Hristo Bojinov
Dan Boneh
ABSTRACT
We study the security of embedded web servers used in consumer electronic devices, such as security cameras and photo frames, and for IT infrastructure, such as wireless access points and lights-out management systems. All the devices we examine turn out to be vulnerable to a variety of web attacks, including cross site scripting (XSS) and cross site request forgery (CSRF). In addition, we show that consumer electronics are particularly vulnerable to a nasty form of persistent XSS where a non-web channel such as NFS or SNMP is used to inject a malicious script. This script is later used to attack an unsuspecting user who connects to the device's web server. We refer to web attacks which are mounted through a non-web channel as cross channel scripting (XCS). We propose a client-side defense against certain XCS which we implement as a browser extension.
- D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In IEEE Symposium on Security and Privacy, 2008. Google Scholar
Digital Library
- A. Barth, C. Jackson, and J. Mitchell. Robust defenses for cross-site request forgery. In proceedings of ACM CCS'08, 2008. Google ScholarDigital Library
- H. Bojinov, E. Bursztein, and D. Boneh. Embedded management interfaces: Emerging massive insecurity. BlackHat'09 http://seclab.stanford.edu/websec/embedded/, August 2009.Google Scholar
- D. Dagon, G. Gu, C. Lee, and W. Lee. A taxonomy of botnet structures. In Proceedings of the 23 Annual Computer Security Applications Conference (ACSAC), 2007.Google ScholarCross Ref
- Dell remote access controller (DRAC), 2008. http://support.dell.com/support/edocs/software/smdrac3/drac4/160/en/ug/index.htm.Google Scholar
- S. Fogie, J. Grossman, R. Hansen, A. Rager, and P. Petkov. XSS Exploits: Cross Site Scripting Attacks and Defense. Syngress, 2007. Google ScholarDigital Library
- M. Foundation. Content security policy, 2009. wiki.mozilla.org/Security/CSP/Spec.Google Scholar
- D. Grzelak. Log injection attack and defence, 2007. www.sift.com.au/assets/downloads/SIFT-Log-Injection-Intelligence-Report-v1-00. pdf.Google Scholar
- O. Hallaraker and G. Vigna. Detecting malicious javascript code in mozilla. In Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems (ICECCS), 2005. Google ScholarDigital Library
- T. L. Harris and Palm. Software update information for palm pre sprint p100eww. Web: http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html, August 2009.Google Scholar
- HP integrated lights-out (iLo), 2008. http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c00209014/c00209014.pdf.Google Scholar
- IBM remote supervisor adapter (RSA), 2008. http://www.ibm.com/support/docview.wss?uid=psg1MIGR-57091.Google Scholar
- Intel active management technology (AMT), 2008. http://software.intel.com/en-us/articles/architecture-guide-intel-/active-management-technology.Google Scholar
- C. Jackson and A. Barth. Forcehttps: Protecting high-security web sites from network attacks. In Proceedings of the 17th International World Wide Web Conference (WWW2008), 2008. Google ScholarDigital Library
- T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In in proc. of 16th International World Wide Web Conference, 2007. Google ScholarDigital Library
- N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities. In IEEE Symposium on Security and Privacy, 2006. Google ScholarDigital Library
- N. Jovanovic, C. Kruegel, and E. Kirda. Precise alias analysis for static detection of web application vulnerabilities. In Proceedings of the Workshop on Programming Languages and Analysis for Security (PLAS), 2006. Google ScholarDigital Library
- E. Kirda, C. Kruegel, G. Vigna,, and N. Jovanovic. Noxes: A client-side solution for mitigating cross-site scripting attacks. In In Proceedings of the 21st ACM Symposium on Applied Computing (SAC), Security Track, 2006. Google ScholarDigital Library
- V. T. Lam, S. Antonatos, P. Akritidis, and K. G. Anagnostakis. Puppetnets: Misusing web browsers as a distributed attack infrastructure. In Proc. CCS, 2006. Google ScholarDigital Library
- M. Mahemoff. Ajax Design Patterns, volume 978-0596101800. O'Reilly, 2006. Google ScholarDigital Library
- G. Maone. Noscript, 2006. http://noscript.net/.Google Scholar
- G. Markham. Content restrictions, 2007. www.gerv.net/security/content-restrictions/.Google Scholar
- A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In In Proceedings of the 20th IFIP International Information Security Conference, 2005.Google ScholarCross Ref
- T. Oda, G. Wurster, P. van Oorschot, and A. Somayaji. Soma: mutual approval for included content in web pages. In ACM CCS'08, pages 89--98, 2008. Google ScholarDigital Library
- T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Recent Advances in Intrusion Detection (RAID), 2005. Google ScholarDigital Library
- N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser analysis of web-based malware. In proceedings of HotBots'07, 2007. Google ScholarDigital Library
- Html purifier. http://htmlpurifier.org/.Google Scholar
- RSnake. Xss (cross site scripting) cheat sheet for filter evasion. http://ha.ckers.org/xss.html.Google Scholar
- P. Saxena and D. Song. Document structure integrity: A robust basis for cross-site scripting defense. In proceedings of NDSS'08, 2008.Google Scholar
- D. Stuttard and M. Pinto. The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. Wiley, 2007. Google ScholarDigital Library
- Twitter worm. http://www.techcrunch.com/2009/04/11/twitter-hit-by-stalkdaily-worm/.Google Scholar
- Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In In Proceedings of the USENIX Security Symposium, 2006. Google ScholarDigital Library
Index Terms
- XCS: cross channel scripting and its impact on web applications
Recommendations
Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and NetworksWeb applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Insecurity Refactoring: Automated Injection of Vulnerabilities in Source Code
AbstractInsecurity Refactoring is a change to the internal structure of software to inject a vulnerability without changing the observable behavior in a normal use case scenario. An implementation of Insecurity Refactoring is formally explained to inject ...
Constructing a "Common cross site scripting vulnerabilities enumeration (CXE)" using CWE and CVE
ICISS'07: Proceedings of the 3rd international conference on Information systems securityIt has been found that almost 70% of the recent attacks in Web Applications have been carried out even when the systems have been protected with well laid Firewalls and Intrusion Detection Systems. Advisories sites report that more than 20% of the ...
Comments