
DEMACRO: Defense against Malicious Cross-Domain Requests

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7462))


Abstract

In the constant evolution of the Web, the simple always gives way to the more complex. Static webpages with click-through dialogues are becoming more and more obsolete and in their place, asynchronous JavaScript requests, Web mash-ups and proprietary plug-ins with the ability to conduct cross-domain requests shape the modern user experience. Three recent studies showed that a significant number of Web applications implement poor cross-domain policies allowing malicious domains to embed Flash and Silverlight applets which can conduct arbitrary requests to these Web applications under the identity of the visiting user. In this paper, we confirm the findings of the aforementioned studies and we design DEMACRO, a client-side defense mechanism which detects potentially malicious cross-domain requests and de-authenticates them by removing existing session credentials. Our system requires no training or user interaction and imposes minimal performance overhead on the user’s browser.
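The abstract describes the mechanism at the level of its effect: a cross-domain request issued by a plug-in applet toward a site with a poor cross-domain policy is sent without the user's session credentials. The Python model below is an added illustration written for this page, not the paper's implementation. It assumes that a request is cross-domain when the target host differs from the host that served the applet, that a crossdomain.xml granting `allow-access-from domain="*"` is the "poor policy" case, that a missing policy or a policy not naming the applet's host is also treated cautiously, and that de-authentication means dropping the `Cookie` and `Authorization` headers before the request leaves the browser. The hosts and policy files are constructed sample data.

```python
"""
Model of a DEMACRO-style client-side filter for plug-in cross-domain requests.
Added illustration, not the paper's code. Assumptions: cross-domain means the
target host differs from the applet's host; a wildcard "*" grant in
crossdomain.xml is a poor policy; de-authentication strips Cookie/Authorization.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample policies, standing in for a fetched /crossdomain.xml.
SAMPLE_POLICIES = {
    "bank.example": (
        '<?xml version="1.0"?><cross-domain-policy>'
        '<allow-access-from domain="*"/></cross-domain-policy>'
    ),
    "strict.example": (
        '<cross-domain-policy>'
        '<allow-access-from domain="www.strict.example"/>'
        '<allow-access-from domain="*.partner.example"/>'
        '</cross-domain-policy>'
    ),
}

CREDENTIAL_HEADERS = ("cookie", "authorization")


@dataclass
class PluginRequest:
    url: str            # request target
    applet_host: str    # host that served the Flash/Silverlight applet
    headers: dict       # headers the browser would attach (session cookie etc.)


def parse_policy(xml_text: str) -> list:
    """Return the domain patterns granted by <allow-access-from> elements."""
    root = ET.fromstring(xml_text)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def is_permissive(patterns: list) -> bool:
    """A bare '*' grant lets any domain read responses: the poor-policy case."""
    return "*" in patterns


def origin_allowed(patterns: list, host: str) -> bool:
    """Shell-style match of the applet host against the granted patterns."""
    return any(fnmatchcase(host, p) for p in patterns)


def deauthenticate(req: PluginRequest) -> PluginRequest:
    """Copy the request without the headers that carry session credentials."""
    clean = {k: v for k, v in req.headers.items()
             if k.lower() not in CREDENTIAL_HEADERS}
    return PluginRequest(req.url, req.applet_host, clean)


def filter_request(req: PluginRequest, policies=SAMPLE_POLICIES):
    """Return (request_to_send, verdict).

    Same-domain requests pass untouched. Cross-domain requests keep their
    credentials only when the target's policy explicitly names the applet's
    host; wildcard, missing, or non-matching policies get de-authenticated.
    """
    target = urlsplit(req.url).hostname
    if target == req.applet_host:
        return req, "same-domain"
    xml_text = policies.get(target)
    if xml_text is None:
        return deauthenticate(req), "no-policy"
    patterns = parse_policy(xml_text)
    if is_permissive(patterns):
        return deauthenticate(req), "permissive-policy"
    if not origin_allowed(patterns, req.applet_host):
        return deauthenticate(req), "origin-not-granted"
    return req, "origin-granted"


if __name__ == "__main__":
    # An applet served by attacker.example issuing a request to bank.example,
    # whose wildcard policy would otherwise let it act with the user's session.
    demo = PluginRequest("https://bank.example/transfer?to=x", "attacker.example",
                         {"Cookie": "SESSID=abc", "Accept": "*/*"})
    sent, verdict = filter_request(demo)
    print(verdict, sent.headers)
```

The verdict strings make the decision auditable: a browser extension built on this model could log `permissive-policy` events per target host, which is also a cheap way to measure how many of the sites a user visits expose the wildcard policy the abstract refers to.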



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lekies, S., Nikiforakis, N., Tighzert, W., Piessens, F., Johns, M. (2012). DEMACRO: Defense against Malicious Cross-Domain Requests. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_13


  • DOI: https://doi.org/10.1007/978-3-642-33338-5_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33337-8

  • Online ISBN: 978-3-642-33338-5

  • eBook Packages: Computer Science (R0)
