Presentation is loading. Please wait.

Presentation is loading. Please wait.

ABUSING BROWSER ADDRESS BAR FOR FUN AND PROFIT - AN EMPIRICAL INVESTIGATION OF ADD-ON CROSS SITE SCRIPTING ATTACKS Presenter: Jialong Zhang.

Published byMargaret Booker Modified over 9 years ago

Similar presentations

Presentation on theme: "ABUSING BROWSER ADDRESS BAR FOR FUN AND PROFIT - AN EMPIRICAL INVESTIGATION OF ADD-ON CROSS SITE SCRIPTING ATTACKS Presenter: Jialong Zhang."— Presentation transcript:

1 ABUSING BROWSER ADDRESS BAR FOR FUN AND PROFIT - AN EMPIRICAL INVESTIGATION OF ADD-ON CROSS SITE SCRIPTING ATTACKS Presenter: Jialong Zhang

2 Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

3 Introduction  Add-on Cross Site Scripting (XSS) Attacks  A sentence using social engineering techniques  Javascript:codes  For Example, on April 25, 2013, over 70,000 people have been affected by one such Add-on XSS attack on tieba.baidu.com.

4 Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

5 Background

6 A Motivating Example

7 Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

8 Expriments  Experiment One: Measuring Real-world Attacks  Experiment Two: User Study Using Amazon Mechanical Turks  Experiment Three: A Fake Facebook Account Test

9 Experiment One  Data Set:  Facebook: 187 million wall posts generated by roughly 3.5 million users  Twitter: 485,721 Twitter accounts with 14,401,157 tweets  Results  Facebook  Twitter CategoryDescription# of distinct samples Malicious BehaviorRedirecting to malicious sites Redirecting to malicious videos 40 3 Mischievous Tricks Sending invitations to friends Keep popping up windows Alert some words 212212 Benign BehaviorZooming images Letting images fly Discussion among technicians 442442 Total58 CategoryDescription# of distinct samples Malicious BehaviorRedirecting to malicious sites Including malicious JavaScript 2525 Benign BehaviorChanging Background Color Altering Textbox Color 1111 Total9

10 Experiment One – Discussion  Beyond Attacks in the Wild:  More Severe Damages Stealing confidential information Session fixation attacks Browser Address Bar Worms  More Technique to Increase Compromising Rate Trojan – Combining with Normal Functionality Obfuscating JavaScript Code  So we have experiment two.

11 Roadmap  Introduction  Background and Motivation  Experiments  Experiment One  Experiment Two  Experiment Three  Discussion  Related Work  Conclusion

12 Experiment Two  Methodology  Survey format Consent form Demographic survey Survey questions  Comparative survey changing one parameter but fixing others  Question sequence randomization  Platform: Amazon Mechanical Turk

13 Experiment Two  Results  Percentage of Deceived People According to Different Factors  Percentage of Deceived People According to Age  Percentage of Deceived People According to Different Spamming Categories  Percentage of Deceived People According to Programming Experiences  Percentage of Deceived People According to Years of Using Computers FactorWithout the factorWith the factor Obfuscated URL29.4%38.4% Lengthy JavaScript38.4%40.4% Combining with Benign Behavior 37.1%40.0% Typing “JavaScript:” and then Pasting Contents 38.2%20.3%

14 Experiment Two  Results  Percentage of Deceived People According to Age  Percentage of Deceived People According to Different Spamming Categories  Percentage of Deceived People According to Programming Experiences  Percentage of Deceived People According to Years of Using Computers AgeRate Age <= 2445.7% 25 < Age <= 3039.8% 30 < Age <= 4034.4% Age > 4014.0%

15 Experiment Two  Results  Percentage of Deceived People According to Different Spamming Categories  Percentage of Deceived People According to Programming Experiences  Percentage of Deceived People According to Years of Using Computers CategoryRate Magic (like flying images)38.4% Porn (like sexy girl)36.3% Family issue (like a wedding photo) 52.7% Free ticket29.2%

16 Experiment Two  Results  Percentage of Deceived People According to Programming Experiences  Percentage of Deceived People According to Years of Using Computers Programming ExperienceRate No38.4% Yes, but only a few times36.3% Yes52.7%

17 Experiment Two  Results  Percentage of Deceived People According to Years of Using Computers Years of Using ComputersRate < 5 years56.7% 5 – 10 years41.1% 10 – 15 years28.0% 15 – 20 years24.3%

18 Roadmap  Introduction  Background and Motivation  Experiments  Experiment One  Experiment Two  Experiment Three  Discussion  Related Work  Conclusion

19 Experiment Three  Experiment setup  A fake female account on Facebook using a university email address.  By sending random invitations, the account gains 123 valid friends.  Experiment Execution  We post an add-on XSS sample. Description: a wedding photo JavaScript: show a wedding photo and send an request to a university web server  Result 4.9% deception rate.

20 Experiment Three  Comparing with experiment two – why is the rate much lower than the one in experiment two?  Not everyone has seen the status message.  The account is fake and thus no one knows this person.

21 Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

22 Discussion  The motives of the participants  We state in the beginning that we will pay those participants no matter what their answers are.  Can we just disable address bar JavaScript?  There are some benign usages.  Ethics issue  No participant is actually being attacked.  We inform the participants after our survey.

23 Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

24 Related Work  Human Censorship  Slow  Disabling Address Bar JavaScript  Dis-function of existing programs  Removing the keyword – “JavaScript”  Problem still exists (a user can input himself)  Defense on OSN Spam  High False Negative Rate

25 Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

26 Conclusion  Add-on XSS combines social engineering and cross- site scripting.  We perform three experiments:  Real-world Experiment  Experiment using Amazon Mechanical Turks  Fake Facebook Account Experiment  Researchers and browser vendors should take actions to fight against add-on XSS attacks.

27 Thanks! Questions?

Download ppt "ABUSING BROWSER ADDRESS BAR FOR FUN AND PROFIT - AN EMPIRICAL INVESTIGATION OF ADD-ON CROSS SITE SCRIPTING ATTACKS Presenter: Jialong Zhang."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.

Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.

Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.
PHISHING By, Himanshu Mishra Parrag Mehta. OUTLINE What is Phishing ? Phishing Techniques Message Delivery Effects of Phishing Anti-Phishing Techniques.

PHISHING By, Himanshu Mishra Parrag Mehta. OUTLINE What is Phishing ? Phishing Techniques Message Delivery Effects of Phishing Anti-Phishing Techniques.
Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,
Web-Based Attacks: Offense Wild Wild West Bob, Jeff, and Junia.

Web-Based Attacks: Offense Wild Wild West Bob, Jeff, and Junia.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
How naïve are people on Internet Final, June 1st.

How naïve are people on Internet Final, June 1st.
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.

Similar presentations

Ads by Google