Abstract: The advent of Software-as-a-Service (SaaS) has led to the development of multi-party web applications (MPWAs). MPWAs rely on core trusted third-party systems (e.g., payment servers, identity providers) and protocols such as Cashier-as-a-Service (CaaS) and Single Sign-On (SSO) to deliver business services to users. Motivated by the large number of attacks discovered against MPWAs and by the lack of a single general-purpose, application-agnostic technique to support their discovery, we propose an automatic technique based on attack patterns for black-box security testing of MPWAs. Our approach stems from the observation that attacks against popular MPWAs share a number of similarities, even if the underlying protocols and services are different. In this paper, we target six different replay attacks, a login CSRF attack and a persistent XSS attack. Firstly, we propose a methodology in which security experts can create attack patterns from known attacks. Secondly, we present a security testing framework that leverages attack patterns to automatically generate test cases for testing the security of MPWAs. We implemented our ideas on top of OWASP ZAP (a popular, open-source penetration testing tool), created seven attack patterns that correspond to thirteen prominent attacks from the literature and discovered twenty-one previously unknown vulnerabilities in prominent MPWAs (e.g., twitter.com, developer.linkedin.com, pinterest.com), including MPWAs that do not belong to the SSO and CaaS families.
In a Cross-Origin State Inference (COSI) attack, an attacker convinces a victim into visiting an attack web page, which leverages the cross-origin interaction features of the victim's web browser to infer the victim's state at a target web site. COSI attacks can have serious consequences, including determining if the victim has an account or is the administrator of a prohibited target site, and determining if the victim owns sensitive content or is the owner of a specific account at the target site. While COSI attacks are not new, they have previously been considered as sparse attacks under different names. This paper is the first to systematically study COSI attacks as a comprehensive category and to present a tool for detecting COSI attacks. We introduce the concept of a COSI attack class to capture related attack variants and identify 39 COSI attack classes, of which 22 are new, and the rest generalize existing attacks. We discover a novel XS-Leak based on window.postMessage. We design a novel approach to detect COSI attacks, and implement it in Basta-COSI, a tool that produces attack web pages that demonstrate the existence of COSI attacks in a target web site. We apply Basta-COSI to four popular stand-alone web applications and six popular live sites, finding COSI attacks against each of them. Finally, we discuss defenses against COSI attacks.
Freeware is proprietary software that can be used free of charge. A popular vector for distributing freeware is download portals, i.e., websites that index, categorize, and host programs. Download portals can be abused to distribute potentially unwanted programs (PUP) and malware. The abuse can be due to PUP and malware authors uploading their ware, to benign freeware authors joining as affiliate publishers of PPI services and other affiliate programs, or to malicious download portal owners. In this work, we perform a systematic study of abuse in download portals. We build a platform to crawl download portals and apply it to download 191K Windows freeware installers from 20 download portals. We analyze the collected installers and execute them in a sandbox to monitor their installation. We measure an overall ratio of PUP and malware between 8% (conservative estimate) and 26% (lax estimate). In 18 of the 20 download portals examined, the amount of PUP and malware is below 9%. But we also find two download portals exclusively used to distribute PPI downloaders. Finally, we detail different abusive behaviors that authors of undesirable programs use to distribute their programs through download portals.