Towards a Secure Web: Critical Vulnerabilities and Client-Side Countermeasures (Bedreigingen en beveiligingsmaatregelen voor een veilig web)

Publication date: 2013-08-30

Author:

Nikiforakis, Nikolaos

Abstract:

As the web keeps on expanding, so does the interest of attackers who seek to exploit users and services for profit. In the last years, users have witnessed that it is hard for a month to pass without news of some major web-application break-in and the subsequent exfiltration of private or financial data. At the same time, attackers constantly register rogue domains, using them to perform phishing attacks, collect private user information, and exploit vulnerable browsers and plugins.

In this dissertation, we approach the increasingly serious problem of cybercrime from two different and complementary standpoints. First, we investigate large groups of web applications, seeking to discover systematic vulnerabilities across them. We analyze the workings of referrer-anonymizing services, file hosting services, remote JavaScript inclusions and web-based device fingerprinting, exploring their interactions with users and third parties, as well as their consequences on a user's security and privacy. Through a series of automated and manual experiments we uncover many previously unknown issues that could readily be used to exploit vulnerable services and compromise user data.

Second, we study existing, well-known web application attacks and propose client-side countermeasures that can strengthen the security of a user's browsing environment without the collaboration, or even awareness, of the web application. We propose countermeasures to defend against session hijacking, SSL stripping, and malicious, plugin-originating, cross-domain requests. Our countermeasures involve near-zero interaction with the user after their installation, have a minimal performance overhead, and do not assume the existence of trusted third parties.