Automated verification of the Mixed Content policy by using Web Platform Tests


dc.contributor.advisor Calzavara, Stefano it_IT
dc.contributor.author Dalla Valle, Valentino <1999> it_IT
dc.date.accessioned 2023-10-02 it_IT
dc.date.accessioned 2024-02-21T12:18:11Z
dc.date.issued 2023-10-16 it_IT
dc.identifier.uri http://hdl.handle.net/10579/25496
dc.description.abstract As the reliance on web applications for critical tasks such as banking and shopping grows, ensuring user data and privacy protection becomes imperative. This thesis delves into the intricacies of web application security, emphasizing the pivotal role of browser client-side security mechanisms, particularly the Mixed Content policy. Managed by the World Wide Web Consortium (W3C), this policy addresses vulnerabilities introduced when HTTPS-loaded webpages request insecure resources, which can lead to exploitable attacks. The study proposes an automated methodology to verify the Mixed Content policy's implementation in web browsers using the Web Platform Test suite. The results show that the policy's implementation is not always compliant with the specification. In particular, exploitable vulnerabilities were found in two major web browsers. The vulnerabilities have been disclosed to the vendors and have been fixed, and one CVE was assigned with a base score of 8.8. To understand the presence of mixed content in the wild, a large-scale analysis of the top 100K websites was conducted, comparing the data obtained with information from 2015. The results show that despite the community effort to reduce the presence of mixed content, the issue is still present in a non-negligible number of websites. it_IT
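To make the policy the abstract refers to concrete, the following is an added example, not code from the thesis or from the Web Platform Tests: a small model of the W3C Mixed Content (Level 1) classification, applied to a constructed checkout page. A fetch issued by a document on an a priori authenticated (https) origin for a URL that is not potentially trustworthy is "optionally-blockable" when its destination is image, video or audio and the request is not CORS-mode, and "blockable" otherwise. The hostnames, the sample HTML and the element-to-destination table are assumptions made for illustration.

```javascript
// Added example, not part of the thesis: a minimal model of the W3C Mixed
// Content policy as a browser applies it to a subresource fetch.
// The trustworthiness rules follow the Secure Contexts spec; the
// blockable / optionally-blockable split follows Mixed Content Level 1.

const TRUSTWORTHY_SCHEMES = new Set([
  'https:', 'wss:', 'data:', 'about:', 'blob:', 'filesystem:', 'file:',
]);

// "Is url potentially trustworthy?" (Secure Contexts, section 3.1):
// secure schemes, plus localhost and loopback addresses.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (TRUSTWORTHY_SCHEMES.has(u.protocol)) return true;
  const host = u.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (/^127\.\d+\.\d+\.\d+$/.test(host) || host === '[::1]') return true;
  return false;
}

// Classify a fetch made by the document at documentUrl for requestUrl.
// destination is the Fetch destination ('script', 'image', ...); mode is
// the Fetch request mode ('cors' or 'no-cors').
// Returns 'not-mixed', 'optionally-blockable' or 'blockable'.
function classifyMixedContent(documentUrl, requestUrl, destination, mode = 'no-cors') {
  // The policy only applies to documents in an authenticated context.
  if (!isPotentiallyTrustworthy(documentUrl)) return 'not-mixed';
  // Relative and scheme-relative URLs resolve against the document first.
  const resolved = new URL(requestUrl, documentUrl);
  if (isPotentiallyTrustworthy(resolved.href)) return 'not-mixed';
  const optionallyBlockable =
    ['image', 'video', 'audio'].includes(destination) && mode !== 'cors';
  return optionallyBlockable ? 'optionally-blockable' : 'blockable';
}

// Element/attribute pairs and the destination the browser fetches them with
// (assumed table; <link> is treated as a stylesheet).
const LOADERS = [
  { tag: 'script', attr: 'src', destination: 'script' },
  { tag: 'img', attr: 'src', destination: 'image' },
  { tag: 'iframe', attr: 'src', destination: 'iframe' },
  { tag: 'link', attr: 'href', destination: 'style' },
  { tag: 'audio', attr: 'src', destination: 'audio' },
  { tag: 'video', attr: 'src', destination: 'video' },
];

// Scan static HTML for subresource URLs and report the ones the policy
// would block or flag. A regex scanner is enough for this illustration;
// a crawl of real sites would need a DOM and dynamically inserted loads.
function findMixedContent(documentUrl, html) {
  const findings = [];
  for (const { tag, attr, destination } of LOADERS) {
    const re = new RegExp(`<${tag}\\b[^>]*?\\s${attr}\\s*=\\s*["']?([^"'\\s>]+)`, 'gi');
    let m;
    while ((m = re.exec(html)) !== null) {
      const verdict = classifyMixedContent(documentUrl, m[1], destination);
      if (verdict !== 'not-mixed') findings.push({ tag, url: m[1], verdict });
    }
  }
  return findings;
}

// Constructed sample page served over https (hostnames are made up).
const SAMPLE_PAGE_URL = 'https://shop.example/checkout';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="/static/safe.png">
<iframe src="http://ads.example/frame"></iframe>
<video src="http://media.example/clip.mp4"></video>
</body></html>`;

console.log(findMixedContent(SAMPLE_PAGE_URL, SAMPLE_HTML));
```

In the sample page the insecure script, iframe and stylesheet are blockable (a blocked script or frame would otherwise hand an on-path attacker code execution in the https origin), while the insecure image and video are only optionally-blockable; the relative image resolves to https and is not mixed content at all. Current browsers implement Mixed Content Level 2, which upgrades optionally-blockable image, audio and video fetches to https instead of loading them over http, so a scan of live sites should distinguish "present in markup" from "actually loaded insecurely".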
dc.language.iso en it_IT
dc.publisher Università Ca' Foscari Venezia it_IT
dc.rights © Valentino Dalla Valle, 2023 it_IT
dc.title Automated verification of the Mixed Content policy by using Web Platform Tests it_IT
dc.title.alternative Automated verification of the Mixed Content policy by using Web Platform Tests it_IT
dc.type Master's Degree Thesis it_IT
dc.degree.name Informatica - computer science it_IT
dc.degree.level Laurea magistrale it_IT
dc.degree.grantor Dipartimento di Scienze Ambientali, Informatica e Statistica it_IT
dc.description.academicyear LM_2022/2023_sessione-autunnale it_IT
dc.rights.accessrights embargoedAccess it_IT
dc.thesis.matricno 874210 it_IT
dc.subject.miur INF/01 INFORMATICA it_IT
dc.date.embargoend 2025-02-20T12:18:11Z
dc.provenance.upload Valentino Dalla Valle (874210@stud.unive.it), 2023-10-02 it_IT
dc.provenance.plagiarycheck Stefano Calzavara (stefano.calzavara@unive.it), 2023-10-16 it_IT

