Abusing browser address bar for fun and profit - an empirical investigation of add-on cross site scripting attacks

Yinzhi Cao*, Chao Yang, Vaibhav Rastogi, Yan Chen, Guofei Gu

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Chapter

1 Scopus citations

Abstract

Add-on JavaScript originating from users' inputs to the browser brings new functionalities such as debugging and entertainment; however, it also leads to a new type of cross-site scripting attack (which we define as add-on XSS), consisting of two parts: a snippet of JavaScript in clear text, and a spamming sentence enticing benign users to input that JavaScript. In this paper, we focus on the most common add-on XSS, the one caused by browser address bar JavaScript. To measure its severity, we conduct three experiments: (i) an analysis of real-world traces from two large social networks, (ii) a user study conducted by recruiting Amazon Mechanical Turks [4], and (iii) a Facebook experiment with a fake account. We believe that, as the first systematic and scientific study, our paper can ring a bell for all browser vendors and shed light for future researchers seeking an appropriate solution for add-on XSS.

Original language: English (US)
Title of host publication: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Publisher: Springer Verlag
Pages: 582-601
Number of pages: 20
DOIs
State: Published - Jan 1 2015

Publication series

Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume: 152
ISSN (Print): 1867-8211

Keywords

  • Add-on cross-site scripting
  • Browser address bar
  • User study

ASJC Scopus subject areas

  • Computer Networks and Communications
