Client-Side Detection of XSS Worms by Monitoring Payload Propagation

  • Fangqi Sun
  • Liang Xu
  • Zhendong Su
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)

Abstract

Cross-site scripting (XSS) vulnerabilities make it possible for worms to spread quickly to a broad range of users on popular Web sites. To date, the detection of XSS worms has been largely unexplored. This paper proposes the first purely client-side solution to detect XSS worms. Our insight is that an XSS worm must spread from one user to another by reconstructing and propagating its payload. Our approach prevents the propagation of XSS worms by monitoring outgoing requests that send self-replicating payloads. We intercept all HTTP requests on the client side and compare them with currently embedded scripts. We have implemented a cross-platform Firefox extension that is able to detect all existing self-replicating XSS worms that propagate on the client side. Our test results show that it incurs low performance overhead and reports no false positives when tested on popular Web sites.
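
The comparison the abstract describes, sketched as an added example (not the authors' extension code): each field of an outgoing request is decoded and checked against the text of the scripts embedded in the current page. The trigram containment measure, the 0.6 threshold, the function names and the sample data are assumptions made for illustration; the abstract does not specify them.

```javascript
// Added example; names, the 0.6 threshold and sample data are assumptions.
// Undo repeated URL encoding so an encoded copy of a script stays comparable.
function decodeLayers(text, maxRounds = 3) {
  let current = text.replace(/\+/g, " "); // form encoding: "+" means space
  for (let i = 0; i < maxRounds; i++) {
    let next = current;
    try { next = decodeURIComponent(current); } catch (e) { /* malformed escape */ }
    if (next === current) break;
    current = next;
  }
  return current;
}
// Lower-case, strip whitespace, collect the distinct 3-character substrings.
function trigrams(text) {
  const s = text.toLowerCase().replace(/\s+/g, "");
  return new Set(Array.from({ length: Math.max(s.length - 2, 0) }, (_, i) => s.slice(i, i + 3)));
}
// Fraction of the script's trigrams that also appear in the outgoing value.
function containment(scriptText, value) {
  const a = trigrams(scriptText), b = trigrams(value);
  if (a.size < 10) return 0; // tiny scripts would match by chance
  return [...a].filter((g) => b.has(g)).length / a.size;
}
// Split the query string and form body into [name, rawValue] pairs.
function fieldsOf(request) {
  const query = request.url.split("?").slice(1).join("?");
  return (query + "&" + (request.body || "")).split("&").filter(Boolean).map((p) => {
    const i = p.indexOf("=");
    return i < 0 ? ["", p] : [p.slice(0, i), p.slice(i + 1)];
  });
}
// Report each field carrying a near-copy of a script embedded in the page.
function checkRequest(request, embeddedScripts, threshold = 0.6) {
  const findings = [];
  for (const [field, raw] of fieldsOf(request)) {
    embeddedScripts.forEach((text, script) => {
      const score = containment(text, decodeLayers(raw));
      if (score >= threshold) findings.push({ field, script, score });
    });
  }
  return findings;
}
// Constructed sample data: inert scripts and made-up requests.
const SAMPLE_SCRIPTS = [
  "function showBanner(){ var msg = 'welcome back'; document.title = msg; }",
  "var counter = 0; function tick(){ counter += 1; return counter; }",
];
const SAMPLE_BENIGN = { url: "https://site.example/search?q=welcome+back&page=2", body: "" };
const SAMPLE_COPY = { url: "https://site.example/profile", body: "name=alice&about=" + encodeURIComponent(encodeURIComponent(SAMPLE_SCRIPTS[1])) };
```
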

Keywords

cross-site scripting worm; client-side detection; Web application security

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Fangqi Sun (1)
  • Liang Xu (1)
  • Zhendong Su (1)
  1. Department of Computer Science, University of California, Davis