University of Warwick
Publications service & WRAP

DOMtegrity : ensuring web page integrity against malicious browser extensions


Toreini, Ehsan, Shahandashti, Siamak F., Mehrnezhad, Maryam and Hao, Feng (2019) DOMtegrity : ensuring web page integrity against malicious browser extensions. International Journal of Information Security, 18. pp. 801-814. doi:10.1007/s10207-019-00442-1

PDF (1067Kb): WRAP-DOMtegrity-ensuring-web-page-integrity-browser-Hao-2019.pdf - Published Version - Requires a PDF viewer.
Available under License Creative Commons Attribution 4.0.

PDF (1806Kb): WRAP-DOMtegrity-ensuring-web-page-malicious-extensions-Hao-2019 (1).pdf - Accepted Version
Embargoed item. Restricted access to Repository staff only - Requires a PDF viewer.

Official URL: https://doi.org/10.1007/s10207-019-00442-1


Abstract

In this paper, we address an unsolved problem in the real world: how to ensure the integrity of the web content in a browser in the presence of malicious browser extensions? The problem of exposing confidential user credentials to malicious extensions has been widely understood, which has prompted major banks to deploy two-factor authentication. However, the importance of the “integrity” of the web content has received little attention. We implement two attacks on real-world online banking websites and show that ignoring the “integrity” of the web content can fundamentally defeat two-factor solutions. To address this problem, we propose a cryptographic protocol called DOMtegrity to ensure the end-to-end integrity of the DOM structure of a web page from delivering at a web server to the rendering of the page in the user’s browser. DOMtegrity is the first solution that protects DOM integrity without modifying the browser architecture or requiring extra hardware. It works by exploiting subtle yet important differences between browser extensions and in-line JavaScript code. We show how DOMtegrity prevents the earlier attacks and a whole range of man-in-the-browser attacks. We conduct extensive experiments on more than 14,000 real-world extensions to evaluate the effectiveness of DOMtegrity.

Item Type: Journal Article
Divisions: Faculty of Science > Computer Science
Journal or Publication Title: International Journal of Information Security
Publisher: Springer
ISSN: 1615-5262
Official Date: December 2019
Dates:
  • December 2019: Published
  • 11 June 2019: Available
  • 27 May 2019: Accepted
Volume: 18
Page Range: pp. 801-814
DOI: 10.1007/s10207-019-00442-1
Status: Peer Reviewed
Publication Status: Published
Publisher Statement: This is a post-peer-review, pre-copyedit version of an article published in International Journal of Information Security. The final authenticated version is available online at: https://doi.org/10.1007/s10207-019-00442-1
Access rights to Published version: Open Access
Related URLs:
  • Publisher
