Safeguarding Users' Web Interactions

Description
The Web plays an indispensable role in modern life, enabling countless interactions, from social engagement to critical business operations. However, these interactions expose users to a variety of security and privacy threats. This dissertation focuses on safeguarding users' Web interactions by addressing three key challenges: content injection vulnerabilities in web applications, privacy risks from browser extension fingerprinting, and Account Takeover (ATO) attacks carried out by fraud browsers, all of which directly impact users' safety. First, CONTEXT-AUDITOR introduces a novel technique to mitigate content injection vulnerabilities, including Cross-Site Scripting (XSS), scriptless attacks, and command injections. By detecting unintended context switches in the browser's parsing engine, CONTEXT-AUDITOR provides robust protection for web applications, ensuring that users' interactions with them remain secure. Second, Simulacrum enhances privacy protection by defending against DOM-based extension fingerprinting using the DOM Reality Shifting concept. It conceals browser extension behaviors from websites, preventing over 95% of vulnerable extensions from being fingerprinted. This approach directly addresses user privacy concerns, shielding them from tracking and profiling based on browser extensions. Finally, BROWSER POLYGRAPH provides a scalable, privacy-preserving solution to detect fraud browsers used in ATO attacks. By leveraging coarse-grained browser fingerprints, it identifies suspicious sessions, improving the accuracy of risk-based authentication systems and protecting users from fraudulent account compromises. In summary, this dissertation presents practical, deployable solutions that enhance the security and privacy of users' Web interactions. By safeguarding web applications, protecting user privacy, and defending against ATO fraud, these contributions play a key role in ensuring the safety of users in the increasingly adversarial Web ecosystem.

Details

Contributors
Date Created
2024
Topical Subject
Resource Type
Language
  • eng
Note
  • Partial requirement for: Ph.D., Arizona State University, 2024
  • Field of study: Computer Science
Additional Information
English
Extent
  • 195 pages
Open Access
Peer-reviewed