Muhammad Ikram, Rahat Masood, Gareth Tyson, Mohamed Ali Kaafar, Noha Loizon, Roya Ensafi
Research output: Contribution to journal › Article › peer-review
The web is a tangled mass of interconnected services, whereby websites import a range of external resources from various third-party domains. The latter can also load further resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third parties. The chain can only be loosely controlled as first-party websites often have little, if any, visibility on where these resources are loaded from. This article performs a large-scale study of dependency chains in the web to find that around 50% of first-party websites render content that they do not directly load. Although the majority (84.91%) of websites have short dependency chains (below three levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third parties are classified as suspicious; although seemingly small, this limited set of suspicious third parties has remarkable reach into the wider ecosystem. We find that 73% of websites under study load resources from suspicious third parties, and 24.8% of first-party webpages contain at least three third parties classified as suspicious in their dependency chain. By running sandboxed experiments, we observe a range of activities, with the majority of suspicious JavaScript code downloading malware.
Original language | English |
---|---|
Article number | 8 |
Pages (from-to) | 1-27 |
Number of pages | 27 |
Journal | ACM Transactions on Privacy and Security (TOPS) |
Volume | 23 |
Issue number | 2 |
DOIs | |
Publication status | Published - Apr 2020 |