Abstract
We propose PolyRef, a polymorphic defense against automated attacks on web applications. Many websites are vulnerable to automated attacks. Basic anti-automation countermeasures such as Turing tests provide minimal efficacy and degrade both the usability and the accessibility of the protected application. Motivated by the observation that many automated attacks rely on interacting with the publicly visible code transmitted to the browser, PolyRef makes critical elements of the underlying webpage code polymorphic, so that machine automation becomes impractical to implement. We categorize the threats that rely on automation and the available anti-automation approaches, and we present two techniques for using polymorphism as an anti-automation defense.
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Wang, X., Kohno, T., Blakley, B. (2014). Polymorphism as a Defense for Automated Attack of Websites. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds) Applied Cryptography and Network Security. ACNS 2014. Lecture Notes in Computer Science, vol 8479. Springer, Cham. https://doi.org/10.1007/978-3-319-07536-5_30
DOI: https://doi.org/10.1007/978-3-319-07536-5_30
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07535-8
Online ISBN: 978-3-319-07536-5
eBook Packages: Computer Science (R0)