International Conference on Security and Privacy in Communication Systems

International Conference on Security and Privacy in Communication Networks, pp. 582–601

Abusing Browser Address Bar for Fun and Profit - An Empirical Investigation of Add-On Cross Site Scripting Attacks

  • Yinzhi Cao
  • Chao Yang
  • Vaibhav Rastogi
  • Yan Chen
  • Guofei Gu
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 152)


Add-on JavaScript originating from users’ inputs to the browser brings new functionalities such as debugging and entertainment; however, it also leads to a new type of cross-site scripting attack (which we define as add-on XSS), which consists of two parts: a snippet of JavaScript in clear text, and a spamming sentence enticing benign users to input the preceding JavaScript. In this paper, we focus on the most common add-on XSS, the one caused by browser address bar JavaScript. To measure the severity, we conduct three experiments: (i) analysis of real-world traces from two large social networks, (ii) a user study by means of recruiting Amazon Mechanical Turk workers [4], and (iii) a Facebook experiment with a fake account. We believe that, as the first systematic and scientific study, our paper can ring a bell for all the browser vendors and shed light for future researchers to find an appropriate solution for add-on XSS.
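The abstract describes an add-on XSS post as two parts, a clear-text `javascript:` snippet and a sentence enticing the reader to paste it into the address bar. The following is an added example, not code from the paper or its authors, that turns that two-part definition into a defender-side detector a social network could run over user messages, together with the paste-time mitigation some browsers later adopted (dropping a leading `javascript:` scheme from text pasted into the address bar). The regular expressions, the function names and the sample messages are all constructed for this illustration and are not taken from the paper's traces.

```javascript
// Added example (not the paper's code): detect add-on XSS lures in
// social-network messages and strip the script scheme from pasted text.

// Part 1 of an add-on XSS post: a clear-text script URL.
const JS_URL = /javascript\s*:/i;

// Part 2: a sentence telling the reader to put something into the
// address bar. Heuristic pattern, constructed for this example.
const LURE = /(paste|copy|type|enter)[^.!?]*(address|url|location)\s*bar/i;

// Classify one message by which of the two parts it contains.
function classifyMessage(text) {
  const hasScriptUrl = JS_URL.test(text);
  const hasLure = LURE.test(text);
  let verdict;
  if (hasScriptUrl && hasLure) verdict = "add-on-xss";      // both parts present
  else if (hasScriptUrl) verdict = "script-url-only";       // e.g. a developer discussing a link
  else if (hasLure) verdict = "lure-only";                  // instruction without a payload
  else verdict = "benign";
  return { hasScriptUrl, hasLure, verdict };
}

// Return only the messages that carry both parts of an add-on XSS post.
function findAddOnXssCandidates(messages) {
  return messages
    .map((text, index) => ({ index, text, ...classifyMessage(text) }))
    .filter((r) => r.verdict === "add-on-xss");
}

// Browser-side mitigation: remove a leading "javascript:" scheme from text
// pasted into the address bar, so the snippet is treated as a plain
// search or URL instead of being executed in the current page.
function stripScriptScheme(pasted) {
  return pasted.replace(/^\s*javascript\s*:/i, "");
}

// Constructed sample messages (not real traces from the paper).
const SAMPLE_MESSAGES = [
  "Great game last night! See everyone at the meetup.",
  "Want a hidden feature? Copy this into your address bar: javascript:document.title='hidden'",
  "Dev tip: javascript:void(0) is a common placeholder href, nothing to paste anywhere.",
  "Just type your friend's name in the search bar to find them.",
];

function main() {
  const hits = findAddOnXssCandidates(SAMPLE_MESSAGES);
  for (const h of hits) {
    console.log(`message #${h.index} flagged as add-on XSS: ${h.text}`);
  }
  console.log(`pasted text after scheme strip: ${stripScriptScheme("javascript:document.title")}`);
  return hits;
}

main();
```

Only the message that contains both the script URL and the address-bar instruction is flagged; a developer mentioning `javascript:void(0)` without telling anyone to paste it is classified as `script-url-only`, which is the kind of distinction a spam filter built on the paper's definition needs in order to avoid flagging ordinary technical discussion.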


Keywords: Browser address bar · Add-on cross-site scripting · User study


References

  1.
  2. Ad network Mobile Theory announces record revenue growth in 2012.
  3. Alexa Top Websites.
  4. Amazon Mechanical Turk.
  5.
  6.
  7.
  8.
  9.
  10.
  11.
  12.
  13.
  14. Maxthon browser.
  15. Opera browser.
  16. Over-usage of administrator of tieba’s power (in Chinese).
  17.
  18. Social engineering issue with JavaScript URLs.
  19. Sogou browser.
  20. Sogou revenue soars 123% in Q2 2012.
  21.
  22. Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Saner: composing static and dynamic analysis to validate sanitization in web applications. In: Proceedings of the 2008 IEEE Symposium on Security and Privacy, pp. 387–401. IEEE Computer Society, Washington, DC (2008)
  23. Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)
  24. Cao, Y., Yegneswaran, V., Porras, P., Chen, Y.: PathCutter: severing the self-propagation path of XSS JavaScript worms in social web networks. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium (2012)
  25. Chong, S., Vikram, K., Myers, A.C.: SIF: enforcing confidentiality and integrity in web applications. In: USENIX Security Symposium (2007)
  26. Gao, H., Chen, Y., Lee, K., Palsetia, D., Choudhary, A.: Towards online spam filtering in social networks. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium (2012)
  27. Gao, H., Hu, J., Wilson, C., Li, Z., Chen, Y., Zhao, B.Y.: Detecting and characterizing social spam campaigns. In: Proceedings of the 10th Annual Conference on Internet Measurement, IMC 2010 (2010)
  28. Grier, C., Thomas, K., Paxson, V., Zhang, M.: @spam: the underground on 140 characters or less. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010 (2010)
  29. Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., Kuo, S.-Y.: Securing web application code by static analysis and runtime protection. In: WWW: Conference on World Wide Web (2004)
  30. Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, pp. 601–610. ACM, New York (2007)
  31. Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities (short paper). In: SP: IEEE Symposium on Security and Privacy (2006)
  32. Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: a client-side solution for mitigating cross-site scripting attacks. In: SAC: ACM Symposium on Applied Computing (2006)
  33. Lee, K., Caverlee, J., Webb, S.: Uncovering social spammers: social honeypots + machine learning. In: Proceedings of the 33rd International ACM SIGIR Conference on Research and Development in Information Retrieval, SIGIR 2010 (2010)
  34. Livshits, B., Cui, W.: Spectator: detection and containment of JavaScript worms. In: ATC: USENIX Annual Technical Conference (2008)
  35. Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: Proceedings of the 14th Conference on USENIX Security Symposium, vol. 14, p. 18. USENIX Association, Berkeley (2005)
  36. Martin, M., Lam, M.S.: Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In: Proceedings of the 17th Conference on Security Symposium, pp. 31–43. USENIX Association, Berkeley (2008)
  37. Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: Network and Distributed System Security Symposium (2009)
  38. Sambamurthy, V., Tanniru, M. (eds.): A Renaissance of Information Technology for Sustainability and Global Competitiveness. 17th Americas Conference on Information Systems, AMCIS 2011, Detroit, Michigan, USA, August 4–8 2011. Association for Information Systems (2011)
  39. Song, D.: Machine learning & security and privacy: experiences and lessons.
  40. Sun, F., Xu, L., Su, Z.: Client-side detection of XSS worms by monitoring payload propagation. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 539–554. Springer, Heidelberg (2009)
  41. Ter Louw, M., Venkatakrishnan, V.: Blueprint: precise browser-neutral prevention of cross-site scripting attacks. In: 30th IEEE Symposium on Security and Privacy (2009)
  42. Thomas, K., Grier, C., Ma, J., Paxson, V., Song, D.: Design and evaluation of a real-time URL spam filtering service. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP 2011 (2011)
  43. Weinberg, Z., Chen, E.Y., Jayaraman, P.R., Jackson, C.: I still know what you visited last summer: leaking browsing history via user interaction and side channel attacks. In: IEEE Symposium on Security and Privacy (2011)
  44. Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: USENIX Security Symposium (2006)
  45. Xu, W., Zhang, F., Zhu, S.: Toward worm detection in online social networks. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC 2010, New York, NY, USA, pp. 11–20. ACM (2010)
  46. Yang, C., Harkreader, R.C., Gu, G.: Die free or live hard? Empirical evaluation and new design for fighting evolving Twitter spammers. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 318–337. Springer, Heidelberg (2011)
  47. Zhou, Y., Evans, D.: Why aren’t HTTP-only cookies more widely deployed? In: W2SP: Web 2.0 Security and Privacy (2010)

Copyright information

© Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2015

Authors and Affiliations

  • Yinzhi Cao (1)
  • Chao Yang (2)
  • Vaibhav Rastogi (1)
  • Yan Chen (1)
  • Guofei Gu (2)

  1. Northwestern University, Evanston, USA
  2. Texas A&M University, College Station, USA
