Abstract
Most of the recent work on Web security focuses on preventing attacks that directly harm the browser’s host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious or subverted Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation, and reconnaissance scans. We show that attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.