DEMACRO: defense against malicious cross-domain requests

Authors:
Sebastian Lekies;Nick Nikiforakis;Walter Tighzert;Frank Piessens;Martin Johns
Affiliations:
SAP Research, Germany;IBBT-DistriNet, KU Leuven, Leuven, Belgium;SAP Research, Germany;IBBT-DistriNet, KU Leuven, Leuven, Belgium;SAP Research, Germany
Venue:
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Year:
2012

Citing 9
Cited 0

Noxes: a client-side solution for mitigating cross-site scripting attacks

Proceedings of the 2006 ACM symposium on Applied computing
Tracking information flow in dynamic tree structures

ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Client-Side Detection of Cross-Site Request Forgery Attacks

ISSRE '10 Proceedings of the 2010 IEEE 21st International Symposium on Software Reliability Engineering
SessionShield: lightweight protection against session hijacking

ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
An empirical study on the security of cross-domain policies in rich internet applications

Proceedings of the Fourth European Workshop on System Security
Biting the hand that serves you: a closer look at client-side flash proxies for cross-domain requests

DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
Scramble! your social network data

PETS'11 Proceedings of the 11th international conference on Privacy enhancing technologies
Fortifying web-based applications automatically

Proceedings of the 18th ACM conference on Computer and communications security
CsFire: transparent client-side mitigation of malicious cross-domain requests

ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

In the constant evolution of the Web, the simple always gives way to the more complex. Static webpages with click-through dialogues are becoming more and more obsolete and in their place, asynchronous JavaScript requests, Web mash-ups and proprietary plug-ins with the ability to conduct cross-domain requests shape the modern user experience. Three recent studies showed that a significant number of Web applications implement poor cross-domain policies allowing malicious domains to embed Flash and Silverlight applets which can conduct arbitrary requests to these Web applications under the identity of the visiting user. In this paper, we confirm the findings of the aforementioned studies and we design DEMACRO, a client-side defense mechanism which detects potentially malicious cross-domain requests and de-authenticates them by removing existing session credentials. Our system requires no training or user interaction and imposes minimal performance overhead on the user's browser.