Reducing Web Attack Surface: Mitigating Social Engineering And Code Injection Threats
Author(s)
Yang, Zheng
Abstract
The increasing complexity and interconnectivity of web applications have made them attractive targets for sophisticated cyber threats. Among these, social engineering attacks and code injection vulnerabilities remain especially dangerous due to their ability to deceive users and exploit underlying application logic. Modern threat actors increasingly blur the lines between these vectors by injecting deceptive content, overlays, or scripts that exploit both user trust and technical weaknesses—leading to a rise in hybrid, injection-based attacks. While existing defenses often focus narrowly on either technical hardening or user awareness, they fall short in addressing this blended threat model. This dissertation presents a multi-layered defense strategy that reduces the attack surface for web applications by treating both social engineering and code injection as forms of injection-based exploitation. To this end, we introduce three novel systems: Trident, CoInDef, and CoInDx. Trident detects and blocks socially engineered threats delivered through low-tier ad networks by analyzing the behavior of ad scripts. CoInDef secures Electron-based applications by enforcing execution policies that ensure only trusted, structurally valid code can run. CoInDx performs root cause analysis of JavaScript injection vulnerabilities using symbolic analysis guided by call stack traces, enabling precise vulnerability diagnosis and remediation. Together, these systems offer a proactive and unified security approach that spans client-side protections, runtime enforcement, and developer support. This work advances the state of web security by addressing hybrid injection threats comprehensively and lays the foundation for future defenses that bridge content-level, execution-level, and developer-facing security measures.
Date
2025-04-09
Resource Type
Text
Resource Subtype
Dissertation