57
4
archive
disk0/00/00/00/57
2009-04-06 19:10:07
2009-04-07 14:02:27
2009-04-06 19:10:07
conference_item
show
0
-
Guha
Arjun
Brown University
-
Krishnamurthi
Shriram
Brown University
-
Jim
Trevor
AT&T Laboratories-Research
Using Static Analysis for Ajax Intrusion Detection
pub
public
paper
We present a static control-flow analysis for JavaScript programs running in a web browser. Our analysis tackles numerous challenges posed by modern web applications including asynchronous communication, frameworks, and dynamic code generation. We use our analysis to extract a model of expected client behavior as seen from the server, and build an intrusion-prevention proxy for the server: the proxy intercepts client requests and disables those that do not meet the expected behavior. We insert random asynchronous requests to foil mimicry attacks. Finally, we evaluate our technique against several real applications and show that it protects against an attack in a widely-used web application.
2009-04
561-561
18th International World Wide Web Conference
Madrid, Spain
April 20th-24th, 2009
conference
TRUE
57
4
57
1
application/pdf
en
public
p561.pdf
published
p561.pdf
1021301
http://www2009.eprints.org/57/1/p561.pdf