Autocomplete injection attack

Nethanel Gelernter; Amir Herzberg

doi:10.1007/978-3-319-45741-3_26

Autocomplete injection attack

Nethanel Gelernter, Amir Herzberg

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

Autocomplete, a well-known feature in popular search engines, offers suggestions for search terms before the user has even completed typing their query. We present the autocomplete injection attack and its potential exploits. In this attack, a cross-site attacker injects terms into the autocomplete suggestions offered by a web-service to a victim user. The most popular web search engines are vulnerable to the attack, as well as other websites. Autocomplete injection can be exploited in multiple ways, including phishing, framing, illegitimate content-promotion and sometimes persistent cross-site scripting attacks. We evaluated the effectiveness of the attack with several experiments. Our results show the potential impact of the autocomplete injection attacks.

Original language	English
Title of host publication	Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings
Editors	Sokratis Katsikas, Catherine Meadows, Ioannis Askoxylakis, Sotiris Ioannidis
Publisher	Springer Verlag
Pages	512-530
Number of pages	19
ISBN (Print)	9783319457406
DOIs	https://doi.org/10.1007/978-3-319-45741-3_26
State	Published - 2016
Event	21st European Symposium on Research in Computer Security, ESORICS 2016 - Heraklion, Greece Duration: 26 Sep 2016 → 30 Sep 2016

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	9879 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	21st European Symposium on Research in Computer Security, ESORICS 2016
Country/Territory	Greece
City	Heraklion
Period	26/09/16 → 30/09/16

Bibliographical note

Publisher Copyright:
© Springer International Publishing Switzerland 2016.

Funding

This work was supported by grant 1354/11 from the Israeli Science Foundation (ISF), and by grants from the Israeli Ministry of Science, Technology and Space.

Funders	Funder number
Ministry of Science, Technology and Space
Israel Science Foundation

Keywords

Autocomplete injection attack
Blackhat SEO
CSRF
Cross site scripting
Cross-site attacks
Cross-site framing
Persistent XSS
Phishing
Usable security
Web-security

Access to Document

10.1007/978-3-319-45741-3_26

Cite this

Gelernter, N., & Herzberg, A. (2016). Autocomplete injection attack. In S. Katsikas, C. Meadows, I. Askoxylakis, & S. Ioannidis (Eds.), Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings (pp. 512-530). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9879 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-45741-3_26

Gelernter, Nethanel ; Herzberg, Amir. / Autocomplete injection attack. Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings. editor / Sokratis Katsikas ; Catherine Meadows ; Ioannis Askoxylakis ; Sotiris Ioannidis. Springer Verlag, 2016. pp. 512-530 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{69a8785c23ae4a56a8c521436d63da60,

title = "Autocomplete injection attack",

abstract = "Autocomplete, a well-known feature in popular search engines, offers suggestions for search terms before the user has even completed typing their query. We present the autocomplete injection attack and its potential exploits. In this attack, a cross-site attacker injects terms into the autocomplete suggestions offered by a web-service to a victim user. The most popular web search engines are vulnerable to the attack, as well as other websites. Autocomplete injection can be exploited in multiple ways, including phishing, framing, illegitimate content-promotion and sometimes persistent cross-site scripting attacks. We evaluated the effectiveness of the attack with several experiments. Our results show the potential impact of the autocomplete injection attacks.",

keywords = "Autocomplete injection attack, Blackhat SEO, CSRF, Cross site scripting, Cross-site attacks, Cross-site framing, Persistent XSS, Phishing, Usable security, Web-security",

author = "Nethanel Gelernter and Amir Herzberg",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing Switzerland 2016.; 21st European Symposium on Research in Computer Security, ESORICS 2016 ; Conference date: 26-09-2016 Through 30-09-2016",

year = "2016",

doi = "10.1007/978-3-319-45741-3_26",

language = "אנגלית",

isbn = "9783319457406",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "512--530",

editor = "Sokratis Katsikas and Catherine Meadows and Ioannis Askoxylakis and Sotiris Ioannidis",

booktitle = "Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings",

address = "גרמניה",

}

Gelernter, N & Herzberg, A 2016, Autocomplete injection attack. in S Katsikas, C Meadows, I Askoxylakis & S Ioannidis (eds), Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9879 LNCS, Springer Verlag, pp. 512-530, 21st European Symposium on Research in Computer Security, ESORICS 2016, Heraklion, Greece, 26/09/16. https://doi.org/10.1007/978-3-319-45741-3_26

Autocomplete injection attack. / Gelernter, Nethanel; Herzberg, Amir.
Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings. ed. / Sokratis Katsikas; Catherine Meadows; Ioannis Askoxylakis; Sotiris Ioannidis. Springer Verlag, 2016. p. 512-530 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9879 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Autocomplete injection attack

AU - Gelernter, Nethanel

AU - Herzberg, Amir

N1 - Publisher Copyright: © Springer International Publishing Switzerland 2016.

PY - 2016

Y1 - 2016

N2 - Autocomplete, a well-known feature in popular search engines, offers suggestions for search terms before the user has even completed typing their query. We present the autocomplete injection attack and its potential exploits. In this attack, a cross-site attacker injects terms into the autocomplete suggestions offered by a web-service to a victim user. The most popular web search engines are vulnerable to the attack, as well as other websites. Autocomplete injection can be exploited in multiple ways, including phishing, framing, illegitimate content-promotion and sometimes persistent cross-site scripting attacks. We evaluated the effectiveness of the attack with several experiments. Our results show the potential impact of the autocomplete injection attacks.

AB - Autocomplete, a well-known feature in popular search engines, offers suggestions for search terms before the user has even completed typing their query. We present the autocomplete injection attack and its potential exploits. In this attack, a cross-site attacker injects terms into the autocomplete suggestions offered by a web-service to a victim user. The most popular web search engines are vulnerable to the attack, as well as other websites. Autocomplete injection can be exploited in multiple ways, including phishing, framing, illegitimate content-promotion and sometimes persistent cross-site scripting attacks. We evaluated the effectiveness of the attack with several experiments. Our results show the potential impact of the autocomplete injection attacks.

KW - Autocomplete injection attack

KW - Blackhat SEO

KW - CSRF

KW - Cross site scripting

KW - Cross-site attacks

KW - Cross-site framing

KW - Persistent XSS

KW - Phishing

KW - Usable security

KW - Web-security

UR - http://www.scopus.com/inward/record.url?scp=84990843482&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-45741-3_26

DO - 10.1007/978-3-319-45741-3_26

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:84990843482

SN - 9783319457406

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 512

EP - 530

BT - Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings

A2 - Katsikas, Sokratis

A2 - Meadows, Catherine

A2 - Askoxylakis, Ioannis

A2 - Ioannidis, Sotiris

PB - Springer Verlag

T2 - 21st European Symposium on Research in Computer Security, ESORICS 2016

Y2 - 26 September 2016 through 30 September 2016

ER -

Gelernter N, Herzberg A. Autocomplete injection attack. In Katsikas S, Meadows C, Askoxylakis I, Ioannidis S, editors, Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings. Springer Verlag. 2016. p. 512-530. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-45741-3_26

Autocomplete injection attack

Abstract

Publication series

Conference

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this