Abstract
Add-on JavaScript originating from users’ inputs to the browser brings new functionalities such as debugging and entertainment, however it also leads to a new type of cross-site scripting attack (defined as add-on XSS by us), which consists of two parts: a snippet of JavaScript in clear text, and a spamming sentence enticing benign users to input the previous JavaScript. In this paper, we focus on the most common add-on XSS, the one caused by browser address bar JavaScript. To measure the severity, we conduct three experiments: (i) analysis on real-world traces from two large social networks, (ii) a user study by means of recruiting Amazon Mechanical Turks [4], and (iii) a Facebook experiment with a fake account. We believe as the first systematic and scientific study, our paper can ring a bell for all the browser vendors and shed a light for future researchers to find an appropriate solution for add-on XSS.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Although sharing the keyword “add-on”, add-on JavaScript and browser add-on are two different concepts.
- 2.
Safari is the default web browsers for Mac Users, which “accounted for 62.17 % of mobile web browsing traffic and 5.43 % of desktop traffic in October 2011, giving a combined market share of 8.72 %” [7].
- 3.
Opera owns over 270 million users worldwide [2].
- 4.
On June, 2012, the unique users of Sogou Browser are 90 million [20].
- 5.
Maxthon ranked 97 in PCWorlds the 100 Best Products on year 2011 [1].
References
100 best products of 2011. http://www.pcworld.com/product/collection/9806/2011-best-tech.html
Ad network mobile theory announces record revenue growth in 2012. http://www.opera.com/press/releases/2012/06/11/
Alexa Top Websites. http://www.alexa.com/topsites
Amazon mechanical turk. https://requester.mturk.com/
Chrome for mobile. https://www.google.com/intl/en/chrome/browser/mobile/#utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha
Content Security Policy - Mozilla. http://people.mozilla.com/bsterne/content-security-policy/index.html
The end of an era: Internet explorer drops below 50. http://arstechnica.com/information-technology/2011/11/the-end-of-an-era-internet-explorer-drops-below-50-percent-of-web-usage/
Facebook tokens abused in free ticket spam campaign. http://news.softpedia.com/news/Facebook-Tokens-Abused-in-Free-Ticket-Spam-Campaign-225411.shtml
Facebook usage: How often do different types of users access facebook? http://blog.coherentia.com/index.php/2009/08/facebook-usage-how-often-do-different-types-of-users-access-facebook/
Fly images with javascript. http://www.vincentchow.net/345/fly-images-with-javascript
Javascript alert not working in firefox 6. http://stackoverflow.com/questions/6643414/javascript-alert-not-working-in-firefox-6
Javascript console. http://www.squarefree.com/shell/
Javascript shell. http://www.squarefree.com/shell/
Maxthon browser. http://www.maxthon.com/
Opera browser. http://www.opera.com
Over-usage of administator of tieba’s power - in Chinese. http://law.shangdu.com/post/p.asp?/=101394
Safari. http://www.apple.com/safari/
Social engineering issue with javascript urls. https://bugzilla.mozilla.org/show_bug.cgi?id=527530
Sogou browser. http://ie.sogou.com/
Sogou revenue soars 123% in q2 2012. http://www.iresearchchina.com/views/4443.html
Survey monkey. http://www.surveymonkey.com
Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Saner: composing static and dynamic analysis to validate sanitization in web applications. In: Proceedings of the 2008 IEEE Symposium on Security and Privacy, pp. 387–401. IEEE Computer Society, Washington, DC (2008)
Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)
Cao, Y., Yegneswaran, V., Porras, P., Chen, Y.: PathCutter: severing the self-propagation path of XSS JavaScript worms in social web networks. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium (2012)
Chong, S., Vikram, K., Myers, A.C.: SIF: enforcing confidentiality and integrity in web applications. In: USENIX Security Symposium (2007)
Gao, H., Chen, Y., Lee, K., Palsetia, D., Choudhary, A.: Towards online spam filtering in social networks. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium (2012)
Gao, H., Hu, J., Wilson, C., Li, Z., Chen, Y., Zhao, B.Y.: Detecting and characterizing social spam campaigns. In: Proceedings of the 10th Annual Conference on Internet Measurement, IMC 2010 (2010)
Grier, C., Thomas, K., Paxson, V., Zhang, M.: @spam: the underground on 140 characters or less. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010 (2010)
Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., Kuo, S.-Y.: Securing web application code by static analysis and runtime protection. In: WWW: Conference on World Wide Web (2004)
Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, pp. 601–610. ACM, New York (2007)
Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities (short paper). In: SP: IEEE Symposium on Security and Privacy (2006)
Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: a client-side solution for mitigating cross-site scripting attacks. In: SAC: ACM Symposium on Applied Computing (2006)
Lee, K., Caverlee, J., Webb, S.: Uncovering social spammers: social honeypots + machine learning. In: Proceedings of the 33rd International ACM SIGIR Conference on Research and Development in Information Retrieval, SIGIR 2010 (2010)
Livshits, B., Cui, W.: Spectator: detection and containment of javascript worms. In: ATC: USENIX Annual Technical Conference (2008)
Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: Proceedings of the 14th Conference on USENIX Security Symposium, vol. 14, p. 18. USENIX Association, Berkeley (2005)
Martin, M., Lam, M.S.: Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In: Proceedings of the 17th Conference on Security Symposium, pp. 31–43. USENIX Association, Berkeley (2008)
Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: Network and Distributed System Security Symposium (2009)
Sambamurthy, V., Tanniru, M. (eds.): A Renaissance of Information Technology for Sustainability and Global Competitiveness. 17th Americas Conference on Information Systems, AMCIS 2011, Detroit, Michigan, USA, August 4–8 2011. Association for Information Systems (2011)
Song, D.: Machine learning & security and privacy: Experiences and lessons. http://tsig.fujitsulabs.com/~aisec2011/Program.html
Sun, F., Xu, L., Su, Z.: Client-side detection of XSS worms by monitoring payload propagation. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 539–554. Springer, Heidelberg (2009)
Ter Louw, M., Venkatakrishnan, V.: Blueprint: precise browser-neutral prevention of cross-site scripting attacks. In: 30th IEEE Symposium on Security and Privacy (2009)
Thomas, K., Grier, C., Ma, J., Paxson, V., Song, D.: Design and evaluation of a real-time url spam filtering service. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP 2011 (2011)
Weinberg, Z., Chen, E.Y., Jayaraman, P.R., Jackson, C.: I still know what you visited last summer: leaking browsing history via user interaction and side channel attacks. In: IEEE Symposium on Security and Privacy (2011)
Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: USENIX Security Symposium (2006)
Xu, W., Zhang, F., Zhu, S.: Toward worm detection in online social networks. In: Proceedings of the 26th Annual Computer Security Applications Conference (New York, NY, USA, 2010), ACSAC 2010, pp. 11–20. ACM (2010)
Yang, C., Harkreader, R.C., Gu, G.: Die free or live hard? empirical evaluation and new design for fighting evolving twitter spammers. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 318–337. Springer, Heidelberg (2011)
Zhou, Y., Evans, D.: Why aren’t http-only cookies more widely deployed? In: W2SP: Web 2.0 Security and Privacy (2010)
Acknowledgement
This paper was made possible by NPRP grant 6-1014-2-414 from the Qatar National Research Fund (a member of Qatar Foundation). The statements made herein are solely the responsibility of the authors.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Cao, Y., Yang, C., Rastogi, V., Chen, Y., Gu, G. (2015). Abusing Browser Address Bar for Fun and Profit - An Empirical Investigation of Add-On Cross Site Scripting Attacks . In: Tian, J., Jing, J., Srivatsa, M. (eds) International Conference on Security and Privacy in Communication Networks. SecureComm 2014. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 152. Springer, Cham. https://doi.org/10.1007/978-3-319-23829-6_45
Download citation
DOI: https://doi.org/10.1007/978-3-319-23829-6_45
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23828-9
Online ISBN: 978-3-319-23829-6
eBook Packages: Computer ScienceComputer Science (R0)