FrameHanger: Evaluating and Classifying Iframe Injection at Large Scale

  • Ke Tian
  • Zhou Li
  • Kevin D. Bowers
  • Danfeng (Daphne) Yao
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 255)

Abstract

Iframe is a web primitive frequently used by web developers to integrate content from third parties. It is also extensively used by web hackers to distribute malicious content after compromising vulnerable sites. Previous work focused on page-level detection, which is insufficient for detecting Iframe-specific injection. We therefore conducted a comprehensive study of how Iframes are included by websites across the Internet, in order to identify the gap between malicious and benign inclusions. By studying the online and offline inclusion patterns of the Alexa top 1M sites, we found that benign inclusion is usually regulated. Driven by this observation, we developed a tag-level detection system named FrameHanger, which aims to detect the injection of malicious Iframes in both the online and offline cases. Unlike previous work, our system brings detection granularity down to the tag level for the first time, without relying on any reference. The evaluation shows that FrameHanger achieves this goal with high accuracy.
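The tag-level, offline (static HTML) analysis the abstract describes, as an added example that is not FrameHanger's own code: every <iframe> is examined as its own unit and a few illustrative features are derived from it (third-party source, 1x1 box, CSS hiding). The sample page, the feature set and the flag rule are assumptions of this example, not the paper's classifier.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for this example; the .invalid host names are made up.
PAGE_URL = "https://shop.example.invalid/index.html"
SAMPLE_HTML = """<html><body>
<iframe src="https://shop.example.invalid/cart" width="400" height="300"></iframe>
<iframe src="https://maps.partner.invalid/embed" width="600" height="450"></iframe>
<div><iframe src="http://cdn-x.invalid/go.php" width="1" height="1"
 style="visibility:hidden;position:absolute;left:-9999px"></iframe></div>
</body></html>"""

# CSS that hides a frame from the visitor: display/visibility, or pushed off-screen.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+")

class IframeCollector(HTMLParser):
    """Record the attributes of every <iframe> start tag: one unit per tag."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})

def iframe_features(attrs, page_url):
    """Tag-level features: where the frame points and whether a visitor could see it."""
    page_host = urlparse(page_url).hostname or ""
    src_host = urlparse(attrs.get("src", "")).hostname or ""
    dims = [re.match(r"\d+", attrs.get(k, "")) for k in ("width", "height")]
    return {
        "src_host": src_host,
        "third_party": bool(src_host) and src_host != page_host,
        "tiny": any(m is not None and int(m.group()) <= 2 for m in dims),
        "css_hidden": bool(HIDDEN_CSS.search(attrs.get("style", "").lower())),
    }

def flag_suspicious(f):
    """Illustrative rule (assumption of this example, not the paper's classifier)."""
    return f["third_party"] and (f["tiny"] or f["css_hidden"])

def analyze(html, page_url):
    """One feature record per iframe in the static HTML (the offline case)."""
    parser = IframeCollector()
    parser.feed(html)
    records = [iframe_features(a, page_url) for a in parser.frames]
    for f in records:
        f["suspicious"] = flag_suspicious(f)
    return records
```

Running `analyze(SAMPLE_HTML, PAGE_URL)` flags only the third frame: the same-origin cart frame and the visible partner map embed pass, while the 1x1 hidden third-party frame is reported.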

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Ke Tian (1)
  • Zhou Li (2)
  • Kevin D. Bowers (2)
  • Danfeng (Daphne) Yao (1)

  1. Virginia Tech, Blacksburg, USA
  2. RSA Laboratories, Bedford, USA