Exploring Tracking Techniques and Other Privacy-Invasive Attacks on the Modern Web
thesis
posted on 2025-08-01, 00:00 authored by Konstantinos Solomos
Modern web browsers are essential gateways to the Internet, providing users access to a wide range of services and information. To support the complexity of modern web applications, browsers continuously adopt new features and advanced functionalities to enhance the user experience.
However, despite their benefits, these features often introduce inherent privacy and security risks.
This work investigates how core browser features and mechanisms are exploited for privacy-invasive attacks and evaluates the effectiveness of deployed protection mechanisms in real-world settings.
We first explore the properties and functionality of favicons to detect design-level flaws that enable persistent user tracking. Leveraging these properties, we demonstrate a novel fingerprinting technique that allows websites to re-identify users across visits without relying on traditional client-side methods.
We then focus on the browser extension ecosystem and propose extension-detection techniques, each targeting a distinct behavioral property that can be leveraged for user tracking: (i) modifications triggered by user interactions, (ii) behaviors during the extension life cycle, and (iii) variation introduced through personalization. Our analysis utilizes publicly available datasets from prior studies and a collection of extensions from the Google Chrome Web Store spanning multiple time periods, detecting a significant number of fingerprintable extensions that were overlooked by prior approaches.
Finally, we assess browser-specific security defenses by analyzing the Content Security Policy (CSP), a widely adopted standard for restricting injection attacks and enforcing origin-based access control. Using large-scale data collected from publicly accessible websites, we identify misconfigurations and overly permissive policies that allow attackers to compromise the privacy and integrity of both websites and users.
History
Advisor
Jason Polakis
Department
Computer Science
Degree Grantor
University of Illinois Chicago
Degree Level
Doctoral
Degree name
PhD, Doctor of Philosophy
Committee Member
Chris Kanich
Jon Solworth
Nick Nikiforakis
Alexandros Kapravelos