Leon Trampert
Hey! I am a PhD student at Saarland University working for the CISPA Helmholtz Center for Information Security under the supervision of Dr. Michael Schwarz and Prof. Christian Rossow. I like to explore unintended security and privacy implications introduced by new Web standards. As such, I play around with up-and-coming Web features such as WebAssembly or WebUSB.
My Interests
Recent Highlight
Honey, I Cached our Security Tokens
In order to mitigate the effect of Web attacks, modern browsers support a plethora of different security mechanisms. Mechanisms such as anti-Cross-Site Request Forgery (CSRF) tokens, or nonces in a Content Security policy rely on a random number that must only be used once. Notably, those Web security mechanisms are shipped through HTML tags or HTTP response headers from the server to the client side.
To decrease the server load and the traffic that is burdened on the own server infrastructure, many Web applications are served via a Content Delivery Network (CDN), which caches certain responses from the server to deliver them to multiple clients. This, however, does not only affect the content, but also the settings of the security mechanisms deployed via HTML meta tags or HTTP headers. If those are also cached, their content is fixed and the security tokens are no longer random for each request.
Even if the responses are not cached, operators may re-use tokens, as generating random numbers that are unique for each request introduces additional complexity for preserving the state on the server-side.
Re-usage of Security Tokens in the Wild
You can read one of my latest works about the implications of server-side caches on randomness-based security mechanisms on the Web. We investigated the Tranco Top 10.000 Web sites for their use of such mechanisms, and if the deployment actually served random tokens distributed over multiple requests.
Our findings indicate that 10-15% of sites that deploy randomness-based security mechanisms do not distribute random tokens, most of which are introduced by misconfigured CDNs.
You can read our paper linked below for more interesting information!