Abstract
The iframe is a web primitive frequently used by web developers to integrate content from third parties. It is also extensively used by web attackers to distribute malicious content after compromising vulnerable sites. Previous work focused on page-level detection, which is insufficient for detecting iframe-specific injection. We therefore conducted a comprehensive study of how iframes are included by websites across the Internet in order to identify the gap between malicious and benign inclusions. By studying the online and offline inclusion patterns of the Alexa top 1M sites, we found that benign inclusion is usually regulated. Driven by this observation, we developed a tag-level detection system named FrameHanger, which aims to detect the injection of malicious iframes in both the online and the offline case. Unlike previous work, our system brings the detection granularity down to the tag level for the first time without relying on any reference copy of the page. The evaluation results show that FrameHanger achieves this goal with high accuracy.
Notes
- 1.
- 2. Only iframes with a src attribute are considered in the measurement study.
- 3. The update of src might be triggered by a user's action, such as moving the mouse. User actions are not simulated by our system, so the update might be missed.
- 4.
- 5. User-agent strings extracted from http://useragentstring.com/.
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Tian, K., Li, Z., Bowers, K.D., Yao, D. (2018). FrameHanger: Evaluating and Classifying Iframe Injection at Large Scale. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 255. Springer, Cham. https://doi.org/10.1007/978-3-030-01704-0_17
DOI: https://doi.org/10.1007/978-3-030-01704-0_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01703-3
Online ISBN: 978-3-030-01704-0
eBook Packages: Computer Science (R0)