Presentation is loading. Please wait.

Presentation is loading. Please wait.

JSProxy: Safety from Javascript Benjamin Prosnitz, Tang Yi, Yinzhi Cao.

Published bySherilyn Ryan Modified over 9 years ago

Similar presentations

Presentation on theme: "JSProxy: Safety from Javascript Benjamin Prosnitz, Tang Yi, Yinzhi Cao."— Presentation transcript:

1 JSProxy: Safety from Javascript Benjamin Prosnitz, Tang Yi, Yinzhi Cao

2 Motivation Most web attacks today are performed through JavaScript ▫Vulnerabilities in the execution engine ▫Invocations of vulnerable plug-in code

3 Goals Run Javascript code remotely in a way that ▫Does not require client modification ▫Is high performance ▫Maintains original functionality Test whether the JavaScript code performs an attack Filter code when it can be done safely Future

4 Running Javascript Remotely Modify pages viewed by client ▫Replace original scripts with remote calls (AJAX) Repeat the user’s actions on the server Send changes made by scripts that should be visible to the user back to client

5 Diagram of System Web Server Proxy Proxy Interface Modification Engine Session Manager Interface Javascript Execution Engine (modified browser) Javascript Execution Engine (modified browser) User

6 Timeline of Events t Client Proxy Server Request for page Original Page Modified Page Button Pressed Button Pressed remote_call() Inject button press Changes to page Changes to page (it is really asynchronous)

7 DEMO: Page Modification Uses Mozilla Gecko engine Searches for javascript and replaces it with calls (which will eventually be remote calls) Suggest a URL to download and modify!

8 Performance of Page Modification CDF of Processing Time

9 Performance of Page Modification Strong correlation between Page Size and Processing Time

10 Performance of Page Modification Processing Time is not clearly correlated with Number of Scripts

11 Interface and Session Management Client-server interface using Javascript/AJAX and FastCGI/C++ (not being demoed today) Session manager which ▫Identifies sessions that are alive and dead ▫Redirects calls to the correct browser session ▫Closes browser sessions which have ended

12 DEMO: Executing Javascript on Proxy Browser on Proxy is Webkit-based Remote execution of Javascript code would occur when user performs an action

13 DEMO: User-Visible Change Detection Also based on Webkit Can detect approximately 8 different changes now ▫.innerHTML changes ▫alert() ▫print() ▫close() ▫…

14 Where is state (cookies,etc.) kept? On both client and proxy ▫Proxy needs it to have javascript (esp. AJAX) work as expected ▫Client needs it to submit forms, display the data, etc.

15 Future Work: Remote Execution Create session manager Finalize interface Detect and fix cases that it doesn’t work with

16 Future Work: The Filter Acquire or implement a virtual-machine based vulnerability detector Determine how to safely identify which pages to run remotely Implement a mechanism to transparently switch between remote and local page execution

17 Conclusion Work on our system is in progress and will continue next quarter Key components of the remote execution system are currently functional and work well The remainder of the remote execution system can likely be finished soon

18 Q&A?

Download ppt "JSProxy: Safety from Javascript Benjamin Prosnitz, Tang Yi, Yinzhi Cao."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
AJAX Technologies KAUNAS UNIVERSITY OF TECHNOLOGY MODULE: INFORMATION TECHNOLOGY GROUP: IF - 4/9 GROUP: VENTILIATORIAI 2014-12-02.

AJAX Technologies KAUNAS UNIVERSITY OF TECHNOLOGY MODULE: INFORMATION TECHNOLOGY GROUP: IF - 4/9 GROUP: VENTILIATORIAI
Building Applications using ASP.NET and C# / Session 1 / 1 of 21 Session 1.

Building Applications using ASP.NET and C# / Session 1 / 1 of 21 Session 1.
6/3/2015eBiquity1 Tutorial on AJAX Anubhav Kale (akale1 AT cs DOT umbc DOT edu)

6/3/2015eBiquity1 Tutorial on AJAX Anubhav Kale (akale1 AT cs DOT umbc DOT edu)
Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.

Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.
INTRODUCTION The Group WEB BROWSER FOR RELATION Goals.

INTRODUCTION The Group WEB BROWSER FOR RELATION Goals.
Cloud Computing Lecture #7 Introduction to Ajax Jimmy Lin The iSchool University of Maryland Wednesday, October 15, 2008 This work is licensed under a.

Cloud Computing Lecture #7 Introduction to Ajax Jimmy Lin The iSchool University of Maryland Wednesday, October 15, 2008 This work is licensed under a.
Multiple Tiers in Action

Multiple Tiers in Action
Architecture, Deployment Diagrams, Web Modeling Elizabeth Bigelow CS-15499C October 6, 2000.

Architecture, Deployment Diagrams, Web Modeling Elizabeth Bigelow CS-15499C October 6, 2000.
Apache Tomcat Server Typical html Request/Response cycle

Apache Tomcat Server Typical html Request/Response cycle
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Computer Science 101 Web Access to Databases Overview of Web Access to Databases.

Computer Science 101 Web Access to Databases Overview of Web Access to Databases.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Client/Server Architectures

Client/Server Architectures
Agenda What is AJAX? What is jQuery? Demonstration/Tutorial Resources Q&A.

Agenda What is AJAX? What is jQuery? Demonstration/Tutorial Resources Q&A.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 13 Slide 1 Application architectures.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 13 Slide 1 Application architectures.

Similar presentations

Ads by Google