International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I

Research Article

Abusing Browser Address Bar for Fun and Profit

  • @INPROCEEDINGS{10.1007/978-3-319-23829-6_45,
        author={Yinzhi Cao and Chao Yang and Vaibhav Rastogi and Yan Chen and Guofei Gu},
        title={Abusing Browser Address Bar for Fun and Profit},
        proceedings={International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I},
        proceedings_a={SECURECOMM},
        year={2015},
        month={11},
        keywords={Browser address bar, Add-on cross-site scripting, User study},
        doi={10.1007/978-3-319-23829-6_45}
    }

  • Yinzhi Cao
    Chao Yang
    Vaibhav Rastogi
    Yan Chen
    Guofei Gu
    Year: 2015
    Abusing Browser Address Bar for Fun and Profit
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-23829-6_45
Yinzhi Cao1,*, Chao Yang2,*, Vaibhav Rastogi1,*, Yan Chen1,*, Guofei Gu2,*
  • 1: Northwestern University
  • 2: Texas A&M University
*Contact email: yinzhicao2013@u.northwestern.edu, yangchao0925@gmail.com, vrastogi@u.northwestern.edu, ychen@northwestern.edu, guofei@cs.tamu.edu

Abstract

Add-on JavaScript originating from users' inputs to the browser brings new functionalities such as debugging and entertainment; however, it also leads to a new type of cross-site scripting attack (which we define as add-on XSS), consisting of two parts: a snippet of JavaScript in clear text, and a spamming sentence enticing benign users to input that JavaScript. In this paper, we focus on the most common add-on XSS, the one caused by browser address bar JavaScript. To measure its severity, we conduct three experiments: (i) an analysis of real-world traces from two large social networks, (ii) a user study conducted by recruiting Amazon Mechanical Turk workers [4], and (iii) a Facebook experiment with a fake account. We believe that, as the first systematic and scientific study, our paper can ring a bell for all the browser vendors and shed light for future researchers to find an appropriate solution for add-on XSS.