Patil, Kailas
- Preventing Click Event Hijacking by User Intention Inference
Authors
Kailas Patil 1
Affiliations
1 Center of Excellence in Research and Development, Vishwakarma Institute of Information Technology, IN
Source
ICTACT Journal on Communication Technology, Vol 7, No 4 (2016), Pagination: 1408-1416
Abstract
Web applications are getting more complex and dynamic. By exploiting layout and JavaScript features of a web page, attackers can create web page objects that hijack users' clicks. Such objects look like normal web page objects, but users' clicks on them lead to unexpected browser actions, such as visiting different URLs or sending out malicious requests. We call this type of attack a click event hijacking attack. The Facebook Clickjacking attack is an example: it puts a transparent layer containing the victim web application on top of another web page that lures users to click. While users think they are clicking on the underlying web page, they actually click in the victim web application, resulting in unauthorized actions in that application. In this paper, we propose a solution that mitigates click event hijacking by inferring users' intentions. Our solution, Click Guard, ensures that the browser's behavior after a click matches the user's original intention. We implemented the proposed solution as a Mozilla Firefox extension and evaluated its effectiveness against click event hijacking attacks.
Keywords
Event Hijacking, Clickjacking, Pop-Up, UI Overlay.

- Evaluating Effectiveness of Mobile Browser Security Warnings
Authors
Ronak Shah 1, Kailas Patil 1
Affiliations
1 Department of Computer Engineering, Vishwakarma Institute of Information Technology, IN
Source
ICTACT Journal on Communication Technology, Vol 7, No 3 (2016), Pagination: 1373-1378
Abstract
This work evaluates whether browser security warnings are as ineffective as popular sentiment and past writing suggest. The study used several kinds of Android mobile browsers as well as desktop browsers to evaluate their security warnings. Security experts, developers and system architects should emphasize making users aware of security warnings and should not neglect the goal of communicating security information to end users. In most browsers, security warnings are not emphasized: browsers either do not show warnings at all, or there are a number of ways to hide the warnings for malicious sites. This work shows how inconsistent browsers really are in prompting security warnings; in particular, the majority of modern mobile web browsers are vulnerable to these security threats. We find inconsistency in SSL warnings among web browsers. Based on this work, we make recommendations for warning designers and researchers.
Keywords
Mobile Security, Mobile Web Browsers, Malicious Sites, SSL Warnings.

- An Insecure Wild Web: A Large-Scale Study of Effectiveness of Web Security Mechanisms
Affiliations
1 Vishwakarma Institute of Information Technology, IN
Source
ICTACT Journal on Communication Technology, Vol 8, No 1 (2017), Pagination: 1465-1471
Abstract
This research work presents a large-scale study of the problems in real-world web applications and widely-used mobile browsers. Through a large-scale experiment, we find inconsistencies in Secure Sockets Layer (SSL) warnings among popular mobile web browsers (over a billion downloads in total). The majority of popular mobile browsers on the Google Play Store either provide incomplete information in the SSL warnings shown to users or fail to show an SSL warning at all in the presence of certificate errors, making it difficult even for a security-savvy user to make an informed decision. In addition, we find that 28% of websites use mixed content, meaning a secure (https) website loads a sub-resource over the insecure HTTP protocol. Mixed content weakens the security of the entire website and leaves it vulnerable to man-in-the-middle (MITM) attacks. Furthermore, we inspected the default behavior of mobile web browsers and report that the majority of them allow execution of mixed content in web applications, which implies that billions of mobile browser users are exposed to eavesdropping and MITM attacks. Based on our findings, we make recommendations for website developers, users and browser vendors.
Keywords
Web Security, Mixed Content, SSL Warnings, HSTS, CSP, X-Frame-Options, X-XSS-Protection.
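The two checks that the abstracts above measure at scale, mixed content on https pages and the framing/transport headers listed in the keywords, can be reproduced for a single response with the added example below. This is illustration code written for this page, not code from the papers or from Click Guard; the page URL, HTML and response headers are constructed samples, and the split into "active" (script, iframe, object, embed, stylesheet) and "passive" (img, audio, video, source) mixed content follows the way browsers treat those resource types rather than anything the abstract states.

```python
"""Audit one HTTPS response for mixed content and for the headers that
address downgrade (HSTS) and clickjacking (X-Frame-Options / CSP).
Added example; sample page and headers are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute naming the sub-resource. Active content can run script or
# restyle the page; passive content can only be swapped or observed by a MITM.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class SubresourceCollector(HTMLParser):
    """Collects (kind, tag, absolute_url) for every loadable sub-resource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        kind = url = None
        if tag in ACTIVE_TAGS and a.get(ACTIVE_TAGS[tag]):
            kind, url = "active", a[ACTIVE_TAGS[tag]]
        elif tag in PASSIVE_TAGS and a.get(PASSIVE_TAGS[tag]):
            kind, url = "passive", a[PASSIVE_TAGS[tag]]
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split() and a.get("href"):
            kind, url = "active", a["href"]   # CSS can overlay/restyle the page: active
        if url:
            # urljoin resolves "/x.js" and "//cdn/x.js" against the https page,
            # so only literal http:// references survive as insecure.
            self.found.append((kind, tag, urljoin(self.base_url, url)))


def find_mixed_content(page_url, html):
    """Return sub-resources that an https page would fetch over plain http."""
    if urlsplit(page_url).scheme != "https":
        return []                       # mixed content is only defined for https pages
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [item for item in collector.found if urlsplit(item[2]).scheme == "http"]


def check_headers(headers):
    """Evaluate HSTS and framing protection from a response header dict."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {"hsts": False, "framing_protected": False, "notes": []}

    m = re.search(r"max-age\s*=\s*(\d+)", h.get("strict-transport-security", ""), re.I)
    if m and int(m.group(1)) > 0:
        result["hsts"] = True
    else:
        result["notes"].append("no HSTS: first http:// visit can be downgraded by a MITM")

    xfo = h.get("x-frame-options", "").strip().upper()
    csp_directives = {d.strip().split()[0].lower()
                      for d in h.get("content-security-policy", "").split(";") if d.strip()}
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp_directives:
        result["framing_protected"] = True
    else:
        result["notes"].append("page can be framed: transparent-overlay clickjacking possible")
        if xfo.startswith("ALLOW-FROM"):
            result["notes"].append("X-Frame-Options ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors")
    # Current browsers ignore X-XSS-Protection, so it must not count as a defense.
    if "x-xss-protection" in h and "content-security-policy" not in h:
        result["notes"].append("X-XSS-Protection set but no CSP: no effective XSS mitigation header")
    return result


# Constructed sample: an https page with one active and one passive http sub-resource.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example/analytics.js"></script>
<script src="//cdn.example/ok.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<iframe src="https://pay.example/widget"></iframe>
</body></html>
"""
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}


def audit(page_url=SAMPLE_URL, html=SAMPLE_HTML, headers=SAMPLE_HEADERS):
    mixed = find_mixed_content(page_url, html)
    return {
        "active_mixed": [u for k, _, u in mixed if k == "active"],
        "passive_mixed": [u for k, _, u in mixed if k == "passive"],
        "headers": check_headers(headers),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

On the sample the only active mixed resource is the plain-http analytics script (the scheme-relative one resolves to https), the logo is passive mixed content, and the header check reports a missing HSTS policy and a frameable page, since the obsolete ALLOW-FROM form gives no protection. Run against real fetched responses, the same two functions give the per-site signal the abstract aggregates into its 28% figure.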