Skip to content
/ truster Public

Chrome extension that prevents the rendered web-pages from loading resources hosted in untrusted, writable S3 buckets

License

BSD-2-Clause license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

necst/truster

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
imgs
imgs
 
 
src
src
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
manifest.json
manifest.json
 
 

Repository files navigation

truster

truster is a Chrome extension that prevents the rendered web-pages from loading resources hosted in untrusted, writable S3 buckets.

What does it mean?

Websites often load assets (CSS, JS,..) hosted in AWS S3 buckets. Unfortunately, sometimes such buckets are misconfigured allowing unauthorized users to overwrite their files. This results in the possibility for attackers to inject malicious content (for instance malicious cryptomining JS) that gets delivered to the website's visitors. To protect from this threat, truster, communicating with our backend (https://bucketsec.necst.it/), verifies if the resources requested from the visited websites come from an untrusted, writable, bucket, preventing the loading of such resources.

Install

truster is now available on the Chrome store

Alternatively, truster can be installed from sources by enabling Chrome developer mode:

  • Go to chrome://extensions/.
  • Enable Developer mode by moving the slider at the top right corner.
  • Install truster clicking on the "Unload unpacked" button at the left top corner.

Howto

Once installed, truster runs in background without any required action. You can chose what to do when a visited website attempts to load untrusted resources (block/ask/warn) in the options page.

Research

truster is the outcome of a research study performed at the NECSTLab.

We present the findings of this study in the following research paper:

There's a Hole in that Bucket! A Large-scale Analysis of Misconfigured S3 Buckets [PDF]
Andrea Continella, Mario Polino, Marcello Pogliani, Stefano Zanero.
In Proceedings of the ACM Annual Computer Security Applications Conference (ACSAC), December 2018

If you use truster in a scientific publication, we would appreciate citations using this Bibtex entry:

@InProceedings{continella18:bucketsec,
  author =      {Andrea Continella and Mario Polino and Marcello Pogliani and Stefano Zanero},
  title =       {{There's a Hole in that Bucket! A Large-scale Analysis of Misconfigured S3 Buckets}},
  booktitle =   {Proceedings of the ACM Annual Computer Security Applications Conference (ACSAC)},
  month =       {December},
  year =        {2018}
}

About

Chrome extension that prevents the rendered web-pages from loading resources hosted in untrusted, writable S3 buckets

Resources

Readme

License

BSD-2-Clause license
Activity
Custom properties

Stars

2 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages