ABSTRACT
Most of the recent work on Web security focuses on preventing attacks that directly harm the browser's host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation and reconnaissance scans. We show that, depending mostly on the popularity of a malicious Web site and user browsing patterns, attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure