PathCutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks.

Authors: Vinod Yegneswaran, Yinzhi Cao, Yan Chen, Phillip A. Porras

DOI:

Keywords:

Abstract: Worms exploiting JavaScript XSS vulnerabilities rampantly infect millions of web pages, while drawing the ire of helpless users. To date, users across all popular social networks, including Facebook, MySpace, Orkut and Twitter, have been vulnerable to worms. We propose PathCutter as a new approach to severing the self-propagation path of JavaScript worms. PathCutter works by blocking two critical steps in the propagation of an XSS worm: (i) DOM access to different views at the client side and (ii) unauthorized HTTP requests to the server. As a result, although an XSS vulnerability is successfully exercised at the client, the worm is prevented from propagating to the would-be victim's own social network page. PathCutter is effective against all current forms of XSS worms, including those that exploit traditional XSS, DOM-based XSS, and content sniffing vulnerabilities. We present and evaluate both server-side and proxy-side deployment of PathCutter. We implement PathCutter on WordPress and Elgg and demonstrate its resilience to proof-of-concept attacks. We also evaluate our implementation against five real-world worms: Boonana, MySpace Samy, Renren, SpaceFlash, and the Yamanner worm. We show that although the worms themselves exploit different vulnerabilities, either on the client or the server side, they are all thwarted by PathCutter, since it is agnostic to the vulnerability and blocks the infection path. Our performance evaluation shows that the rendering overhead is less than 4%, and the memory overhead for one additional view is 1%.
