Automated verification of the Mixed Content policy by using Web Platform Tests

Dalla Valle, Valentino
2023/2024

Abstract

As reliance on web applications for critical tasks such as banking and shopping grows, protecting user data and privacy becomes imperative. This thesis examines web application security with emphasis on the browser's client-side security mechanisms, particularly the Mixed Content policy. Specified by the World Wide Web Consortium (W3C), this policy addresses the vulnerabilities introduced when a page loaded over HTTPS requests resources over insecure channels, which exposes those resources to tampering by a network attacker and can lead to exploitable attacks. The study proposes an automated methodology for verifying the implementation of the Mixed Content policy in web browsers using the Web Platform Tests (WPT) suite. The results show that the implementation of the policy is not always compliant with the specification; in particular, exploitable vulnerabilities were found in two major web browsers. The vulnerabilities were disclosed to the vendors and have been fixed, and one CVE was assigned, with a CVSS base score of 8.8. To understand the presence of mixed content in the wild, a large-scale analysis of the top 100K websites was conducted and the results were compared with data from 2015. The results show that, despite the community effort to reduce mixed content, the issue is still present on a non-negligible number of websites.
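To make the policy under test concrete, the following is an added illustration, not code from the thesis or from the WPT project: a compact model of the W3C Mixed Content decision a browser must take for each subresource request, approximating the spec's "a priori authenticated URL" check, the block decision, and the Level 2 rule that upgrades image, audio and video requests from http: to https: instead of blocking them. It also generates the page-scheme by resource-scheme by destination matrix that a WPT-style test generator would expand into individual tests. Function names, the sample origins and the simplifications noted in the comments (no ancestor frames, no user-configured trust exceptions) are my own assumptions.

```javascript
// Added illustration (not part of the thesis): a model of the W3C Mixed Content
// decision logic. Names and simplifications are assumptions, not the spec text.

// Loopback hosts that the Secure Contexts spec treats as potentially trustworthy.
function isLoopbackHost(hostname) {
  return hostname === "localhost" || hostname.endsWith(".localhost")
    || hostname === "127.0.0.1" || hostname === "[::1]";
}

// Potentially trustworthy origin (simplified: no user-configured exceptions).
function isPotentiallyTrustworthy(url) {
  if (["https:", "wss:", "file:"].includes(url.protocol)) return true;
  return isLoopbackHost(url.hostname);
}

// "A priori authenticated" URL: about:blank / about:srcdoc, data:, or a
// potentially trustworthy URL. Such requests are never mixed content.
function isAPrioriAuthenticated(url) {
  if (url.href === "about:blank" || url.href === "about:srcdoc") return true;
  if (url.protocol === "data:") return true;
  return isPotentiallyTrustworthy(url);
}

// Request destinations that Mixed Content Level 2 auto-upgrades rather than blocks.
const UPGRADEABLE = new Set(["image", "audio", "video"]);

// Decide what a compliant browser should do with one subresource request.
//   pageUrl:     URL of the requesting document
//   resource:    request URL (absolute or relative to pageUrl)
//   destination: Fetch request destination ("script", "image", "iframe", ...)
// Returns { outcome: "allowed" | "upgraded" | "blocked", url }.
function classify(pageUrl, resource, destination) {
  const page = new URL(pageUrl);
  const url = new URL(resource, page);
  // A plain http: document does not prohibit mixed security contexts, so none
  // of its requests are "mixed" (simplification: ancestor frames are ignored).
  if (!isPotentiallyTrustworthy(page)) return { outcome: "allowed", url: url.href };
  if (isAPrioriAuthenticated(url)) return { outcome: "allowed", url: url.href };
  if (UPGRADEABLE.has(destination) && url.protocol === "http:") {
    const upgraded = new URL(url.href);
    upgraded.protocol = "https:"; // default port 80 becomes 443; an explicit port is kept
    return { outcome: "upgraded", url: upgraded.href };
  }
  // Everything else (scripts, frames, fetch, WebSocket, ...) is blockable content.
  return { outcome: "blocked", url: url.href };
}

// Expand a page x resource x destination matrix into expected outcomes, the way
// a WPT-style generator produces one test per combination. Inputs are constructed.
function expectedMatrix() {
  const pages = ["https://app.example/", "http://app.example/"];
  const resources = ["https://cdn.example/r", "http://cdn.example/r", "ws://cdn.example/"];
  const destinations = ["script", "image", "iframe", "websocket"];
  const rows = [];
  for (const p of pages) for (const r of resources) for (const d of destinations) {
    rows.push({ page: p, resource: r, destination: d, ...classify(p, r, d) });
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of expectedMatrix()) {
    console.log(`${row.page} -> ${row.resource} [${row.destination}]: ${row.outcome} ${row.url}`);
  }
}
```

Each row of the matrix corresponds to one browser test: load a page from the given origin, trigger a request of the given destination to the given resource, and observe whether the browser allowed it, upgraded it, or blocked it. A browser whose observed outcome differs from the expected one in any cell is, by that cell, non-compliant with the specification.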
2023-10-16
Files in this item:
874210-1281441.pdf (Open Access from 21/02/2025; type: other attached material; 1.44 MB, Adobe PDF)

Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14247/16316