Abstract
The term JavaScript Malware describes attacks that abuse the web browser's capabilities to execute malicious script code within the victim's local execution context. Unlike related attacks, JavaScript Malware does not rely on security vulnerabilities in the web browser's code; instead it uses only behaviour that is legitimate with respect to the applicable specification documents. Such attacks can invade the user's privacy, explore and exploit the LAN, or use the victimized browser as an attack proxy. This paper documents the state of the art concerning this class of attacks, summarizes relevant protection approaches, and provides directions for future research.
Additional information
This work was supported by the German Ministry of Economics (BMWi) as part of the project “secologic”, http://www.secologic.org.
Cite this article
Johns, M. On JavaScript Malware and related threats. J Comput Virol 4, 161–178 (2008). https://doi.org/10.1007/s11416-007-0076-7