Abstract
In the constant evolution of the Web, the simple always gives way to the more complex. Static webpages with click-through dialogues are becoming more and more obsolete and in their place, asynchronous JavaScript requests, Web mash-ups and proprietary plug-ins with the ability to conduct cross-domain requests shape the modern user experience. Three recent studies showed that a significant number of Web applications implement poor cross-domain policies allowing malicious domains to embed Flash and Silverlight applets which can conduct arbitrary requests to these Web applications under the identity of the visiting user. In this paper, we confirm the findings of the aforementioned studies and we design DEMACRO, a client-side defense mechanism which detects potentially malicious cross-domain requests and de-authenticates them by removing existing session credentials. Our system requires no training or user interaction and imposes minimal performance overhead on the user's browser.
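The abstract describes two ingredients: a cross-domain policy that is too permissive, and a client-side component that strips session credentials from requests it considers potentially malicious. The following Python script is an added illustration of that idea and is not code from the DEMACRO paper or its authors. It parses an Adobe Flash crossdomain.xml policy (the `<allow-access-from domain="…">` element format is the Adobe policy-file specification), classifies a request by whether the applet's host is granted access exactly, by suffix, or only through a wildcard, and removes session cookies from a request that is permitted solely by a wildcard grant. The two sample policies, the session-cookie name list and the "wildcard means de-authenticate" rule are all assumptions made for this example; the paper's own detection logic is not reproduced here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policies for this example; not taken from any real site.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
  <allow-access-from domain="*.partner.example" secure="true"/>
</cross-domain-policy>"""

# Assumed names of session cookies (hypothetical list; a deployment would extend it).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid"}


def parse_allowed_domains(policy_xml):
    """Return the domain patterns granted by <allow-access-from> elements."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy document")
    return [elem.get("domain", "") for elem in root.findall("allow-access-from")]


def domain_matches(pattern, host):
    """Match a policy pattern ('*', '*.suffix' or an exact host name) against a host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def classify_request(source_url, target_url, policy_xml):
    """Classify a request from an applet loaded at source_url to target_url, given
    the target's policy: 'same-origin', 'denied', 'allowed' or 'wildcard'."""
    src_host = (urlsplit(source_url).hostname or "").lower()
    dst_host = (urlsplit(target_url).hostname or "").lower()
    if src_host == dst_host:
        return "same-origin"
    for pattern in parse_allowed_domains(policy_xml):
        if domain_matches(pattern, src_host):
            return "wildcard" if pattern == "*" else "allowed"
    return "denied"


def strip_session_credentials(headers):
    """Return a copy of the request headers with session cookies removed."""
    result = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    cookie_header = next((v for k, v in headers.items() if k.lower() == "cookie"), None)
    if cookie_header is None:
        return result
    kept = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name = part.split("=", 1)[0].strip()
        if name.lower() not in SESSION_COOKIE_NAMES:
            kept.append(part)
    if kept:  # drop the Cookie header entirely if nothing non-session remains
        result["Cookie"] = "; ".join(kept)
    return result


def filter_request(source_url, target_url, policy_xml, headers):
    """Decide whether to forward the request with or without session cookies."""
    verdict = classify_request(source_url, target_url, policy_xml)
    # Assumed rule: a request permitted only through a wildcard grant could have
    # been issued by an applet embedded on any site, so it goes out de-authenticated.
    if verdict == "wildcard":
        return verdict, strip_session_credentials(headers)
    return verdict, dict(headers)


if __name__ == "__main__":
    print(filter_request("http://attacker.example/evil.swf", "https://victim.example/api",
                         PERMISSIVE_POLICY, {"Cookie": "PHPSESSID=abc123; theme=dark"}))
```

The same request against RESTRICTIVE_POLICY returns "denied", which the Flash runtime would already refuse; the interesting case for a client-side defense is the wildcard grant, where the policy itself cannot distinguish an intended embedding from a hostile one, so the credentials are what get removed.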
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Lekies, S., Nikiforakis, N., Tighzert, W., Piessens, F., Johns, M. (2012). DEMACRO: Defense against Malicious Cross-Domain Requests. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_13
DOI: https://doi.org/10.1007/978-3-642-33338-5_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33337-8
Online ISBN: 978-3-642-33338-5