On JavaScript Malware and related threats

Web page based attacks revisited

  • Original Paper
Journal in Computer Virology

Abstract

The term JavaScript Malware describes attacks that abuse the web browser’s capabilities to execute malicious script code within the victim’s local execution context. Unlike related attacks, JavaScript Malware does not rely on security vulnerabilities in the web browser’s code; it uses only means that are legitimate under the applicable specification documents. Such attacks can invade the user’s privacy, explore and exploit the LAN, or use the victimized browser as an attack proxy. This paper documents the state of the art concerning this class of attacks, sums up relevant protection approaches, and provides directions for future research.

Author information

Correspondence to Martin Johns.

Additional information

This work was supported by the German Ministry of Economics (BMWi) as part of the project “secologic”, http://www.secologic.org.

About this article

Cite this article

Johns, M. On JavaScript Malware and related threats. J Comput Virol 4, 161–178 (2008). https://doi.org/10.1007/s11416-007-0076-7

  • DOI: https://doi.org/10.1007/s11416-007-0076-7
