Tens of thousands of Google Chrome extensions available from the official Chrome Web Store manipulate security headers on major websites, exposing visitors to web attacks.
Although security headers are little known, they are a vital part of today's internet ecosystem. HTTP security headers are a key component of website security: when implemented, they protect users against the kinds of attacks most likely to occur on the site, such as XSS, code injection and clickjacking.
In many cases, according to the research team, extensions disabled CSP and other security headers "to introduce additional seemingly benign functionalities on the visited web page" and did not appear malicious in purpose. Paradoxically, that is because Chrome's extension framework, in the name of security, forces them to do so: an extension's code can access the page's DOM, but it cannot interact with the scripts running on the page.
Not all websites deploy security headers, but many of today's leading web services commonly use them to protect their customers, since such services, because of their size, face more web-based attacks than conventional sites.
Even when website operators configure their security headers correctly, that does not guarantee the headers are still present by the time the response reaches the client; along the way they can be intercepted and stripped by a man-in-the-middle attacker, by malware running on the operating system, or by browser extensions.
Researchers at the CISPA Helmholtz Centre said this is the first study to evaluate how many Chrome extensions tamper with security headers.
The research team studied 186,434 Chrome extensions that were available last year on the official Chrome Web Store, using a custom infrastructure built specifically for the study.
Their analysis found that 2,485 extensions intercepted and altered at least one security header used by today's Top 100 websites. The study focused on the four most prevalent security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, and X-Content-Type-Options.
While 2,485 extensions disabled at least one of these headers, the researchers found that 553 disabled all four security headers examined in the study.
CSP, a security header designed to let site owners control which web resources a page may load inside the browser, and a standard defense protecting websites and browsers against XSS and data injection attacks, was the most frequently disabled of the four headers.
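The four headers above are only effective if they survive the trip to the client. The following is an added example, not code from the CISPA study, that audits those four headers as a page actually received them and reports what was lost or weakened relative to what the server sent; the header values are constructed samples, and the CDN host name is a placeholder.

```python
from typing import Dict, List


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the four headers the study covers; [] means all look sound."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: List[str] = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        # Split "name src src; name src" into {name: [sources]}.
        directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
        script_src = directives.get("script-src") or directives.get("default-src")
        if script_src is None:
            findings.append("CSP has no script-src or default-src")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP allows inline or any-origin scripts")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        parts = [p.strip().lower() for p in hsts.split(";")]
        max_age = next((p for p in parts if p.startswith("max-age=")), "max-age=")
        value = max_age.split("=", 1)[1]
        if not value.isdigit() or int(value) == 0:  # max-age=0 clears the HSTS entry
            findings.append("HSTS max-age missing or zero")
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    return findings


def client_side_regressions(server: Dict[str, str], client: Dict[str, str]) -> List[str]:
    """Findings present in what the page received but absent from what the server sent."""
    return sorted(set(audit_security_headers(client)) - set(audit_security_headers(server)))


# Constructed sample: the response as the server sent it ...
SERVER_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
# ... and the same response after an extension dropped CSP and zeroed HSTS.
CLIENT_HEADERS = {"Strict-Transport-Security": "max-age=0",
                  "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"}
```

Comparing the two views, rather than checking the server's configuration alone, is what surfaces tampering by an extension or an in-path attacker.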
Source: E hacking news dot com