FALCO: Detecting superfluous javascript injection attacks using website fingerprints

Abstract

JavaScript injection attacks enable man-in-the-middle adversaries not only to exploit innocent users to launch browser-based DDoS but also to expose them to unwanted advertisements. Despite ongoing efforts to address critical JavaScript injection attacks, prior solutions have several practical limitations, including the lack of deployment incentives and the difficulty of configuring security policies. An interesting observation is that the injected JavaScript oftentimes changes the website's behavior, significantly increasing the additional requests to previously unseen domains. Hence, this paper presents the design and implementation of a lightweight system called FALCO to detect JavaScript injection with mismatched website behavior fingerprints. We extract a website's behavior fingerprint from its dependency on external domains, which yields compact fingerprint representations with reasonable detection accuracy. Our experiments show that FALCO can detect 96.98% of JavaScript-based attacks in simulation environments. FALCO requires no cooperation with servers, and users can easily add an extension to their browsers to use our service without privacy concerns.
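The idea in the abstract, a fingerprint built from a page's dependency on external domains and checked for previously unseen ones, can be sketched as follows. This is an added illustration, not FALCO's code: the function names, the two-label site heuristic, the `maxUnseen` threshold and the sample URLs are all assumptions constructed for the example.

```javascript
// Added illustration; not FALCO's implementation. All names are hypothetical.

// Reduce a URL to a coarse site label (last two host labels).
// Assumption: a real system would consult the Public Suffix List instead.
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  const labels = host.split(".");
  return labels.length <= 2 ? host : labels.slice(-2).join(".");
}

// Fingerprint = set of external sites one page load sends requests to.
function fingerprint(pageUrl, requestUrls) {
  const own = siteOf(pageUrl);
  const sites = new Set();
  for (const u of requestUrls) {
    let s;
    try { s = siteOf(u); } catch { continue; } // malformed URL: ignore
    if (s && s !== own) sites.add(s);          // empty host (data:) or first party
  }
  return sites;
}

// Flag a load whose external sites are missing from the baseline fingerprint.
// maxUnseen is an assumed tolerance for benign drift (e.g. a new CDN host).
function compare(baseline, observed, maxUnseen = 0) {
  const unseen = [...observed].filter((s) => !baseline.has(s)).sort();
  return { unseen, mismatch: unseen.length > maxUnseen };
}

// Constructed sample data: one clean load and one with injected requests.
const PAGE = "https://news.example/";
const CLEAN = [
  "https://news.example/app.js",
  "https://static.cdn-one.example/lib.js",
  "https://img.cdn-one.example/a.png",
  "https://fonts.provider.example/f.woff2",
  "data:image/png;base64,AAAA",
];
const INJECTED = CLEAN.concat([
  "https://ads.unknown-net.example/inject.js",
  "https://t1.unknown-net.example/p",
  "https://beacon.other.example/x",
]);

function demo() {
  const baseline = fingerprint(PAGE, CLEAN);
  return {
    clean: compare(baseline, fingerprint(PAGE, CLEAN)),
    injected: compare(baseline, fingerprint(PAGE, INJECTED)),
  };
}
```

Because only site labels are stored, the baseline stays small and carries no paths or query strings from the user's browsing.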

Cite

Liu, C. C., Hsiao, H. C., & Kim, T. H. J. (2020). FALCO: Detecting superfluous javascript injection attacks using website fingerprints. In ICETE 2020 - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (Vol. 3, pp. 180–191). SciTePress. https://doi.org/10.5220/0009835101800191
