

Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, Saher Esmeir
2007 ACM Transactions on the Web  
Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield [43].  ...  We have built and evaluated BrowserShield, a system that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized run-time actions like vulnerability-driven filtering  ...  A Motivating Example As a motivating example of vulnerability-driven filtering, we consider MS04-040: the HTML Elements Vulnerability [Figure 2: JavaScript code snippet to identify exploits of the  ... 
doi:10.1145/1281480.1281481 fatcat:343pcvsna5hhpbep4sbreqqhgy
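The BrowserShield idea in the entry above is that a static filter on inbound HTML is not enough, because a script can assemble the exploit at run time (via setAttribute, innerHTML or document.write), so scripts are rewritten to route DOM writes through a checked interposition layer where a vulnerability-specific policy runs. The following is an added example written for this listing, not code from the BrowserShield paper or from Microsoft: a toy policy for MS04-040 (Internet Explorer's mishandling of over-long SRC and NAME attributes on IFRAME, FRAME and EMBED elements), applied both statically to markup and dynamically through an interposition object. The 256-byte limit, the `__bs` runtime name, the regex-based rewriter and the fake DOM element are assumptions for illustration; the paper uses a full JavaScript parser for rewriting.

```javascript
'use strict';
// Added example (not the BrowserShield paper's code). A vulnerability-driven
// filter for MS04-040 in BrowserShield style: one policy, enforced on static
// markup and on DOM writes made by rewritten scripts at run time.
// Assumptions: the 256-byte limit, the `__bs` runtime object name, the
// regex rewriter and the fake element used to run outside a browser.

const SRC_NAME_LIMIT = 256;                       // assumed threshold
const RISKY_TAGS = new Set(['iframe', 'frame', 'embed']);
const RISKY_ATTRS = new Set(['src', 'name']);

// Policy check: is writing `value` into attribute `attr` of a `tag` element safe?
function allowAttribute(tag, attr, value) {
  if (!RISKY_TAGS.has(String(tag).toLowerCase())) return true;
  if (!RISKY_ATTRS.has(String(attr).toLowerCase())) return true;
  return String(value).length <= SRC_NAME_LIMIT;
}

// Static pass over an HTML string: elements that violate the policy are
// replaced by a comment. Returns the filtered markup and a log of what was cut.
function filterHtml(html) {
  const tagRe = /<\s*([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z][a-zA-Z0-9:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const blocked = [];
  const filtered = html.replace(tagRe, (whole, tag, attrs) => {
    if (!RISKY_TAGS.has(tag.toLowerCase())) return whole;
    let bad = false;
    for (const m of attrs.matchAll(attrRe)) {
      const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
      if (!allowAttribute(tag, m[1], value)) {
        bad = true;
        blocked.push({ tag: tag.toLowerCase(), attr: m[1].toLowerCase(), length: value.length });
      }
    }
    return bad ? `<!-- element removed by policy: ${tag.toLowerCase()} -->` : whole;
  });
  return { html: filtered, blocked };
}

// Run-time interposition layer. Rewritten scripts call these instead of the
// raw DOM API, so content generated dynamically is subject to the same policy.
const __bs = {
  violations: [],
  setAttribute(el, name, value) {
    if (!allowAttribute(el.tagName, name, value)) {
      this.violations.push({ tag: el.tagName.toLowerCase(), attr: name, length: String(value).length });
      return;                                     // drop the offending write
    }
    el.setAttribute(name, value);
  },
  setInnerHTML(el, html) {
    const { html: safe, blocked } = filterHtml(String(html));
    this.violations.push(...blocked);
    el.innerHTML = safe;
  },
};

// Script rewriter: a regex stand-in for a real parser, covering only
// `x.setAttribute(...)` calls and `x.innerHTML = ...;` assignments.
function rewriteScript(src) {
  return src
    .replace(/\b([A-Za-z_$][\w$.]*)\.setAttribute\(/g, '__bs.setAttribute($1, ')
    .replace(/\b([A-Za-z_$][\w$.]*)\.innerHTML\s*=\s*([^;]+);/g, '__bs.setInnerHTML($1, $2);');
}

// Minimal fake element so the example runs under Node without a DOM.
function makeElement(tag) {
  return {
    tagName: tag.toUpperCase(),
    attrs: {},
    innerHTML: '',
    setAttribute(name, value) { this.attrs[name] = value; },
  };
}

module.exports = { allowAttribute, filterHtml, __bs, rewriteScript, makeElement };
```

The static pass alone would miss a page that builds the oversized attribute with `'A'.repeat(n)` inside a script; the rewriter turns that script's `el.setAttribute(...)` into `__bs.setAttribute(el, ...)`, so the same `allowAttribute` check runs at the moment of the write. A production version needs a real parser (the regex rewriter does not handle computed receivers, aliasing of `setAttribute`, or `document.write`) and a closed set of DOM entry points.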


Yinzhi Cao, Xiang Pan, Yan Chen, Jianwei Zhuge
2014 Proceedings of the 30th Annual Computer Security Applications Conference on - ACSAC '14  
However, anomaly-based approaches are vulnerable to data pollution, and existing vulnerability-based approaches cannot accurately describe the vulnerability condition of all the drive-by download attacks  ...  Drive-by download attacks, which exploit vulnerabilities of web browsers to control client computers, have become a major venue for attackers.  ...  Their detection scope is limited because the vulnerability condition might not be triggered in their specific detection environment.  ... 
doi:10.1145/2664243.2664256 dblp:conf/acsac/CaoPCZ14 fatcat:gnwctoedrzavtpvyh62ocmvl3a

Fatal injection: a survey of modern code injection attack countermeasures

Dimitris Mitropoulos, Diomidis Spinellis
2017 PeerJ Computer Science  
The second involves the use of dynamic detection safeguards that prevent code injection attacks while the system is in production mode.  ...  A CIA can have different forms depending on the execution context of the application and the location of the programming flaw that leads to the attack.  ...  In particular, JavaScript injection attacks comprise a wide subset of dynamic language-driven attacks.  ... 
doi:10.7717/peerj-cs.136 fatcat:erqwjwx3pndy5gkywrt4dwhpf4

Static Enforcement of Web Application Integrity Through Strong Typing

William K. Robertson, Giovanni Vigna
2009 USENIX Security Symposium  
and dynamic analyses of server-side web application code, and client-side security policy enforcement.  ...  queries generated by a web application, and show how this approach can automatically prevent the introduction of both server-side cross-site scripting and SQL injection vulnerabilities.  ...  We would also like to thank Adam Barth for providing feedback on an earlier version of this paper.  ... 
dblp:conf/uss/RobertsonV09 fatcat:plln545qcfcn5nrhovmrlgijqq

A User-Oriented Approach and Tool for Security and Privacy Protection on the Web

Phu H. Phung, Huu-Danh Pham, Jack Armentrout, Panchakshari N. Hiremath, Quang Tran-Minh
2020 SN Computer Science  
We implement a proof-of-concept prototype and perform practical evaluations to demonstrate the effectiveness of our approach.  ...  We introduce a novel approach to protecting the privacy of web users.  ...  Compliance with Ethical Standards: Conflict of interest: Phu H. Phung has received a research grant from Novobi, LLC. The other authors declare that they have no conflict of interest.  ... 
doi:10.1007/s42979-020-00237-5 fatcat:v3nxfkdvb5cwpjdpxgvm72beim

How to Train Your Browser

Dimitris Mitropoulos, Konstantinos Stroggylos, Diomidis Spinellis, Angelos D. Keromytis
2016 ACM Transactions on Privacy and Security  
Cross-Site Scripting (XSS) is one of the most common web application vulnerabilities. It is therefore sometimes referred to as the "buffer overflow of the web."  ...  To avoid the false positives caused by minor syntactic changes (e.g., due to dynamic code generation), our layer uses the concept of contextual fingerprints when comparing scripts.  ...  BrowserShield [Reis et al. 2007 ] acts as a proxy on the server side to parse the HTML of server responses and identify scripts.  ... 
doi:10.1145/2939374 fatcat:cf7pd4hlbrezrmrwdxnlnm2oaa

Detecting In-Flight Page Changes with Web Tripwires

Charles Reis, Steven D. Gribble, Tadayoshi Kohno, Nicholas C. Weaver
2008 Symposium on Networked Systems Design and Implementation  
In this paper, we provide evidence of surprisingly widespread and diverse changes made to web pages between the server and client.  ...  Additionally, we find that changes introduced by client software can inadvertently cause harm, such as introducing cross-site scripting vulnerabilities into most pages a client visits.  ...  Acknowledgments Hank Levy, Steve Balensiefer, and Roxana Geambasu provided useful feedback on drafts of this paper.  ... 
dblp:conf/nsdi/ReisGKW08 fatcat:h7rsfmvdi5dhvcp6pycn6z6z6m

A Systematic Approach to Uncover Security Flaws in GUI Logic

Shuo Chen, Jose Meseguer, Ralf Sasse, Helen J. Wang, Yi-Min Wang
2007 2007 IEEE Symposium on Security and Privacy (SP '07)  
GUI logic flaws are a category of software vulnerabilities that result from logic bugs in GUI design/implementation.  ...  Through this work, we demonstrate that a crucial subset of visual spoofing vulnerabilities originate from GUI logic flaws, which have a well-defined mathematical meaning allowing a systematic analysis.  ...  In situations where the vendor's patches are not yet available, vulnerability-driven filtering can provide fast and easy-to-deploy patch-equivalent protection.  ... 
doi:10.1109/sp.2007.6 dblp:conf/sp/MeseguerSWW07 fatcat:pcrsvg3atjfy3gnmxrdkjaxyiu

DeCore: Detecting Content Repurposing Attacks on Clients' Systems [chapter]

Smitha Sundareswaran, Anna C. Squicciarini
2010 Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering  
Web 2.0 platforms are ubiquitously used to share content and personal information, which makes them an inviting and vulnerable target of hackers and phishers alike.  ...  In this paper, we discuss an emerging class of attacks, namely content repurposing attacks, which specifically targets sites that host user uploaded content on Web 2.0 sites.  ...  Finally, AjaxScope [19], BrowserShield [24], and CoreScript [31] secure the browsers by rewriting HTML and JavaScript.  ... 
doi:10.1007/978-3-642-16161-2_12 fatcat:cygoldgmi5gvveckuwrepxkea4

Client Honeypot Multiplication with High Performance and Precise Detection

2015 IEICE transactions on information and systems  
to the number of honeypot instances.  ...  In contrast, our process sandbox mechanism permits the creation of browser-helper processes, so it can identify these types of exploitations without resulting in false negatives.  ...  In many cases, JavaScript often interacts with the DOM after rendering using Dynamic HTML for providing rich content.  ... 
doi:10.1587/transinf.2014icp0002 fatcat:jyj6ud7unnevtjrf24wx4m62dm

Architectures for Inlining Security Monitors in Web Applications [chapter]

Jonas Magazinius, Daniel Hedin, Andrei Sabelfeld
2014 Lecture Notes in Computer Science  
Being parametric in the monitor itself, the architectures provide freedom in the choice of where the monitor is injected, allowing them to serve the interests of the different stakeholders: the users, code  ...  We report on experiments that demonstrate successful deployment of a JavaScript information-flow monitor with the different architectures.  ...  A prominent example in the context of the web is BrowserShield [34] by Reis et al. to instrument scripts with checks for known vulnerabilities. Yu et al. [44] and Kikuchi et al.  ... 
doi:10.1007/978-3-319-04897-0_10 fatcat:qypp4vnkzrfj5bgzocnf2ccvs4


Emre Kiciman, Benjamin Livshits
2010 ACM Transactions on the Web  
This article presents AjaxScope, a dynamic instrumentation platform that enables cross-user monitoring and just-in-time control of Web application behavior on end-user desktops.  ...  The rise of the software-as-a-service paradigm has led to the development of a new breed of sophisticated, interactive applications often called Web 2.0.  ...  Our discussions with Helen Wang, Trishul Chilimbi, Yi-Min Wang were invaluable to the conception and refinement of the project.  ... 
doi:10.1145/1841909.1841910 fatcat:4n4ywsiamrayreq6bcytibv2ku


Long Lu, Vinod Yegneswaran, Phillip Porras, Wenke Lee
2010 Proceedings of the 17th ACM conference on Computer and communications security - CCS '10  
of drive-by malware.  ...  Our evaluation includes multiple versions of IE and Firefox, against 1,934 active malicious URLs, representing a broad spectrum of web-based exploits now plaguing the Internet.  ...  The BrowserShield [31] proxy system uses script rewriting and vulnerability-driven filtering to transform inbound web pages into safe equivalents by disabling execution of malicious JavaScript and VBScript  ... 
doi:10.1145/1866307.1866356 dblp:conf/ccs/LuYPL10 fatcat:ba2d5ik2onax7dzinobopdvwfu

Enhancing Web Browsing Security

Chuan Yue
However, due to the vulnerabilities in Web browsers and Web applications and also due to Web users' lack of security knowledge, browser-based attacks are rampant over the Internet and have caused substantial  ...  Enhancing Web browsing security is therefore of great need and importance.  ... 
doi:10.21220/s2-jpwx-sw57 fatcat:jqvmkkgfjbf7ndukedupgdnm54

Spectrogram: A Mixture-of-Markov-Chains Model for Anomaly Detection in Web Traffic

Yingbo Song, Angelos D. Keromytis, Salvatore Stolfo, Columbia University. Computer Science
Signature-based sensors are effective in filtering known exploits but cannot detect 0-day vulnerabilities or deal with polymorphism, and statistical AD approaches have mostly been limited to network layer  ...  N-gram based modeling approaches have recently demonstrated success, but the ill-posed nature of modeling large grams has thus far prevented exploration of higher order statistical models.  ...  Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF or the U.S. Government.  ... 
doi:10.7916/d86w9k09 fatcat:5iz4ifta75ap7da2pcrhwareom