DEMACRO: Defense against Malicious Cross-Domain Requests

Authors: Sebastian Lekies, Nick Nikiforakis, Walter Tighzert, Frank Piessens, Martin Johns

DOI: 10.1007/978-3-642-33338-5_13


Abstract: In the constant evolution of the Web, the simple always gives way to the more complex. Static webpages with click-through dialogues are becoming obsolete, and in their place, asynchronous JavaScript requests, Web mash-ups and proprietary plug-ins with the ability to conduct cross-domain requests shape the modern user experience. Three recent studies showed that a significant number of Web applications implement poor cross-domain policies, allowing malicious domains to embed Flash and Silverlight applets which can conduct arbitrary requests to these applications under the identity of the visiting user. In this paper, we confirm the findings of the aforementioned studies and design DEMACRO, a client-side defense mechanism that detects potentially malicious cross-domain requests and de-authenticates them by removing existing session credentials. Our system requires no training or user interaction and imposes minimal performance overhead on the user's browser.
