2015 | OriginalPaper | Chapter

Abusing Browser Address Bar for Fun and Profit - An Empirical Investigation of Add-On Cross Site Scripting Attacks

Authors : Yinzhi Cao, Chao Yang, Vaibhav Rastogi, Yan Chen, Guofei Gu

Published in: International Conference on Security and Privacy in Communication Networks

Publisher: Springer International Publishing

Abstract

Add-on JavaScript, JavaScript that originates from the user's own input to the browser, brings new functionality such as debugging and entertainment; however, it also enables a new type of cross-site scripting attack, which we define as add-on XSS. An add-on XSS attack consists of two parts: a snippet of JavaScript in clear text, and a spamming sentence enticing benign users to enter that JavaScript themselves. In this paper, we focus on the most common form of add-on XSS, the one caused by JavaScript entered into the browser address bar. To measure its severity, we conduct three experiments: (i) an analysis of real-world traces from two large social networks, (ii) a user study conducted by recruiting Amazon Mechanical Turk workers [4], and (iii) a Facebook experiment with a fake account. As the first systematic and scientific study of this attack, we believe our paper can serve as a wake-up call for all browser vendors and shed light for future researchers seeking an appropriate solution to add-on XSS.

Footnotes

1. Although they share the keyword "add-on", add-on JavaScript and browser add-ons are two different concepts.

2. Safari is the default web browser for Mac users, and it "accounted for 62.17 % of mobile web browsing traffic and 5.43 % of desktop traffic in October 2011, giving a combined market share of 8.72 %" [7].

3. Opera has over 270 million users worldwide [2].

4. As of June 2012, Sogou Browser had 90 million unique users [20].

5. Maxthon ranked 97th in PCWorld's 100 Best Products of 2011 [1].
Literature

22. Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Saner: composing static and dynamic analysis to validate sanitization in web applications. In: Proceedings of the 2008 IEEE Symposium on Security and Privacy, pp. 387–401. IEEE Computer Society, Washington, DC (2008)
23. Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)
24. Cao, Y., Yegneswaran, V., Porras, P., Chen, Y.: PathCutter: severing the self-propagation path of XSS JavaScript worms in social web networks. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium (2012)
25. Chong, S., Vikram, K., Myers, A.C.: SIF: enforcing confidentiality and integrity in web applications. In: USENIX Security Symposium (2007)
26. Gao, H., Chen, Y., Lee, K., Palsetia, D., Choudhary, A.: Towards online spam filtering in social networks. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium (2012)
27. Gao, H., Hu, J., Wilson, C., Li, Z., Chen, Y., Zhao, B.Y.: Detecting and characterizing social spam campaigns. In: Proceedings of the 10th Annual Conference on Internet Measurement, IMC 2010 (2010)
28. Grier, C., Thomas, K., Paxson, V., Zhang, M.: @spam: the underground on 140 characters or less. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010 (2010)
29. Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., Kuo, S.-Y.: Securing web application code by static analysis and runtime protection. In: WWW: Conference on World Wide Web (2004)
30. Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, pp. 601–610. ACM, New York (2007)
31. Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities (short paper). In: SP: IEEE Symposium on Security and Privacy (2006)
32. Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: a client-side solution for mitigating cross-site scripting attacks. In: SAC: ACM Symposium on Applied Computing (2006)
33. Lee, K., Caverlee, J., Webb, S.: Uncovering social spammers: social honeypots + machine learning. In: Proceedings of the 33rd International ACM SIGIR Conference on Research and Development in Information Retrieval, SIGIR 2010 (2010)
34. Livshits, B., Cui, W.: Spectator: detection and containment of JavaScript worms. In: ATC: USENIX Annual Technical Conference (2008)
35. Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: Proceedings of the 14th Conference on USENIX Security Symposium, vol. 14, p. 18. USENIX Association, Berkeley (2005)
36. Martin, M., Lam, M.S.: Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In: Proceedings of the 17th Conference on Security Symposium, pp. 31–43. USENIX Association, Berkeley (2008)
37. Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: Network and Distributed System Security Symposium (2009)
38. Sambamurthy, V., Tanniru, M. (eds.): A Renaissance of Information Technology for Sustainability and Global Competitiveness. 17th Americas Conference on Information Systems, AMCIS 2011, Detroit, Michigan, USA, August 4–8 2011. Association for Information Systems (2011)
40. Sun, F., Xu, L., Su, Z.: Client-side detection of XSS worms by monitoring payload propagation. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 539–554. Springer, Heidelberg (2009)
41. Ter Louw, M., Venkatakrishnan, V.: Blueprint: precise browser-neutral prevention of cross-site scripting attacks. In: 30th IEEE Symposium on Security and Privacy (2009)
42. Thomas, K., Grier, C., Ma, J., Paxson, V., Song, D.: Design and evaluation of a real-time URL spam filtering service. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP 2011 (2011)
43. Weinberg, Z., Chen, E.Y., Jayaraman, P.R., Jackson, C.: I still know what you visited last summer: leaking browsing history via user interaction and side channel attacks. In: IEEE Symposium on Security and Privacy (2011)
44. Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: USENIX Security Symposium (2006)
45. Xu, W., Zhang, F., Zhu, S.: Toward worm detection in online social networks. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC 2010, pp. 11–20. ACM, New York (2010)
46. Yang, C., Harkreader, R.C., Gu, G.: Die free or live hard? Empirical evaluation and new design for fighting evolving Twitter spammers. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 318–337. Springer, Heidelberg (2011)
47. Zhou, Y., Evans, D.: Why aren't HTTP-only cookies more widely deployed? In: W2SP: Web 2.0 Security and Privacy (2010)

Metadata
Title
Abusing Browser Address Bar for Fun and Profit - An Empirical Investigation of Add-On Cross Site Scripting Attacks
Authors
Yinzhi Cao
Chao Yang
Vaibhav Rastogi
Yan Chen
Guofei Gu
Copyright Year
2015
DOI
https://doi.org/10.1007/978-3-319-23829-6_45