Security 2024 Queries (#3671)

* Add 2022 queries

* Add updated bot detection query (issue HSTS technology)

* Query update

* Update Cryptominer + Crypto query

* Port all cookie queries

* CSP + CORP porting

* More porting

* Many updated queries

* Update many queries

* Update all remaining queries

* Remove 2024 prefix

* Add header value distributions (some headers)

* Add Timing-Allow-Origin Header Usage

No real security header as it can only worsen security (MDN classifies it as CORS header) thus not included in all queries, e.g., not included in feature_adoption_by_country.sql)

* Add OAC queries

* Add document.domain query

* HTML Sanitization query

* Security Features by category

* Add server-timing query

* Update security.txt query

* Improve security.text query

* Only consider "real" security.txt files for query

* Add some insights into security.txt data (FPs vs FNs)

* Fix typo

* SQLfluff fix

* Fix typo

* Add a limit

* Improve Note document.domain

* Update cryptominer time period

* Add missing lowercasing

* Update note

* Remove trailing whitespace

* Add two more queries

* Fix typo

* Add WSS CSP query

* Iframes attributes: change to custom_metrics + add more dates

* Update server-timing parsing

* FIx st query + add sampling data

* Add Server-Timing overview query

* Lint

* Add query to measure use of disallowed CSP directives in <meta>

* Fix linting issue

---------

Co-authored-by: Gertjan Franken <gertjan.franken@kuleuven.be>

Author: JannisBush

sql/2024/security/README.md

@@ -14,9 +14,9 @@
 - [📄 Planning doc][~google-doc]
 - [📊 Results sheet][~google-sheets]
 - [📝 Markdown file][~chapter-markdown]
-- [:book: 2021 chapter][~2021-chapter]
+- [:book: 2022 chapter][~2022-chapter]
 
 [~google-doc]: https://docs.google.com/document/d/1jBGxgkBDIi9nDQ-n2eVFkwDZXk_9rQkLiKfnHkknsAs/edit
 [~google-sheets]: https://docs.google.com/spreadsheets/d/1b9IEGbfQjKCEaTBmcv_zyCyWEsq35StCa-dVOe6V1Cs/edit#gid=1778117656
 [~chapter-markdown]: https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/src/content/en/2024/security.md
-[~2021-chapter]: https://almanac.httparchive.org/en/2021/security
+[~2022-chapter]: https://almanac.httparchive.org/en/2022/security

sql/2024/security/bot_detection.sql

@@ -0,0 +1,38 @@
+#standardSQL
+# Section: Attack Preventions - Bot protection services
+# Question: Which bot protection services are used most often on mobile and desktop sites?
+# Notes: The Wappalyzer 'Security' category mostly contains bot protection services such as reCAPTCHA and Cloudflare Bot Management
+# Issue: Due to some updates to wappalyzer the 'Security' category now also contains 'HSTS' (security header) and 'Really Simple SSL & Security' in significant numbers. Do we want to filter them out?
+SELECT
+  client,
+  t.technology,
+  COUNT(0) AS freq,
+  total,
+  COUNT(0) / total AS pct
+FROM
+  `httparchive.all.pages`,
+  UNNEST(technologies) AS t,
+  UNNEST(t.categories) AS category
+JOIN (
+  SELECT
+    client,
+    COUNT(0) AS total
+  FROM
+    `httparchive.all.pages`
+  WHERE
+    date = '2024-06-01' AND
+    is_root_page
+  GROUP BY
+    client)
+USING
+  (client)
+WHERE
+  date = '2024-06-01' AND
+  category = 'Security' AND
+  is_root_page
+GROUP BY
+  client,
+  total,
+  t.technology
+ORDER BY
+  pct DESC

sql/2024/security/clear-site-data_value_prevalence.sql

@@ -0,0 +1,30 @@
+#standardSQL
+# Section: Attack preventions - Preventing attacks using Clear-Site-Data
+# Question: Which Clear-Site-Data header values are most prevalent?
+# Notes: Many used values are still invalid (without quotes). We only count each host-value pair once.
+SELECT
+  client,
+  csd_header,
+  SUM(COUNT(DISTINCT host)) OVER (PARTITION BY client) AS total_csd_headers,
+  COUNT(DISTINCT host) AS freq,
+  COUNT(DISTINCT host) / SUM(COUNT(DISTINCT host)) OVER (PARTITION BY client) AS pct
+FROM (
+  SELECT
+    client,
+    NET.HOST(url) AS host,
+    response_headers.value AS csd_header
+  FROM
+    `httparchive.all.requests`,
+    UNNEST(response_headers) AS response_headers
+  WHERE
+    date = '2024-06-01' AND
+    is_root_page AND
+    # AND is_main_document # (Uncomment to only run on the main document response; majority of CSD headers are set on them)
+    LOWER(response_headers.name) = 'clear-site-data')
+GROUP BY
+  client,
+  csd_header
+ORDER BY
+  pct DESC
+LIMIT
+  100

sql/2024/security/coep_header_prevalence.sql

@@ -0,0 +1,30 @@
+#standardSQL
+# Section: Attack Preventions - Preventing attacks using Cross-Origin policies
+# Question: Which are the most common COEP values?
+# Note: Considers headers of main document responses
+SELECT
+  client,
+  coep_header,
+  SUM(COUNT(DISTINCT host)) OVER (PARTITION BY client) AS total_coep_headers,
+  COUNT(DISTINCT host) AS freq,
+  COUNT(DISTINCT host) / SUM(COUNT(DISTINCT host)) OVER (PARTITION BY client) AS pct
+FROM (
+  SELECT
+    client,
+    NET.HOST(url) AS host,
+    response_headers.value AS coep_header
+  FROM
+    `httparchive.all.requests`,
+    UNNEST(response_headers) AS response_headers
+  WHERE
+    date = '2024-06-01' AND
+    is_root_page AND
+    is_main_document AND
+    LOWER(response_headers.name) = 'cross-origin-embedder-policy')
+GROUP BY
+  client,
+  coep_header
+ORDER BY
+  pct DESC
+LIMIT
+  100

sql/2024/security/cookie_age_negative.sql

@@ -0,0 +1,130 @@
+#standardSQL
+# Section: Cookies - Cookie Age
+# Question: How many cookies (total, hosts, pages) have negative Max-Age, Expires and real age (Max-Age has precedence over Expires) attributes?
+# Note: Query is expensive and slow (14TB). Query is inefficient (We create a result array of length 1 for each cookie-attribute for each cookie and then unnest it again; We could instead not use arrays and skip the unnesting).
+# Note: Some of the percentages are quite different to the old query; one of both might be broken (difficult to compare as both cannot operate on a shared dataset)
+CREATE TEMPORARY FUNCTION getCookieAgeValues(cookie_value STRING, epochOfRequest NUMERIC)
+RETURNS STRING DETERMINISTIC
+LANGUAGE js AS '''
+  const regexMaxAge = new RegExp(/max-age\\s*=\\s*(?<value>-*[0-9]+)/i);
+  const regexExpires = new RegExp(/expires\\s*=\\s*(?<value>.*?)(;|$)/i);
+  const cookieValues = [cookie_value];
+  const result = {
+      "maxAge": [],
+      "expires": [],
+      "realAge": []
+  };
+  cookieValues.forEach(cookie => {
+      let maxAge = null;
+      let expires = null;
+      if (regexMaxAge.exec(cookie)) {
+          maxAge = Number(regexMaxAge.exec(cookie)[1]);
+          result["maxAge"].push(maxAge);
+      }
+      if (regexExpires.exec(cookie)) {
+          expires = Math.round(Number(new Date(regexExpires.exec(cookie)[1])) / 1000) - epochOfRequest;
+          result["expires"].push(Number.isSafeInteger(expires) ? expires : null);
+      }
+      if (maxAge) {
+          result["realAge"].push(maxAge);
+      } else if (expires) {
+          result["realAge"].push(expires);
+      }
+  });
+  return JSON.stringify(result);
+''';
+
+WITH age_values AS (
+  SELECT
+    client,
+    page,
+    NET.HOST(url) AS host,
+    getCookieAgeValues(response_headers.value, CAST(JSON_QUERY(summary, '$.startedDateTime') AS NUMERIC)) AS values
+  FROM
+    `httparchive.all.requests`,
+    UNNEST(response_headers) AS response_headers
+  WHERE
+    date = '2024-06-01' AND
+    is_root_page AND
+    LOWER(response_headers.name) = 'set-cookie'
+),
+
+max_age_values AS (
+  SELECT
+    client,
+    COUNTIF(SAFE_CAST(max_age_value AS NUMERIC) <= 0) AS count_negative_max_age,
+    SUM(COUNT(0)) OVER (PARTITION BY client) AS total_max_age_cookies,
+    COUNT(DISTINCT IF(SAFE_CAST(max_age_value AS NUMERIC) <= 0, page, NULL)) AS num_max_age_pages,
+    COUNT(DISTINCT page) AS total_max_age_pages,
+    COUNT(DISTINCT IF(SAFE_CAST(max_age_value AS NUMERIC) <= 0, host, NULL)) AS num_max_age_hosts,
+    COUNT(DISTINCT host) AS total_max_age_hosts
+  FROM age_values,
+    UNNEST(JSON_QUERY_ARRAY(values, '$.maxAge')) AS max_age_value
+  GROUP BY
+    client
+  ORDER BY
+    client
+),
+
+expires_values AS (
+  SELECT
+    client,
+    COUNTIF(SAFE_CAST(expires_value AS NUMERIC) <= 0) AS count_negative_expires,
+    SUM(COUNT(0)) OVER (PARTITION BY client) AS total_expires_cookies,
+    COUNT(DISTINCT IF(SAFE_CAST(expires_value AS NUMERIC) <= 0, page, NULL)) AS num_expires_pages,
+    COUNT(DISTINCT page) AS total_expires_pages,
+    COUNT(DISTINCT IF(SAFE_CAST(expires_value AS NUMERIC) <= 0, host, NULL)) AS num_expires_hosts,
+    COUNT(DISTINCT host) AS total_expires_hosts
+  FROM age_values,
+    UNNEST(JSON_QUERY_ARRAY(values, '$.expires')) AS expires_value
+  GROUP BY
+    client
+  ORDER BY
+    client
+),
+
+real_age_values AS (
+  SELECT
+    client,
+    COUNTIF(SAFE_CAST(real_age_value AS NUMERIC) <= 0) AS count_negative_real_age,
+    SUM(COUNT(0)) OVER (PARTITION BY client) AS total_real_age_cookies,
+    COUNT(DISTINCT IF(SAFE_CAST(real_age_value AS NUMERIC) <= 0, page, NULL)) AS num_real_age_pages,
+    COUNT(DISTINCT page) AS total_real_age_pages,
+    COUNT(DISTINCT IF(SAFE_CAST(real_age_value AS NUMERIC) <= 0, host, NULL)) AS num_real_age_hosts,
+    COUNT(DISTINCT host) AS total_real_age_hosts
+  FROM age_values,
+    UNNEST(JSON_QUERY_ARRAY(values, '$.realAge')) AS real_age_value
+  GROUP BY
+    client
+  ORDER BY
+    client
+)
+
+SELECT
+  client,
+  count_negative_max_age,
+  count_negative_max_age / total_max_age_cookies AS pct_negative_max_age,
+  num_max_age_pages,
+  num_max_age_pages / total_max_age_pages AS pct_max_age_pages,
+  num_max_age_hosts,
+  num_max_age_hosts / total_max_age_hosts AS pct_max_age_hosts,
+  count_negative_expires,
+  count_negative_expires / total_expires_cookies AS pct_negative_expires,
+  num_expires_pages,
+  num_expires_pages / total_expires_pages AS pct_expires_pages,
+  num_expires_hosts,
+  num_expires_hosts / total_expires_hosts AS pct_expires_hosts,
+  count_negative_real_age,
+  count_negative_real_age / total_real_age_cookies AS pct_negative_real_age,
+  num_real_age_pages,
+  num_real_age_pages / total_real_age_pages AS pct_real_age_pages,
+  num_real_age_hosts,
+  num_real_age_hosts / total_real_age_hosts AS pct_real_age_hosts
+FROM
+  max_age_values
+JOIN expires_values
+USING (client)
+JOIN real_age_values
+USING (client)
+ORDER BY
+  client

sql/2024/security/cookie_age_percentiles.sql

@@ -0,0 +1,118 @@
+#standardSQL
+# Section: Cookies - Cookie Age
+# Question: How long are cookies valid? (Max-Age, Expires, Real Age)
+# Note: Only incorporates values that are larger than 0; cookies set over all all requests on the root_page
+# Note: Could be combined with the other cookie queries to run the expensive response_header unnesting only once?
+CREATE TEMPORARY FUNCTION getCookieAgeValues(cookie_value STRING, epochOfRequest NUMERIC)
+RETURNS STRING DETERMINISTIC
+LANGUAGE js AS '''
+  const regexMaxAge = new RegExp(/max-age\\s*=\\s*(?<value>-*[0-9]+)/i);
+  const regexExpires = new RegExp(/expires\\s*=\\s*(?<value>.*?)(;|$)/i);
+  const cookieValues = [cookie_value];
+  const result = {
+      "maxAge": [],
+      "expires": [],
+      "realAge": []
+  };
+  cookieValues.forEach(cookie => {
+      let maxAge = null;
+      let expires = null;
+      if (regexMaxAge.exec(cookie)) {
+          maxAge = Number(regexMaxAge.exec(cookie)[1]);
+          result["maxAge"].push(maxAge);
+      }
+      if (regexExpires.exec(cookie)) {
+          expires = Math.round(Number(new Date(regexExpires.exec(cookie)[1])) / 1000) - epochOfRequest;
+          result["expires"].push(Number.isSafeInteger(expires) ? expires : null);
+      }
+      if (maxAge) {
+          result["realAge"].push(maxAge);
+      } else if (expires) {
+          result["realAge"].push(expires);
+      }
+  });
+  return JSON.stringify(result);
+''';
+
+WITH age_values AS (
+  SELECT
+    client,
+    getCookieAgeValues(response_headers.value, CAST(JSON_QUERY(summary, '$.startedDateTime') AS NUMERIC)) AS values
+  FROM
+    `httparchive.all.requests`,
+    UNNEST(response_headers) AS response_headers
+  WHERE
+    date = '2024-06-01' AND
+    is_root_page AND
+    LOWER(response_headers.name) = 'set-cookie'
+),
+
+max_age_values AS (
+  SELECT
+    client,
+    percentile,
+    APPROX_QUANTILES(SAFE_CAST(max_age_value AS NUMERIC), 1000 IGNORE NULLS)[OFFSET(percentile * 10)] AS max_age
+  FROM age_values,
+    UNNEST(JSON_QUERY_ARRAY(values, '$.maxAge')) AS max_age_value,
+    UNNEST([10, 25, 50, 75, 90, 100]) AS percentile
+  WHERE
+    SAFE_CAST(max_age_value AS NUMERIC) > 0
+  GROUP BY
+    percentile,
+    client
+  ORDER BY
+    percentile,
+    client
+),
+
+expires_values AS (
+  SELECT
+    client,
+    percentile,
+    APPROX_QUANTILES(SAFE_CAST(expires_value AS NUMERIC), 1000 IGNORE NULLS)[OFFSET(percentile * 10)] AS expires
+  FROM age_values,
+    UNNEST(JSON_QUERY_ARRAY(values, '$.expires')) AS expires_value,
+    UNNEST([10, 25, 50, 75, 90, 100]) AS percentile
+  WHERE
+    SAFE_CAST(expires_value AS NUMERIC) > 0
+  GROUP BY
+    percentile,
+    client
+  ORDER BY
+    percentile,
+    client
+),
+
+real_age_values AS (
+  SELECT
+    client,
+    percentile,
+    APPROX_QUANTILES(SAFE_CAST(real_age_value AS NUMERIC), 1000 IGNORE NULLS)[OFFSET(percentile * 10)] AS real_age
+  FROM age_values,
+    UNNEST(JSON_QUERY_ARRAY(values, '$.realAge')) AS real_age_value,
+    UNNEST([10, 25, 50, 75, 90, 100]) AS percentile
+  WHERE
+    SAFE_CAST(real_age_value AS NUMERIC) > 0
+  GROUP BY
+    percentile,
+    client
+  ORDER BY
+    percentile,
+    client
+)
+
+SELECT
+  client,
+  percentile,
+  max_age,
+  expires,
+  real_age
+FROM
+  max_age_values
+JOIN expires_values
+USING (client, percentile)
+JOIN real_age_values
+USING (client, percentile)
+ORDER BY
+  client,
+  percentile