Protecting the Augmented Browser Extension from Mutation Cross-Site Scripting

Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 379)

Abstract

Browser extensions have a great role in bringing changes to the web browser behavior and improving browser performance. However, nowadays, many browser extensions fail to meet the security requirements. Due to this, they become a medium for various attackers to steal the credential information of the users. The proposal in this paper makes a pitch for the protection of an augmented browser extension against mutation-based cross-site scripting attack. A method is introduced for hardening the browser extension script along with dead code injection. A mutation-based cross-site scripting identifier to identify the attacks that affect the extensions is also discussed in this paper. These methods will protect browser extensions from various malicious script injection attacks.

Keywords

Augmented browser Mutation cross-site scripting Dead code injection 

References

  1. 1.
    Guarnieri, S., Pistoia, M., Tripp, O., Dolby, J., Teilhet, S., Berg, R.: Saving the world wide web from vulnerable javascript. In: Proceedings of the 2011 International Symposium on Software Testing and Analysis, pp. 177–187. ACM (2011)Google Scholar
  2. 2.
    Sundareswaran, S., Squicciarini, A.C.: Xss-dec: A hybrid solution to mitigate cross-site scripting attacks. In: Data and Applications Security and Privacy XXVI, pp. 223–238. Springer (2012)Google Scholar
  3. 3.
    Heiderich, M., Schwenk, J., Frosch, T., Magazinius, J., Yang, E.Z.: mxss attacks: Attacking well-secured web-applications by using innerhtml mutations. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 777–788. ACM (2013)Google Scholar
  4. 4.
    Van Acker, S., Nikiforakis, N., Desmet, L., Piessens, F., Joosen, W.: Monkey-in-the-browser: malware and vulnerabilities in augmented browsing script markets. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 525–530. ACM (2014)Google Scholar
  5. 5.
    Magazinius, J., Hedin, D., Sabelfeld, A.: Architectures for inlining security monitors in web applications. In: Engineering Secure Software and Systems, pp. 141–160. Springer (2014)Google Scholar
  6. 6.
    Manico, J.: Xss filter evasion cheat sheet. https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet
  7. 7.
    Wang, Y.H., Mao, C.H., Lee, H.M.: Structural learning of attack vectors for generating mutated xss attacks (2010)Google Scholar
  8. 8.
    Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: Jsflow: tracking information flow in javascript and its apis. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1663–1671. ACM (2014)Google Scholar
  9. 9.
    Athanasopoulos, E., Pappas, V., Krithinakis, A., Ligouras, S., Markatos, E.P., Karagiannis, T.: xjs: practical xss prevention for web application development. In: Proceedings of the 2010 USENIX Conference on Web Application Development, pp. 13–13. USENIX Association (2010)Google Scholar
  10. 10.
    Zalewski, M.: Vega vulnerability scanner. https://subgraph.com/vega/documentation/index.en.html
  11. 11.
    NIST: National vulnerability database. https://nvd.nist.gov/CVSS-v2-Calculator?vector
  12. 12.
    Barua, A., Zulkernine, M., Weldemariam, K.: Protecting web browser extensions from javascript injection attacks. In: 2013 18th International Conference on Engineering of Complex Computer Systems (ICECCS), pp. 188–197. IEEE (2013)Google Scholar
  13. 13.
    Schneider, J.: The extrasolar planets encyclopaedia. http://exoplanet.eu/catalog.php

Copyright information

© Springer India 2016

Authors and Affiliations

  1. 1.TIFAC CORE in Cyber SecurityAmrita Vishwa VidyapeethamCoimbatoreIndia

Personalised recommendations