The web ecosystem has become an essential platform for communication, business, and entertainment, yet it remains highly vulnerable to various forms of injection-based cyber threats. These include not only technical exploits like code injection attacks, but also social engineering threats that inject misleading content, invisible overlays, or malicious scripts to deceive users and compromise web applications. While existing security solutions tend to focus narrowly on either system hardening or user education, they often fall short in mitigating the increasingly sophisticated and blended attack techniques seen in the wild.
This dissertation presents a unified, multi-layered defense strategy against such injection-based threats through the design and implementation of three novel security mechanisms: TRIDENT, COINDEF, and COINDX. Each system targets a different class of attack vector and collectively contributes to a reduced attack surface for both end-users and developers.
We first introduce TRIDENT, a browser-based defense system that detects and blocks social engineering attacks distributed through low-tier ad networks. By analyzing the behavior of ad scripts, TRIDENT identifies and mitigates deceptive content injected into ad publisher websites that leads users to social engineering websites. Next, we propose COINDEF, a customized Electron engine designed to prevent code injection attacks by enforcing execution policies. Unlike traditional XSS mitigation strategies that focus on browser isolation, COINDEF ensures that only trusted code executes within the Electron environment by validating the structural integrity of the JavaScript abstract syntax tree and its execution context. Finally, we present COINDX, a root cause analysis framework for code injection attacks in JavaScript applications. Given the complexity of JavaScript and its dynamic dependencies, traditional vulnerability detection methods suffer from state explosion or poor accuracy. COINDX addresses this by constructing a simplified program from call stack traces and applying iterative symbolic analysis to reproduce the vulnerable state and pinpoint the root cause.
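The COINDEF idea of keying an execution policy on code structure rather than on code data can be illustrated with a small allow-list of AST skeletons. The following is an added example, not code from the dissertation or from COINDEF; it uses Python's `ast` module as a stand-in for a JavaScript parser (Node ships no AST API), and `render`, `injected` and `build_script` are constructed names for the scenario.

```python
import ast

def skeleton(source: str) -> tuple:
    """Shape of a program: node types, operators and identifier names are kept,
    literal values are blanked. Injected data that stays inside a literal leaves
    the skeleton unchanged; injected statements or calls change it."""
    def walk(node, parent=None, field=None):
        if isinstance(node, ast.AST):
            return (type(node).__name__,) + tuple(
                walk(getattr(node, f), node, f) for f in node._fields)
        if isinstance(node, list):
            return tuple(walk(n, parent, field) for n in node)
        if isinstance(parent, ast.Constant) and field == "value":
            return "<literal>"          # data, not structure
        return node                      # identifier names, keyword names, ...
    return walk(ast.parse(source))

class ExecutionPolicy:
    """Allow-list of skeletons recorded from the application's trusted code paths."""
    def __init__(self, trusted_sources):
        self.allowed = {skeleton(src) for src in trusted_sources}

    def permits(self, source: str) -> bool:
        try:
            return skeleton(source) in self.allowed
        except SyntaxError:
            return False

    def guarded_exec(self, source: str, env: dict) -> None:
        if not self.permits(source):
            raise PermissionError("code does not match any trusted structure")
        exec(source, env)

# Constructed scenario: a hybrid app builds a script from user-controlled text
# by string concatenation, the classic shape of a code injection bug.
def build_script(user_text: str) -> str:
    return f'render("{user_text}")'

def demo():
    policy = ExecutionPolicy([build_script("PLACEHOLDER")])  # recorded trusted shape
    calls = []
    env = {"render": calls.append, "injected": lambda: calls.append("INJECTED")}
    samples = {"benign": build_script("hello, alice"),
               "hostile": build_script('x"); injected(); render("')}
    results = {}
    for label, src in samples.items():
        try:
            policy.guarded_exec(src, env)
            results[label] = "executed"
        except PermissionError:
            results[label] = "blocked"
    return results, calls
```

The benign input only changes a literal, so its skeleton matches the recorded one; the hostile input adds statements and is refused before `exec` runs.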
By integrating these three systems, this dissertation advances web security through a proactive and automated defense model. Rather than reacting to known signatures or relying solely on user awareness, the proposed framework reduces the attack surface by preventing both social and technical injections before they can succeed. TRIDENT limits user exposure to deceptive web content, COINDEF safeguards execution environments in hybrid applications, and COINDX provides developers with precise tools for vulnerability remediation.
Ultimately, this research underscores the importance of a holistic approach to web security: one that recognizes the convergence of social and technical vectors under the broader category of injection attacks. The solutions presented here contribute to a more resilient web ecosystem by bridging the gap between content-level, runtime, and developer-facing defenses.