Journal in Computer Virology, Volume 4, Issue 3, pp 161–178

On JavaScript Malware and related threats

Web page based attacks revisited
Original Paper

Abstract

The term JavaScript Malware describes attacks that abuse the web browser’s capabilities to execute malicious script code within the victim’s local execution context. Unlike related attacks, JavaScript Malware does not rely on security vulnerabilities in the web browser’s code; instead it relies solely on functionality that is legitimate with respect to the applicable specification documents. Such attacks can invade the user’s privacy, explore and exploit the LAN, or use the victimized browser as an attack proxy. This paper documents the state of the art concerning this class of attacks, sums up relevant protection approaches, and provides directions for future research.



Copyright information

© Springer-Verlag France 2007

Authors and Affiliations

Security in Distributed Systems (SVS), Department of Informatics, University of Hamburg, Hamburg, Germany