{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:59:51Z","timestamp":1750309191670,"version":"3.41.0"},"reference-count":69,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2008,12,1]],"date-time":"2008-12-01T00:00:00Z","timestamp":1228089600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2008,12]]},"abstract":"<jats:p>Most of the recent work on Web security focuses on preventing attacks that directly harm the browser\u2019s host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious or subverted Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation, and reconnaissance scans. We show that attackers are able to create powerful botnet-like infrastructures that can cause significant damage. 
We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.<\/jats:p>","DOI":"10.1145\/1455518.1477941","type":"journal-article","created":{"date-parts":[[2008,12,17]],"date-time":"2008-12-17T13:25:20Z","timestamp":1229520320000},"page":"1-38","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["Puppetnets"],"prefix":"10.1145","volume":"12","author":[{"given":"Spiros","family":"Antonatos","sequence":"first","affiliation":[{"name":"FORTH-ICS"}]},{"given":"Periklis","family":"Akritidis","sequence":"additional","affiliation":[{"name":"Cambridge University"}]},{"given":"Vinh The","family":"Lam","sequence":"additional","affiliation":[{"name":"University of California"}]},{"given":"Kostas G.","family":"Anagnostakis","sequence":"additional","affiliation":[{"name":"Institute for Infocomm Research (I2R)"}]}],"member":"320","published-online":{"date-parts":[[2008,12]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"ABC Electronic. 2006. ABCE Database. http:\/\/www.abce.org.uk\/cgi-bin\/gen5?runprog=abce\/abce&noc=y.  ABC Electronic. 2006. ABCE Database. http:\/\/www.abce.org.uk\/cgi-bin\/gen5?runprog=abce\/abce&noc=y."},{"key":"e_1_2_1_2_1","unstructured":"Alcorn W. 2005. The cross-site scripting virus. http:\/\/www.bindshell.net\/papers\/xssv\/xssv.html.  Alcorn W. 2005. The cross-site scripting virus. http:\/\/www.bindshell.net\/papers\/xssv\/xssv.html."},{"key":"e_1_2_1_3_1","unstructured":"Alexa Internet Inc. 2006. Global top 500. http:\/\/www.alexa.com\/site\/ds\/top_500.  Alexa Internet Inc. 2006. Global top 500. http:\/\/www.alexa.com\/site\/ds\/top_500."},{"key":"e_1_2_1_4_1","unstructured":"Andersen S. and Abella V. 2004. Changes to functionality in Microsoft Windows XP Service Pack 2 Part 2: Network Protection Technologies. Microsoft TechNet. http:\/\/www.microsoft.com\/technet\/prodtechnol\/winxppro\/maintain\/sp2netwk.mspx.  
Andersen S. and Abella V. 2004. Changes to functionality in Microsoft Windows XP Service Pack 2 Part 2: Network Protection Technologies. Microsoft TechNet. http:\/\/www.microsoft.com\/technet\/prodtechnol\/winxppro\/maintain\/sp2netwk.mspx."},{"key":"e_1_2_1_5_1","unstructured":"Anonymous. 2004. About the Alexa Toolbar and traffic monitoring service: How accurate is Alexa? http:\/\/www.mediacollege.com\/internet\/utilities\/alexa\/.  Anonymous. 2004. About the Alexa Toolbar and traffic monitoring service: How accurate is Alexa? http:\/\/www.mediacollege.com\/internet\/utilities\/alexa\/."},{"key":"e_1_2_1_6_1","unstructured":"Barrett B. L. 2005. Home of the Webalizer. http:\/\/www.mrunix.net\/webalizer.  Barrett B. L. 2005. Home of the Webalizer. http:\/\/www.mrunix.net\/webalizer."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.5555\/857183.857561"},{"key":"e_1_2_1_8_1","doi-asserted-by":"crossref","unstructured":"Berners-Lee T. Masinter L. and McCahill M. 1994. Uniform Resource Locators (URL). RFC 1738.   Berners-Lee T. Masinter L. and McCahill M. 1994. Uniform Resource Locators (URL). RFC 1738.","DOI":"10.17487\/rfc1738"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242656"},{"key":"e_1_2_1_10_1","unstructured":"CERT. 2000. Advisory CA-2000-02: Malicious HTML tags embedded in client Web requests. http:\/\/www.cert.org\/advisories\/CA-2000-02.html.  CERT. 2000. Advisory CA-2000-02: Malicious HTML tags embedded in client Web requests. http:\/\/www.cert.org\/advisories\/CA-2000-02.html."},{"volume-title":"\u201cCode Red","year":"2001","author":"Advisory","key":"e_1_2_1_11_1"},{"key":"e_1_2_1_12_1","unstructured":"CERT. 2001b. Vulnerability Note VU#476267: Standard HTML form implementation contains vulnerability allowing malicious user to access SMTP NNTP POP3 and other services via crafted HTML page. http:\/\/www.kb.cert.org\/vuls\/id\/476267.  CERT. 2001b. 
Vulnerability Note VU#476267: Standard HTML form implementation contains vulnerability allowing malicious user to access SMTP NNTP POP3 and other services via crafted HTML page. http:\/\/www.kb.cert.org\/vuls\/id\/476267."},{"volume-title":"Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID\u201905)","author":"Chinchani R.","key":"e_1_2_1_13_1"},{"volume-title":"Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS\u201904)","author":"Chou N.","key":"e_1_2_1_14_1"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.5210\/fm.v7i3.935"},{"volume-title":"Proceedings of the 1st USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI\u201905)","year":"2005","author":"Cooke E.","key":"e_1_2_1_16_1"},{"volume-title":"Proceedings of the 20th National Information Systems Security Conference (NISSC\u201997)","author":"Felten E. W.","key":"e_1_2_1_17_1"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/352600.352606"},{"volume-title":"Ajax: A new approach to Web applications","year":"2005","author":"Garrett J. J.","key":"e_1_2_1_19_1"},{"key":"e_1_2_1_20_1","first-page":"11","article-title":"Cracking RC5 with Java applets. Concurrency","volume":"10","author":"Gladychev P.","year":"1998","journal-title":"Prac. Exper."},{"volume-title":"Black Hat Technical Security Conference.","author":"Grossman J.","key":"e_1_2_1_21_1"},{"key":"e_1_2_1_22_1","unstructured":"Healan M. 2003. Referer spam. http:\/\/www.spywareinfo.com\/articles\/referer_spam\/.  Healan M. 2003. Referer spam. http:\/\/www.spywareinfo.com\/articles\/referer_spam\/."},{"key":"e_1_2_1_23_1","unstructured":"Inc W. 2006. Webtrends Web analytics and Web statistics. http:\/\/www.webtrends.com.  Inc W. 2006. Webtrends Web analytics and Web statistics. 
http:\/\/www.webtrends.com."},{"volume-title":"Proceedings of the Annual USENIX Technical Conference, Freenix Track (USENIX\u201901)","author":"Ioannidis S.","key":"e_1_2_1_24_1"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1135777.1135884"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242654"},{"key":"e_1_2_1_27_1","unstructured":"Keizer G. 2005. Dutch botnet bigger than expected. http:\/\/informationweek.com\/story\/showArticle.jhtml?articleID=172303265.  Keizer G. 2005. Dutch botnet bigger than expected. http:\/\/informationweek.com\/story\/showArticle.jhtml?articleID=172303265."},{"volume-title":"Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (SSP\u201991)","author":"Kephart J. O.","key":"e_1_2_1_28_1"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/380995.381033"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/5992.895191"},{"volume-title":"Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID\u201905)","author":"Kruegel C.","key":"e_1_2_1_31_1"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948144"},{"key":"e_1_2_1_33_1","unstructured":"Lam V. T. Antonatos S. Akritidis P. and Anagnostakis K. G. 2005. PuppetNet project Web site. http:\/\/s3g.i2r.a-star.edu.sg\/proj\/puppetnets.  Lam V. T. Antonatos S. Akritidis P. and Anagnostakis K. G. 2005. PuppetNet project Web site. http:\/\/s3g.i2r.a-star.edu.sg\/proj\/puppetnets."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180434"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/PADS.2005.29"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1287\/opre.9.3.383"},{"key":"e_1_2_1_37_1","unstructured":"Maone G. 2006. Firefox add-ons: Noscript. https:\/\/addons.mozilla.org\/firefox\/722\/.  Maone G. 2006. Firefox add-ons: Noscript. 
https:\/\/addons.mozilla.org\/firefox\/722\/."},{"volume-title":"Black Hat Technical Security Conference.","author":"Moniz D.","key":"e_1_2_1_38_1"},{"key":"e_1_2_1_39_1","unstructured":"Mozilla.org. 2004. End User Guide: Automatic Proxy Configuration (PAC). http:\/\/www.mozilla.org\/catalog\/end-user\/customizing\/enduserPAC.html.  Mozilla.org. 2004. End User Guide: Automatic Proxy Configuration (PAC). http:\/\/www.mozilla.org\/catalog\/end-user\/customizing\/enduserPAC.html."},{"key":"e_1_2_1_40_1","unstructured":"Mozilla Port Blocking. 2004. http:\/\/mozilla.org\/projects\/netlib\/PortBanning.html.  Mozilla Port Blocking. 2004. http:\/\/mozilla.org\/projects\/netlib\/PortBanning.html."},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/242857.242869"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/505659.505664"},{"volume-title":"Philippine Internet security monitor - First quarter of","year":"2006","author":"Philippine Honeynet Project","key":"e_1_2_1_43_1"},{"volume-title":"Proceedings of the GI\/IEEE SIG SIDAR Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA\u201906)","author":"Polychronakis M.","key":"e_1_2_1_44_1"},{"volume-title":"Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201906)","author":"Reis C.","key":"e_1_2_1_45_1"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/251007.251012"},{"volume-title":"Proceedings of the 14th Usenix Security Symposium (SECURITY\u201905)","author":"Ross B.","key":"e_1_2_1_47_1"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/2.708448"},{"key":"e_1_2_1_49_1","unstructured":"Ruderman J. 2001. The same origin policy. http:\/\/www.mozilla.org\/projects\/security\/components\/same-origin.html.  Ruderman J. 2001. The same origin policy. 
http:\/\/www.mozilla.org\/projects\/security\/components\/same-origin.html."},{"volume-title":"Proceedings of Multimedia Computing and Networking (MMCN\u201902)","author":"Saroiu S.","key":"e_1_2_1_50_1"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/1071713.1071729"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/948205.948241"},{"key":"e_1_2_1_53_1","unstructured":"Stamm S. Ramzan Z. and Jakobson M. 2006. Drive-by pharming. Tech. rep. TR641 Department of Computer Science Indiana University.  Stamm S. Ramzan Z. and Jakobson M. 2006. Drive-by pharming. Tech. rep. TR641 Department of Computer Science Indiana University."},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/1029618.1029624"},{"volume-title":"Proceedings of the 11th USENIX Security Symposium (SECURITY\u201902)","author":"Staniford S.","key":"e_1_2_1_55_1"},{"key":"e_1_2_1_56_1","unstructured":"Stunnix. 2006. Stunnix javascript obfuscator - obfuscate javascript source code. http:\/\/www.stunnix.com\/prod\/jo\/overview.shtml.  Stunnix. 2006. Stunnix javascript obfuscator - obfuscate javascript source code. http:\/\/www.stunnix.com\/prod\/jo\/overview.shtml."},{"volume-title":"Internet Threat Report: Trends for January 05-June 05","author":"Symantec","key":"e_1_2_1_57_1"},{"key":"e_1_2_1_58_1","unstructured":"TechWeb.com. 2004. Lycos strikes back at spammers with dos screensaver. http:\/\/www.techweb.com\/wire\/security\/54201269.  TechWeb.com. 2004. Lycos strikes back at spammers with dos screensaver. http:\/\/www.techweb.com\/wire\/security\/54201269."},{"key":"e_1_2_1_59_1","unstructured":"The Honeynet Project. 2005. Know your enemy: Tracking botnets. http:\/\/www.honeynet.org\/papers\/bots\/.  The Honeynet Project. 2005. Know your enemy: Tracking botnets. http:\/\/www.honeynet.org\/papers\/bots\/."},{"key":"e_1_2_1_60_1","unstructured":"Topf J. 2001. HTML Form Protocol Attack. http:\/\/www.remote.org\/jochen\/sec\/hfpa\/.  Topf J. 2001. 
HTML Form Protocol Attack. http:\/\/www.remote.org\/jochen\/sec\/hfpa\/."},{"key":"e_1_2_1_61_1","unstructured":"VNExpress. 2005. Website of largest Vietnamese hacker group attacked by DDoS. http:\/\/vnexpress.net\/Vietnam\/Vi-tinh\/2005\/12\/3B9E4A6D\/.  VNExpress. 2005. Website of largest Vietnamese hacker group attacked by DDoS. http:\/\/vnexpress.net\/Vietnam\/Vi-tinh\/2005\/12\/3B9E4A6D\/."},{"volume-title":"Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS\u201907)","author":"Vogt P.","key":"e_1_2_1_62_1"},{"volume-title":"HOWTO: ISAPI Filter which rejects requests from SF notify preproc headers based on HTTP Referer","year":"2005","author":"Wang D.","key":"e_1_2_1_63_1"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/948187.948198"},{"volume-title":"Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS\u201906)","author":"Wang Y.-M.","key":"e_1_2_1_65_1"},{"volume-title":"Proceedings of the 13th USENIX Security Symposium (SECURITY\u201904)","author":"Weaver N.","key":"e_1_2_1_66_1"},{"key":"e_1_2_1_67_1","unstructured":"Williams A. T. and Heiser J. 2004. Protect your PCs and servers from the botnet threat. Gartner Research ID Number: G00124737.  Williams A. T. and Heiser J. 2004. Protect your PCs and servers from the botnet threat. Gartner Research ID Number: G00124737."},{"key":"e_1_2_1_68_1","unstructured":"zone-h. 2006. Digital attacks archive. http:\/\/www.zone-h.org\/en\/defacements\/.  zone-h. 2006. Digital attacks archive. 
http:\/\/www.zone-h.org\/en\/defacements\/."},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586130"}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1455518.1477941","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1455518.1477941","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:54:18Z","timestamp":1750287258000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1455518.1477941"}},"subtitle":["Misusing Web Browsers as a Distributed Attack Infrastructure"],"short-title":[],"issued":{"date-parts":[[2008,12]]},"references-count":69,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2008,12]]}},"alternative-id":["10.1145\/1455518.1477941"],"URL":"https:\/\/doi.org\/10.1145\/1455518.1477941","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"type":"print","value":"1094-9224"},{"type":"electronic","value":"1557-7406"}],"subject":[],"published":{"date-parts":[[2008,12]]},"assertion":[{"value":"2007-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2007-08-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-12-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}