TY - GEN
T1 - Securing Web Inputs Using Parallel Session Attachments
AU - Yang, Ziqi
AU - Xu, Ruite
AU - Lin, Qixiao
AU - Wu, Shikun
AU - Mao, Jian
AU - Liang, Zhenkai
N1 - Publisher Copyright:
© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2025.
PY - 2025
Y1 - 2025
N2 - Web applications have become a cornerstone of the critical cyber infrastructure powering our daily life. Untrusted browser environments, such as public computers and browsers with untrusted extensions, may expose sensitive data in web applications to attackers. One way to protect sensitive data in web sessions is to isolate it using a trusted environment, such as a trusted mobile phone. However, existing solutions either require modifications of web applications to incorporate the trusted environment, or require developers to manually pre-label sensitive data. To address these issues, we propose WebTeleporter, a lightweight framework to protect users’ sensitive input through a trusted mobile environment. It attaches to the original web session an independent secure parallel session that isolates sensitive input without any change to web applications. WebTeleporter is highly flexible, such that users can choose to opt in to the secure environment at any time, and choose sensitive input to protect on demand. Our evaluation demonstrates that WebTeleporter is compatible with 11 popular web applications and frameworks. It can protect 99% of pages that contain sensitive input. Deploying WebTeleporter incurs low overhead and is a one-time effort for various applications. WebTeleporter introduces negligible performance overhead, i.e., a 13.9% increase in loading time and a 0.37% decrease in throughput.
UR - https://www.scopus.com/pages/publications/85207574875
U2 - 10.1007/978-3-031-64954-7_10
DO - 10.1007/978-3-031-64954-7_10
M3 - Conference contribution
AN - SCOPUS:85207574875
SN - 9783031649530
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 189
EP - 208
BT - Security and Privacy in Communication Networks - 19th EAI International Conference, SecureComm 2023, Proceedings
A2 - Duan, Haixin
A2 - Debbabi, Mourad
A2 - de Carné de Carnavalet, Xavier
A2 - Luo, Xiapu
A2 - Au, Man Ho Allen
A2 - Du, Xiaojiang
PB - Springer Science and Business Media Deutschland GmbH
T2 - 19th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2023
Y2 - 19 October 2023 through 21 October 2023
ER -