Abstract
This paper considers exploiting browsers to attack Web servers. We demonstrate the generation of HTTP traffic to third-party domains without the user's knowledge, which can be used, e.g., for Denial of Service attacks.
Our attack is possible primarily because Cross-Origin Resource Sharing does not restrict WebSocket communication. We show an HTTP-based DoS attack with a proof-of-concept implementation, analyse its impact against Apache and Nginx, and compare the effectiveness of our attack to two common attack tools.
In the course of our work we identified two new vulnerabilities in Chrome and Safari, browsers that together account for two thirds of all browsers in use, which turn these browsers into attack tools comparable to known DoS applications such as LOIC.
© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Rodriguez, J.D.P., Posegga, J. (2015). Why Web Servers Should Fear Their Clients. In: Thuraisingham, B., Wang, X., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham. https://doi.org/10.1007/978-3-319-28865-9_22
DOI: https://doi.org/10.1007/978-3-319-28865-9_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-28864-2
Online ISBN: 978-3-319-28865-9