Abstract
Browser extensions have a great role in bringing changes to the web browser behavior and improving browser performance. However, nowadays, many browser extensions fail to meet the security requirements. Due to this, they become a medium for various attackers to steal the credential information of the users. The proposal in this paper makes a pitch for the protection of an augmented browser extension against mutation-based cross-site scripting attack. A method is introduced for hardening the browser extension script along with dead code injection. A mutation-based cross-site scripting identifier to identify the attacks that affect the extensions is also discussed in this paper. These methods will protect browser extensions from various malicious script injection attacks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Guarnieri, S., Pistoia, M., Tripp, O., Dolby, J., Teilhet, S., Berg, R.: Saving the world wide web from vulnerable javascript. In: Proceedings of the 2011 International Symposium on Software Testing and Analysis, pp. 177–187. ACM (2011)
Sundareswaran, S., Squicciarini, A.C.: Xss-dec: A hybrid solution to mitigate cross-site scripting attacks. In: Data and Applications Security and Privacy XXVI, pp. 223–238. Springer (2012)
Heiderich, M., Schwenk, J., Frosch, T., Magazinius, J., Yang, E.Z.: mxss attacks: Attacking well-secured web-applications by using innerhtml mutations. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 777–788. ACM (2013)
Van Acker, S., Nikiforakis, N., Desmet, L., Piessens, F., Joosen, W.: Monkey-in-the-browser: malware and vulnerabilities in augmented browsing script markets. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 525–530. ACM (2014)
Magazinius, J., Hedin, D., Sabelfeld, A.: Architectures for inlining security monitors in web applications. In: Engineering Secure Software and Systems, pp. 141–160. Springer (2014)
Manico, J.: Xss filter evasion cheat sheet. https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet
Wang, Y.H., Mao, C.H., Lee, H.M.: Structural learning of attack vectors for generating mutated xss attacks (2010)
Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: Jsflow: tracking information flow in javascript and its apis. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1663–1671. ACM (2014)
Athanasopoulos, E., Pappas, V., Krithinakis, A., Ligouras, S., Markatos, E.P., Karagiannis, T.: xjs: practical xss prevention for web application development. In: Proceedings of the 2010 USENIX Conference on Web Application Development, pp. 13–13. USENIX Association (2010)
Zalewski, M.: Vega vulnerability scanner. https://subgraph.com/vega/documentation/index.en.html
NIST: National vulnerability database. https://nvd.nist.gov/CVSS-v2-Calculator?vector
Barua, A., Zulkernine, M., Weldemariam, K.: Protecting web browser extensions from javascript injection attacks. In: 2013 18th International Conference on Engineering of Complex Computer Systems (ICECCS), pp. 188–197. IEEE (2013)
Schneider, J.: The extrasolar planets encyclopaedia. http://exoplanet.eu/catalog.php
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer India
About this paper
Cite this paper
Remya, S., Praveen, K. (2016). Protecting the Augmented Browser Extension from Mutation Cross-Site Scripting. In: Satapathy, S., Raju, K., Mandal, J., Bhateja, V. (eds) Proceedings of the Second International Conference on Computer and Communication Technologies. Advances in Intelligent Systems and Computing, vol 379. Springer, New Delhi. https://doi.org/10.1007/978-81-322-2517-1_22
Download citation
DOI: https://doi.org/10.1007/978-81-322-2517-1_22
Published:
Publisher Name: Springer, New Delhi
Print ISBN: 978-81-322-2516-4
Online ISBN: 978-81-322-2517-1
eBook Packages: EngineeringEngineering (R0)