A Comprehensive Client-Side Behavior Model for Diagnosing Attacks in Ajax Applications

Behavior models of applications are widely used for diagnosing security incidents in complex web-based systems. However, Ajax techniques that enable better web experiences also make it fairly challenging to model Ajax application behaviors in the complex browser environment. In Ajax applications, server-side states are no longer synchronous with the views to end users at the client side. Therefore, to model the behaviors of Ajax applications, it is indispensable to incorporate client-side application states into the behavior models, as being explored by prior work. Unfortunately, how to leverage behavior models to perform security diagnosis in Ajax applications has yet been thoroughly examined. Existing models extracted from Ajax application behaviors are insufficient in a security context. In this paper, we propose a new behavior model for diagnosing attacks in Ajax applications, which abstracts both client-side state transitions as well as their communications to external servers. Our model articulates different states with the browser events or user actions that trigger state transitions. With a prototype implementation, we demonstrate that the proposed model is effective in attack diagnosis for real-world Ajax applications.

[1]  Ali Mesbah,et al.  Automated cross-browser compatibility testing , 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[2]  V. N. Venkatakrishnan,et al.  Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[3]  Christopher Krügel,et al.  Noxes: a client-side solution for mitigating cross-site scripting attacks , 2006, SAC '06.

[4]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[5]  Arie van Deursen,et al.  Automated security testing of web widget interactions , 2009, ESEC/FSE '09.

[6]  Alessandro Orso,et al.  WEBDIFF: Automated identification of cross-browser issues in web applications , 2010, 2010 IEEE International Conference on Software Maintenance.

[7]  Giuseppe A. Di Lucca,et al.  Identifying cross site scripting vulnerabilities in Web applications , 2004, Proceedings. Sixth IEEE International Workshop on Web Site Evolution.

[8]  Shriram Krishnamurthi,et al.  Using static analysis for Ajax intrusion detection , 2009, WWW '09.

[9]  Zhendong Su,et al.  Static detection of cross-site scripting vulnerabilities , 2008, 2008 ACM/IEEE 30th International Conference on Software Engineering.

[10]  Weibo Gong,et al.  Anomaly detection using call stack information , 2003, 2003 Symposium on Security and Privacy, 2003..

[11]  Tzi-cker Chiueh,et al.  Dynamic multi-process information flow tracking for web application security , 2007, MC '07.

[12]  Vern Paxson,et al.  Enhancing byte-level network intrusion detection signatures with context , 2003, CCS '03.

[13]  Mike Shema Cross-Site Scripting , 2010 .

[14]  Arie van Deursen,et al.  Regression Testing Ajax Applications: Coping with Dynamism , 2010, 2010 Third International Conference on Software Testing, Verification and Validation.

[15]  Carrie Gates,et al.  Challenging the anomaly detection paradigm: a provocative discussion , 2006, NSPW '06.

[16]  Davide Sangiorgi,et al.  Communicating and Mobile Systems: the π-calculus, , 2000 .

[17]  Robin Milner,et al.  Communicating and mobile systems - the Pi-calculus , 1999 .

[18]  A. Halim Zaim,et al.  A hybrid intrusion detection system design for computer network security , 2009, Comput. Electr. Eng..

[19]  Myungjin Lee,et al.  AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications , 2010, WebApps.

[20]  Christopher Krügel,et al.  Anomaly detection of web-based attacks , 2003, CCS '03.

[21]  Haining Wang,et al.  Characterizing insecure javascript practices on the web , 2009, WWW '09.

[22]  Ajay Chander,et al.  JavaScript instrumentation for browser security , 2007, POPL '07.

[23]  Stefano Zanero,et al.  Masibty: an anomaly based intrusion prevention system for web applications , 2009 .

[24]  Arie van Deursen,et al.  Crawling AJAX by Inferring User Interface State Changes , 2008, 2008 Eighth International Conference on Web Engineering.

[25]  Grzegorz Lewandowski,et al.  Enforcing Request Integrity in Web Applications , 2010, DBSec.

[26]  Giovanni Vigna,et al.  Detecting malicious JavaScript code in Mozilla , 2005, 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS'05).

[27]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[28]  Arie van Deursen,et al.  Invariant-based automatic testing of AJAX user interfaces , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[29]  C. A. R. Hoare,et al.  Communicating sequential processes , 1978, CACM.

[30]  Dawn Xiaodong Song,et al.  Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense , 2009, NDSS.

[31]  Christopher Krügel,et al.  Leveraging User Interactions for In-Depth Testing of Web Applications , 2008, RAID.