TY - GEN
T1 - Monkey-in-the-browser
T2 - 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2014
AU - Van Acker, Steven
AU - Nikiforakis, Nick
AU - Desmet, Lieven
AU - Piessens, Frank
AU - Joosen, Wouter
N1 - Publisher Copyright:
Copyright 2014 ACM.
PY - 2014/6/4
Y1 - 2014/6/4
N2 - With the constant migration of applications from the desktop to the web, power users have found ways of enhancing web applications, at the client-side, according to their needs. In this paper, we investigate this phenomenon by focusing on the popular Greasemonkey extension, which enables users to write scripts that arbitrarily change the content of any page, allowing them to remove unwanted features from web applications or add desired features to them. The creation of script markets, on which these scripts are often shared, extends the standard web security model with two new actors, introducing novel vulnerabilities. We describe the architecture of Greasemonkey and perform a large-scale analysis of the most popular, community-driven script market for Greasemonkey. Through our analysis, we discover not only dozens of malicious scripts waiting to be installed by users, but thousands of benign scripts with vulnerabilities that could be abused by attackers. In 58 cases, the vulnerabilities are so severe that they can be used to bypass the Same-Origin Policy of the user's browser and steal sensitive user data from all sites. We verify the practicality of our attacks by developing a proof-of-concept exploit against a vulnerable user script with an installation base of 1.2 million users, equivalent to a "Man-in-the-browser" attack.
AB - With the constant migration of applications from the desktop to the web, power users have found ways of enhancing web applications, at the client-side, according to their needs. In this paper, we investigate this phenomenon by focusing on the popular Greasemonkey extension, which enables users to write scripts that arbitrarily change the content of any page, allowing them to remove unwanted features from web applications or add desired features to them. The creation of script markets, on which these scripts are often shared, extends the standard web security model with two new actors, introducing novel vulnerabilities. We describe the architecture of Greasemonkey and perform a large-scale analysis of the most popular, community-driven script market for Greasemonkey. Through our analysis, we discover not only dozens of malicious scripts waiting to be installed by users, but thousands of benign scripts with vulnerabilities that could be abused by attackers. In 58 cases, the vulnerabilities are so severe that they can be used to bypass the Same-Origin Policy of the user's browser and steal sensitive user data from all sites. We verify the practicality of our attacks by developing a proof-of-concept exploit against a vulnerable user script with an installation base of 1.2 million users, equivalent to a "Man-in-the-browser" attack.
KW - Augmented browsing
KW - Browser extension
KW - DOM-based XSS
KW - Greasemonkey
KW - Large-scale analysis
KW - Malware
KW - Script market
KW - Userscripts.org
KW - Vulnerabilities
UR - https://www.scopus.com/pages/publications/84984906839
U2 - 10.1145/2590296.2590311
DO - 10.1145/2590296.2590311
M3 - Conference contribution
AN - SCOPUS:84984906839
T3 - ASIA CCS 2014 - Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security
SP - 525
EP - 530
BT - ASIA CCS 2014 - Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security
PB - Association for Computing Machinery, Inc
Y2 - 4 June 2014 through 6 June 2014
ER -