HTML5应用程序缓存中毒攻击研究

doi:10.11959/j.issn.1000-436x.2016206

Abstract

Abstract:

HTML5 application cache (AppCache) allowed Web browser to access Web offline.But it also brought a new method of cache poisoning attack that was more persisting.As for websites which used the AppCache,a novel poisoning method RFTM (replace file twice method),in which the attacker replaced the manifest file twice to poison the client’s AppCache,was proposed.Compared with the original attack,the legal server would not receive abnormal HTTP requests from the client in the attack.Therefore,changing the server configuration could not prevent the client from the RFTM AppCache poisoning.To avoid the attack mentioned above,a lightweight signature defense scheme Sec-Cache in application layer was designed.Furthermore,experiments show that it has good performance and compatibility.

Key words: Web security, HTML5, application cache, cache poisoning attack, signature scheme

Yan JIA,He WANG,Shao-qing LYU,Yu-qing ZHANG. Research on HTML5 application cache poison attack[J]. Journal on Communications, 2016, 37(10): 149-157.

Figures/Tables 12

References 23

[1]	LEENHEER N . How well does your browser support HTML5[EB/OL]. .
[2]	KUPPAN L . Attacking with HTML5[EB/OL]. .
[3]	ZALEWSKI M . Geolocation spoofing and other UI woes[EB/OL]. .
[4]	SON S , SHMATIKOV V . The postman always rings twice:attacking and defending postMessage in HTML5 Websites[C]// NDSS. 2013.
[5]	王晓强 . 基于HTML5的CSRF攻击与防御技术研究[D]. 成都:电子科技大学, 2013. WANG X Q . Research of CSRF attack and defense techniques based on HTML5[D]. Chengdu:University of Electronic Science and Technology of China, 2013.
[6]	KULSHRESTHA A . An empirical study of HTML5 websockets and their cross browser behavior for mixed content and untrusted certificates[J]. International Journal of Computer Applications, 2013,82(6): 13-18.
[7]	JIN X , HU X , YING K ,et al. Code injection attacks on HTML5-based mobile apps:characterization,detection and mitigation[C]// ACM SIGSAC Conference on Computer ＆ Communications Security. 2014: 66-77.
[8]	GILGER J . Persistent AppCache injections[EB/OL]. .
[9]	JIA Y , CHEN Y , DONG X . Man-in-the-browser-cache:persisting https attacks via browser cache poisoning[J]. Computers ＆ Security, 2015: 62-80.
[10]	HANNA S , CHUL E , SHIN R ,et al. The Emperor's new APIs:on the (in) secure usage of new client-side primitives[J]. W2sp Web Security＆ Privacy, 2010.
[11]	李潇宇, 张玉清, 刘奇旭 ,等. 一种基于HTML5的安全跨文档消息传递方案[J]. 中国科学院大学学报, 2013,30(1): 124-130. LI X Y , ZHANG Y Q , LIU Q X ,et al. Secure cross document messaging scheme based on HTML5[J]. Journal of Graduate University of Chinese Academy of Sciences, 2013,30(1): 124-130.
[12]	TIAN Y , LIU Y C , BHOSALE A ,et al. All your screens are belong to us:attacks exploiting the HTMl5 screen sharing API[C]// Proceedings of the 2014 IEEE Symposium on Security and Privacy,IEEE Computer Society. 2014: 34-48.
[13]	HEIDERICH M , FROSCH T , JENSEN M ,et al. Crouching tiger hidden payload:security risks of scalable vectors graphics[C]// Proceedings of the 18th ACM Conference on Computer and Communications Security. 2011: 239-250.
[14]	JOHNS M , LEKIES S , STOCK B . Eradicating DNS rebinding with the extended same-origin policy[C]// Usenix Conference on Security. 2013: 621-636.
[15]	LEE S , KIM H , KIM J . Identifying cross-origin resource status using application cache[C]// Proc NDSS ’15. 2015.
[16]	HOMAKOV E . Using AppCache and service worker for evil[EB/OL]. .
[17]	W3C. W3C.Offline Web applications-HTML5[EB/OL]. .
[18]	VALLENTIN M , BEN-DAVID Y . Persistent browser cache poisoning[R/OL]. .
[19]	WALIULLAH M , GAN D . Wireless LAN security threats ＆ vulnerabilities:a literature review[J]. International Journal of Advanced Computer Science ＆ Application, 2014,5(1): 176-181.
[20]	LAVA. Shell of the future:reverse web shell handler for XSS exploitation[EB/OL]. .
[21]	LAVA. HTML5 based JavaScript network reconnaissance tool[EB/OL]. .
[22]	MARLINSPIKE M . A tool for exploiting moxie marlinspike's SSL"stripping"Attack[EB/OL]. .
[23]	Internet Engineering Task Force. HTTP strict transport security (HSTS)[S/OL]. .

Metrics

Recommended 0

No Suggested Reading articles found!

对比项	RFTM	Kuppan	Homakov
攻击条件	高	低	高
隐蔽性	高	低	低
服务端防范可行性	否	是	否
恢复难易	难	难	易

符号	含义
pk	服务器当前的公钥
sk	服务器当前的私钥
m	符合W3C标准的manifest文件
Sig(·)	RSA签名算法
Ver(·)	RSA验证算法
H(·)	安全散列算法
timestamp	时间戳，GTM 1970-1-1 00:00:00到当前时间的秒数
check	签名字段，以注释的形式写入manifest标准文件末尾
expire	公钥过期时间，格式同timestamp

关键字	含义
#SEC_CACHEv1.0	使用安全方案的版本标志
#PUBLIC_KEY	服务器当前的公钥
#TIMESTAMP	时间戳
#EXPIRE	密钥过期时间
#CHECK	签名
#NEW_PUBLIC_KEY	服务器新的公钥（可选）
#DELETE	取消应用程序缓存

Research on HTML5 application cache poison attack

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 23

Related Articles 7

Metrics

Recommended 0

[1]	Yu-fei ZHAO,Gang XIONG,Long-tao HE,Zhou-jun LI. Approach to detecting SQL injection behaviors in network environment [J]. Journal on Communications, 2016, 37(2): 89-98.
[2]	. Efficient top-k string similarity query algorithms [J]. Journal on Communications, 2014, 35(12): 2-20.
[3]	Zi-yang CHEN,Yu-jun HAN,Xuan WANG,Jun-feng ZHOU. Efficient top-k string similarity query algorithms [J]. Journal on Communications, 2014, 35(12): 10-20.
[4]	De-yan CHEN,Hong ZHAO,Xia ZHANG,Li-jun ZHAO,An PING. Study on semantic Web security [J]. Journal on Communications, 2012, 33(Z2): 45-59.
[5]	Sheng-bao WANG,Wen-hao LIU,Qi XIE. Certificateless signature scheme without bilinear pairings [J]. Journal on Communications, 2012, 33(4): 93-98.
[6]	Dian-jun LU,GBing-ru ZHAN,Hai-xing ZHAO. Forward-secure threshold signature scheme based on polynomial secret sharing [J]. Journal on Communications, 2009, 30(1): 45-49.
[7]	Zhi-min LI,Li-cheng WANG,Shi-hui ZHENG,Yi-xian YANG. Security of randomized hashing and signer’s cheating [J]. Journal on Communications, 2008, 29(10): 101-107.