Static analysis for Ajax intrusion detection

DMCA

Static analysis for Ajax intrusion detection (2009)

Cached

Download Links

by Arjun Guha , Shriram Krishnamurthi , Trevor Jim

Venue:	In International World Wide Web Conference
Citations:	66 - 3 self

BibTeX

@INPROCEEDINGS{Guha09staticanalysis,
    author = {Arjun Guha and Shriram Krishnamurthi and Trevor Jim},
    title = {Static analysis for Ajax intrusion detection},
    booktitle = {In International World Wide Web Conference},
    year = {2009}
}

OpenURL

Abstract

We present a static control-flow analysis for JavaScript programs running in a web browser. Our analysis tackles numerous challenges posed by modern web applications including asynchronous communication, frameworks, and dynamic code generation. We use our analysis to extract a model of expected client behavior as seen from the server, and build an intrusion-prevention proxy for the server: the proxy intercepts client requests and disables those that do not meet the expected behavior. We insert random asynchronous requests to foil mimicry attacks. Finally, we evaluate our technique against several real applications and show that it protects against an attack in a widely-used web application.

Keyphrases

ajax intrusion detection static analysis client request mimicry attack asynchronous communication modern web application several real application dynamic code generation asynchronous request numerous challenge intrusion-prevention proxy javascript program static control-flow analysis web browser client behavior widely-used web application

DMCA