International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I

Research Article

Abusing Browser Address Bar for Fun and Profit

Download
428 downloads
  • @INPROCEEDINGS{10.1007/978-3-319-23829-6_45,
        author={Yinzhi Cao and Chao Yang and Vaibhav Rastogi and Yan Chen and Guofei Gu},
        title={Abusing Browser Address Bar for Fun and Profit 
        },
        proceedings={International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I},
        proceedings_a={SECURECOMM},
        year={2015},
        month={11},
        keywords={Browser address bar Add-on cross-site scripting User study},
        doi={10.1007/978-3-319-23829-6_45}
    }
    
  • Yinzhi Cao
    Chao Yang
    Vaibhav Rastogi
    Yan Chen
    Guofei Gu
    Year: 2015
    Abusing Browser Address Bar for Fun and Profit
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-23829-6_45
Yinzhi Cao1,*, Chao Yang2,*, Vaibhav Rastogi1,*, Yan Chen1,*, Guofei Gu2,*
  • 1: Northwestern University
  • 2: Texas A&M University
*Contact email: yinzhicao2013@u.northwestern.edu, yangchao0925@gmail.com, vrastogi@u.northwestern.edu, ychen@northwestern.edu, guofei@cs.tamu.edu

Abstract

Add-on JavaScript originating from users’ inputs to the browser brings new functionalities such as debugging and entertainment, however it also leads to a new type of cross-site scripting attack (defined as add-on XSS by us), which consists of two parts: a snippet of JavaScript in clear text, and a spamming sentence enticing benign users to input the previous JavaScript. In this paper, we focus on the most common add-on XSS, the one caused by browser address bar JavaScript. To measure the severity, we conduct three experiments: () analysis on real-world traces from two large social networks, () a user study by means of recruiting Amazon Mechanical Turks [4], and () a Facebook experiment with a fake account. We believe as the first systematic and scientific study, our paper can ring a bell for all the browser vendors and shed a light for future researchers to find an appropriate solution for add-on XSS.