WYSISNWIV: What you scan is not what I visit

Qilang Yang, Dimitrios Damopoulos, Georgios Portokalidis

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

A variety of attacks, including remote-code execution exploits, malware, and phishing, are delivered to users over the web. Users are lured to malicious websites in various ways, including through spam delivered over email and instant messages, and by links injected in search engines and popular benign websites. In response to such attacks, many initiatives, such as Google's Safe Browsing, are trying to make the web a safer place by scanning URLs to automatically detect and blacklist malicious pages. Such blacklists are then used to block dangerous content, take down domains hosting malware, and warn users that have clicked on suspicious links. However, they are only useful when scanners and browsers address the web the same way. This paper presents a study that exposes differences in how browsers and scanners parse URLs. These differences leave users vulnerable to malicious web content, because the same URL leads the browser to one page, while the scanner follows the URL to scan another page. We experimentally test all major browsers and URL scanners, as well as various applications that parse URLs, and discover multiple discrepancies. In particular, we discover that pairing Firefox with the blacklist produced by Google's Safe Browsing leaves Firefox users exposed to malicious content hosted under URLs including the backslash character. The problem is a general one and affects various applications and URL scanners. Even though the solution is technically straightforward, it requires that multiple parties follow the same standard when parsing URLs. Currently, the standard followed by an application seems to be unconsciously dictated by the URL parser implementation it is using, while most browsers have strayed from the URL RFC.
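The parsing discrepancy the abstract describes can be checked for directly: split the same URL once the way an RFC-style parser does (Python's `urllib.parse`, where a backslash is an ordinary character) and once the way browsers following the WHATWG URL rule do (for special schemes such as http/https, a backslash before the query is treated as a forward slash), and flag any URL whose host or path differs between the two. This is an added defender-side example, not code from the paper; the WHATWG approximation and the constructed sample URLs are assumptions of this example.

```python
from urllib.parse import urlsplit

# Schemes for which the WHATWG URL Standard treats "\" like "/" (assumption of this example).
SPECIAL_SCHEMES = {"http", "https", "ws", "wss", "ftp", "file"}


def rfc_parse(url):
    """RFC 3986-style split: the backslash is just another character (urllib.parse)."""
    return urlsplit(url)


def _backslash_to_slash_before_query(rest):
    """Replace backslashes only in the authority/path part, leaving query and fragment alone."""
    cut = len(rest)
    for ch in "?#":
        i = rest.find(ch)
        if i != -1:
            cut = min(cut, i)
    return rest[:cut].replace("\\", "/") + rest[cut:]


def browser_style_parse(url):
    """Approximation of what a WHATWG-following browser sees for the same URL."""
    scheme, sep, rest = url.partition(":")
    if sep and scheme.lower() in SPECIAL_SCHEMES:
        url = scheme + ":" + _backslash_to_slash_before_query(rest)
    return urlsplit(url)


def parse_discrepancy(url):
    """Return {field: (rfc_value, browser_value)} for every component the two parsers disagree on.

    An empty dict means scanner and browser would address the same resource; a non-empty
    dict marks a URL a blacklist scanner should canonicalise (or scan both ways) before judging.
    """
    rfc, browser = rfc_parse(url), browser_style_parse(url)
    diffs = {}
    for field in ("scheme", "netloc", "path", "query", "fragment"):
        if getattr(rfc, field) != getattr(browser, field):
            diffs[field] = (getattr(rfc, field), getattr(browser, field))
    return diffs


if __name__ == "__main__":
    # Constructed sample: the RFC-style split keeps "example.com\evil.example" as the host,
    # while the browser-style split visits host "example.com" under a different path.
    for sample in ("http://example.com\\evil.example/page", "https://example.com/x"):
        print(sample, "->", parse_discrepancy(sample) or "no discrepancy")
```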

Original language: English
Title of host publication: Research in Attacks, Intrusions, and Defenses - 18th International Symposium, RAID 2015, Proceedings
Editors: Herbert Bos, Gregory Blanc, Fabian Monrose
Pages: 317-338
Number of pages: 22
DOIs
State: Published - 2015
Event: 18th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2015 - Kyoto, Japan
Duration: 2 Nov 2015 to 4 Nov 2015

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9404
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 18th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2015
Country/Territory: Japan
City: Kyoto
Period: 2/11/15 to 4/11/15
