
Mitigating Cross-Site Form History Spamming Attacks with Domain-Based Ranking

  • Chuan Yue
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6739)

Abstract

Modern Web browsers often provide a very useful form autocomplete feature to help users conveniently speed up their form filling process. However, browsers are generally too permissive in both saving form history data and suggesting it to users. Attackers can take advantage of this permissiveness and use malicious webpages to inject a large amount of junk or spam data into the form history database of a browser, performing invasive advertising or simply making this useful form autocomplete feature almost useless to users. In this paper, we illustrate that this type of cross-site form history spamming attack is feasible at least on the recent versions of the Mozilla Firefox and Google Chrome browsers. We inspect the autocomplete feature implementations in the open source Firefox and Chromium browsers to analyze how basic and advanced cross-site form history spamming attacks can succeed. Browser vendors are apparently taking active measures to protect against these attacks, but we explore a different approach and propose a domain-based ranking mechanism to address the problem. Our mechanism is simple, transparent to users, and easily adoptable by different browsers to complement their existing protection mechanisms. We have implemented this mechanism in Firefox 3 and verified its effectiveness. We make our Firefox 3 build available for download and verification.

Keywords

Form Data; Form History; History Database; Form Submission; Modern Browser
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Chuan Yue (1)
  1. Department of Computer Science, University of Colorado at Colorado Springs, Colorado Springs, USA
