and missing websites. In this study, we refer to these services as web rehosting services and make the first exploration of their security flaws. Web rehosting services use a single domain name to rehost several websites that have distinct domain names; this characteristic makes web rehosting services intrinsically vulnerable to violating the same origin policy if not operated carefully. Based on the intrinsic vulnerability of web rehosting services, we demonstrate that an attacker can perform five different types of attacks that target users of web rehosting services: persistent man-in-the-middle attack, abusing privileges to access various resources, stealing credentials, stealing browser history, and session hijacking/injection. Our extensive analysis of 21 web rehosting services, which have more than 200 million accesses per day, revealed that these attacks are feasible. In response to this observation, we provide effective countermeasures against each type of attack. Through our efforts, several major web services have successfully completed improvements to make their architecture more secure. ------------------------------ This is a preprint of an article intended for publication Journal of Information Processing(JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.32(2024) (online) DOI http://dx.doi.org/10.2197/ipsjjip.32.801 ------------------------------ |
|||||||||||||
| 書誌レコードID | ||||||||||||||
| 収録物識別子タイプ | NCID | |||||||||||||
| 収録物識別子 | AN00116647 | |||||||||||||
| 書誌情報 |
情報処理学会論文誌 巻 65, 号 9, 発行日 2024-09-15 |
|||||||||||||
| ISSN | ||||||||||||||
| 収録物識別子タイプ | ISSN | |||||||||||||
| 収録物識別子 | 1882-7764 | |||||||||||||
| 公開者 | ||||||||||||||
| 言語 | ja | |||||||||||||
| 出版者 | 情報処理学会 | |||||||||||||
