Proceedings Article, DOI: 10.1109/ICECCS.2013.36
Protecting Web Browser Extensions from JavaScript Injection Attacks
Anton Barua, Mohammad Zulkernine, Komminist Weldemariam
- 17 Jul 2013
- pp 188-197
TL;DR: A runtime protection mechanism, based on a code randomization technique coupled with a static analysis technique, protects browser extensions from JavaScript injection attacks; the protection is enforced at runtime by distinguishing malicious code from the randomized extension code.
Abstract: Vulnerable web browser extensions can be used by an attacker to steal users' credentials and lure users into leaking sensitive information to unauthorized parties. Current browser security models and existing JavaScript security solutions are inadequate for preventing JavaScript injection attacks that can exploit such vulnerable extensions. In this paper, we present a runtime protection mechanism based on a code randomization technique coupled with a static analysis technique to protect browser extensions from JavaScript injection attacks. The protection is enforced at runtime by distinguishing malicious code from the randomized extension code. We implemented our protection mechanism for the Mozilla Firefox browser and evaluated it on a set of vulnerable and non-vulnerable Firefox extensions. The evaluation results indicate that our approach can be a viable solution for preventing attacks on JavaScript-based browser extensions. In designing and implementing our approach, we were also able to reduce false positives and achieve maximum backward compatibility with existing extensions.
Citations
May I? - Content Security Policy Endorsement for Browser Extensions
Daniel Hausknecht, Jonas Magazinius, Andrei Sabelfeld
- 09 Jul 2015
TL;DR: A large-scale empirical study of all free extensions from Google's Chrome web store uncovers three classes of vulnerabilities arising from the tension between the power of extensions and CSP intended by web pages: third party code inclusion, enabling XSS, and user profiling.
A Combined Static and Dynamic Analysis Approach to Detect Malicious Browser Extensions
TL;DR: This paper proposes a machine-learning-based approach to detect malicious extensions, applies static and dynamic techniques to analyse an extension and extract features, and develops detection models based on machine-learning techniques.
Hardening the security analysis of browser extensions
Benjamin Eriksson, Pablo Picazo-Sanchez, Andrei Sabelfeld
- 25 Apr 2022
TL;DR: This study reveals novel password stealing, traffic stealing, and inter-extension attacks and suggests several avenues for the countermeasures against the uncovered attacks, ranging from refining the permission model to mitigating the attacks by declarations in manifest files.
Patent
Modifying web page code to include code to protect output
Ming Sum Sam Ng, Alvaro Munoz, Oleksandr Mirosh
- 10 Apr 2015
TL;DR: In this paper, a runtime agent is used to modify code of a web page to inject code to protect output of the web page, and the process can be executed using the modified code to generate a modified web page.
Malicious JavaScript Detection by Features Extraction
TL;DR: A method for detecting malicious JavaScript code based on five features that capture different characteristics of a script: execution time, external referenced domains and calls to JavaScript functions, which suggests that a combination of these features is able to successfully detect malicious JS code.
References
Points-to analysis in almost linear time
Bjarne Steensgaard
- 01 Jan 1996
TL;DR: This is the asymptotically fastest non-trivial interprocedural points-to analysis algorithm yet described and is based on a non-standard type system for describing a universally valid storage shape graph for a program in linear space.
Countering code-injection attacks with instruction-set randomization
Gaurav S. Kc, Angelos D. Keromytis, Vassilis Prevelakis
- 27 Oct 2003
TL;DR: A new, general approach for safeguarding systems against any type of code-injection attack, by creating process-specific randomized instruction sets of the system executing potentially vulnerable software that can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.
Cloning-based context-sensitive pointer alias analysis using binary decision diagrams
John Whaley, Monica S. Lam
- 09 Jun 2004
TL;DR: This paper presents the first scalable context-sensitive, inclusion-based pointer alias analysis for Java programs, and develops a system called bddbddb that automatically translates Datalog programs into highly efficient BDD implementations.
SQLrand: Preventing SQL Injection Attacks
Stephen W. Boyd, Angelos D. Keromytis
- 08 Jun 2004
TL;DR: This work applies the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker, and shows how to use this technique with the MySQL database using an intermediary proxy that translates the random SQL to its standard language.
Randomized instruction set emulation to disrupt binary code injection attacks
Elena Gabriela Barrantes, David H. Ackley, Stephanie Forrest, Trek S. Palmer, Darko Stefanovic, Dino Dai Zovi
- 27 Oct 2003
TL;DR: RISE as discussed by the authors is a randomized instruction set emulator based on the open-source Valgrind x86-to-x86 binary translator, which is designed to resist binary code injection attacks.