Polymorphism as a Defense for Automated Attack of Websites

  • Xinran Wang
  • Tadayoshi Kohno
  • Bob Blakley
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8479)


We propose PolyRef, a method for a polymorphic defense to defeat automated attacks on web applications. Many websites are vulnerable to automated attacks. Basic anti-automation countermeasures such as Turing tests provide minimal efficacy and negatively impact the usability and the accessibility of the protected application. Motivated by the observation that many automated attacks rely on interaction with the publicly visible code transmitted to the browser, PolyRef proposes to make critical elements of the underlying webpage code polymorphic, rendering machine automation impractical to implement. We categorize the threats that rely on automation and the available anti-automation approaches. We present two techniques for using polymorphism as an anti-automation defense.


Content Delivery Network Authentication Credential Account Creation Automatic Static Analysis Automation Test Tool 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Belgisch gerecht ontdekt oplichting bij internetbankieren (2010)
  2. 2.
  3. 3.
  4. 4.
    Mykonos web security (2013),
  5. 5.
    Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 75–88. ACM, New York (2008)Google Scholar
  6. 6.
    Chu, Z., Gianvecchio, S., Koehl, A., Wang, H., Jajodia, S.: Blog or block: Detecting blog bots through behavioral biometrics. Comput. Netw. 57(3), 634–646 (2013)CrossRefGoogle Scholar
  7. 7.
    Chu, Z., Gianvecchio, S., Wang, H., Jajodia, S.: Who is tweeting on twitter: Human, bot, or cyborg? In: Proceedings of the 26th Annual Computer Security Applications Conference. ACM, New York (2010)Google Scholar
  8. 8.
    Crosby, S.A., Wallach, D.S.: Denial of service via algorithmic complexity attacks. In: Proceedings of the Usenix Security Symposium 2003, Berkeley, CA, USA, pp. 243–255. USENIX Association (2003)Google Scholar
  9. 9.
    Czeskis, A., Moshchuk, A., Kohno, T., Wang, H.J.: Lightweight server support for browser-based csrf protection. In: Proceedings of the 22nd International Conference on World Wide Web, WWW 2013 Companion, Republic and Canton of Geneva, Switzerland, pp. 273–284. International World Wide Web Conferences Steering Committee (2013)Google Scholar
  10. 10.
    Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  11. 11.
    Fontana, J.: Password’s rotten core not complexity but reuse (March 2013),
  12. 12.
    Gardner, P.A., Maffeis, S., Smith, G.D.: Towards a program logic for JavaScript. In: Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, pp. 31–44. ACM, New York (2012)Google Scholar
  13. 13.
    Gianvecchio, S., Wu, Z., Xie, M., Wang, H.: Battle of botcraft: Fighting bots in online games with human observational proofs. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 256–268. ACM, New York (2009)Google Scholar
  14. 14.
    Gianvecchio, S., Xie, M., Wu, Z., Wang, H.: Measurement and classification of humans and bots in internet chat. In: Proceedings of the 17th Conference on Security Symposium, SS 2008, pp. 155–169. USENIX Association, Berkeley (2008)Google Scholar
  15. 15.
    Heiderich, M.: Csrfx (2007),
  16. 16.
    Jensen, S.H., Jonsson, P.A., Møller, A.: Remedying the eval that men do. In: Proceedings of the 2012 International Symposium on Software Testing and Analysis, pp. 34–44. ACM, New York (2012)Google Scholar
  17. 17.
    Jovanovic, N., Kirda, E., Kruegel, C.: Preventing cross site request forgery attacks. In: Second IEEE Communications Society/CreateNet International Conference on Security and Privacy in Communication Networks. IEEE (2006)Google Scholar
  18. 18.
    Kee, T.: Beyond cookies: digital fingerprints may track personal devices (December 2010),
  19. 19.
    Miessler, D.: Bypassing WAF anti-automation using burp’s cookie jar (September 2013),
  20. 20.
    Ollmann, G.: Stopping automated application attack tools. Technical report, Black Hat Europe 2006 (2006)Google Scholar
  21. 21.
    Sheridan, E.: OWASP CSRFGuard project (2008),
  22. 22.
    von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: CAPTCHA: using hard ai problems for security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 294–311. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  23. 23.
    Yan, J., El Ahmad, A.S.: Usability of CAPTCHAs or usability issues in CAPTCHA design. In: Proceedings of the 4th Symposium on Usable Privacy and Security, SOUPS 2008, pp. 44–52. ACM, New York (2008)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Xinran Wang
    • 1
  • Tadayoshi Kohno
    • 2
  • Bob Blakley
    • 3
  1. 1.Shape SecurityUSA
  2. 2.University of WashingtonUSA
  3. 3.CitigroupUSA

Personalised recommendations