1. Technical Field
Embodiments of the present disclosure generally relate to computer security and, more particularly, to a method and apparatus for identifying web attacks.
2. Description of the Related Art
Web users employ browser applications to navigate the Internet and view active and static content on one or more web pages. Many browser applications enforce a “same origin” policy during the web browsing session to prevent an attacker at a first origin from attacking a computer at a second origin. Generally, the “same origin” policy specifies the circumstances in which the first origin can access a resource at the second origin. Particularly, the “same origin” policy prevents content associated with the first origin from reading or setting the attributes of content that is loaded into the browser window from the second origin. For example, according to “same origin” policy, the browser application considers two objects as belonging to the same origin if, and only if, they are associated with the same domain name, protocol type and port number.
Hackers attack computers by exploiting one or more weaknesses of the “same origin” policy. For example, the “same origin” policy is concerned only with domain names and not with IP addresses. Content (e.g., objects) is not accessed through the domain name but through an Internet Protocol (IP) address that is associated with the domain name. Specifically, the domain name resolves to the IP address within the Domain Name System (DNS). If multiple IP addresses (e.g., from different entities) are associated with the same domain name, the “same origin” policy is still satisfied for the various objects associated with that domain name even though the various objects may be retrieved from the multiple IP addresses.
By confusing the browser application with multiple addresses for a single domain, the hacker is able to undermine the “same origin” policy and perform unwanted activities on another computer using the attack computer as a proxy. The hacker can circumvent firewalls to spider corporate intranets, infiltrate sensitive material (e.g., documents) and compromise unpatched (i.e., unprotected) internal computing devices.
Typically, the browser application defends against such an attack through DNS pinning, where information regarding a domain name resolved to a particular IP address is saved in a cache for a fixed period of time. Unfortunately, DNS pinning is not effective against attacks that use active content to mount a DNS rebinding attack, because a malicious program manipulates round robin DNS response types to switch the particular IP address that resolves to the domain name with another IP address that resolves to a different domain name. The malicious program is thereby able to control the frame or object associated with the different domain name through the other IP address.
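The following illustration is added here and is not part of the disclosure. It models the two mechanisms described above: the “same origin” comparison of protocol type, domain name and port number, and a DNS pinning cache that returns the pinned address for the duration of a fixed pin window and then re-resolves. The scripted resolver, the domain name `suspect.example`, the sixty-second window and the addresses (documentation and private ranges) are constructed for the illustration. The detection check that raises an alert when a re-resolved domain changes from its pinned address to a private or loopback address is the author's own addition, not a mechanism the disclosure describes.

```python
"""Same-origin comparison and a DNS pinning cache with a rebinding check.

Added illustration; the resolver answers, domain name and pin window are
constructed for the example and do not come from the disclosure.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Default ports used when a URL omits an explicit port number.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (protocol type, domain name, port number) triple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """Two URLs share an origin iff scheme, host and port all match."""
    return origin_of(url_a) == origin_of(url_b)


@dataclass
class PinEntry:
    ip: str
    pinned_at: float


class PinningResolver:
    """Caches the first address seen for a domain for ttl_seconds (DNS pinning).

    After the pin expires the domain is re-resolved. If the new answer differs
    from the pinned one and points at a private or loopback address, an alert
    is recorded: a public name suddenly resolving to an internal address is the
    shape of a rebinding attempt (check added for the illustration).
    """

    def __init__(self, resolve, ttl_seconds=60.0):
        self._resolve = resolve          # callable(domain) -> ip string
        self._ttl = ttl_seconds
        self._cache = {}                 # domain -> PinEntry
        self.alerts = []                 # recorded suspicious re-resolutions

    def lookup(self, domain, now):
        entry = self._cache.get(domain)
        # Within the pin window the cached address is authoritative; the
        # upstream resolver is not consulted at all.
        if entry is not None and now - entry.pinned_at < self._ttl:
            return entry.ip
        ip = self._resolve(domain)
        if entry is not None and ip != entry.ip and ip_address(ip).is_private:
            self.alerts.append({
                "domain": domain,
                "pinned_ip": entry.ip,
                "new_ip": ip,
                "at": now,
                "reason": "re-resolved to a private address after pin expiry",
            })
        self._cache[domain] = PinEntry(ip=ip, pinned_at=now)
        return ip


def run_scenario():
    """Drive the resolver with constructed answers; returns (ips, alerts)."""
    # 203.0.113.10 is a documentation-range address standing in for a public
    # host; 10.0.0.5 is a private address standing in for an internal device.
    answers = iter(["203.0.113.10", "10.0.0.5", "10.0.0.5"])
    resolver = PinningResolver(lambda domain: next(answers), ttl_seconds=60.0)
    ips = [
        resolver.lookup("suspect.example", now=0.0),   # first answer, pinned
        resolver.lookup("suspect.example", now=30.0),  # inside window: cached
        resolver.lookup("suspect.example", now=90.0),  # expired: address flips
    ]
    return ips, resolver.alerts


if __name__ == "__main__":
    print(same_origin("http://example.com/a", "http://example.com:80/b"))
    print(same_origin("http://example.com", "https://example.com"))
    ips, alerts = run_scenario()
    print(ips)
    for alert in alerts:
        print(alert)
```

The scenario shows both halves of the problem stated above: during the pin window the second lookup never reaches the upstream resolver, so pinning does its job; once the window lapses the third lookup accepts a new answer for the same domain name, and because the origin triple has not changed, content loaded under that name remains “same origin” with the content that the browser fetched from the earlier address. The alert is where a defender would hook logging or a block.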
Therefore, there is a need in the art for a method and apparatus for identifying web attacks that exploit the vulnerabilities of the “same origin” policy in order to secure the computer.