A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP
نویسندگان
چکیده
This document describes a web security model to analyse cross origin requests and block them using CORP, a browser security policy proposed for mitigating Cross Origin Request Attacks (CORA) such as CSRF, Clickjacking, Web application timing, etc. CORP is configured by website administrators and sent as an HTTP response header to the browser. A browser which is CORP-enabled will interpret the policy and enforce it on all cross-origin HTTP requests originating from other tabs of the browser, thus preventing malicious crossorigin requests. In this document we use Alloy, a finite state model finder, to formalize a web security model to analyse malicious cross-origin attacks and verify that CORP can be used to mitigate such attacks.
منابع مشابه
Anomaly-based Web Attack Detection: The Application of Deep Neural Network Seq2Seq With Attention Mechanism
Today, the use of the Internet and Internet sites has been an integrated part of the people’s lives, and most activities and important data are in the Internet websites. Thus, attempts to intrude into these websites have grown exponentially. Intrusion detection systems (IDS) of web attacks are an approach to protect users. But, these systems are suffering from such drawbacks as low accuracy in ...
متن کاملAutomatic and Precise Client-Side Protection against CSRF Attacks
A common client-side countermeasure against Cross Site Request Forgery (CSRF) is to strip session and authentication information from malicious requests. The difficulty however is in determining when a request is malicious. Existing client-side countermeasures are typically too strict, thus breaking many existing websites that rely on authenticated cross-origin requests, such as sites that use ...
متن کاملAnalyzing new features of infected web content in detection of malicious web pages
Recent improvements in web standards and technologies enable the attackers to hide and obfuscate infectious codes with new methods and thus escaping the security filters. In this paper, we study the application of machine learning techniques in detecting malicious web pages. In order to detect malicious web pages, we propose and analyze a novel set of features including HTML, JavaScript (jQuery...
متن کاملModelling and Mitigation of Cross-Origin Request Attacks on Federated Identity Management Using Cross Origin Request Policy
Cross origin request attacks (CORA) such as Cross site request forgery (CSRF), cross site timing, etc. continue to pose a threat on the modern day web. Current browser security policies inadequately mitigate these attacks. Additionally, third party authentication services are now the preferred way to carry out identity management between multiple enterprises and web applications. This scenario,...
متن کاملCsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests
Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security – or the lack thereof – making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user without their awareness. Existing client-side protecti...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2017