Enforcing Request Integrity in Web Applications

Abstract: A web application is constructed to process an intended sequence of requests. Failing to enforce the intended sequences can lead to request integrity (RI) attacks, wherein an attacker forces an application into processing an unintended request sequence. Cross-site request forgeries (CSRF) and workflow violations are two classes of RI attacks. Enforcing the intended request sequences is essential for ensuring the integrity of the application. We describe a new approach for enforcing request integrity in a web application, and its implementation in a tool called Bayawak. Under our approach, the intended request sequences of an application are specified as a security policy, and a framework-level method enforces the security policy strictly and transparently without requiring changes to the application's source code. Our approach can be compared to operating system (OS) support for access control: access control is not built into the application, but based on OS-level policy settings. We evaluated Bayawak using nine open source web applications. Our results indicate that our approach is effective against request integrity attacks and incurs negligible overhead.
Document type:
Conference paper
Sara Foresti; Sushil Jajodia. 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSEC), Jun 2010, Rome, Italy. Springer, Lecture Notes in Computer Science, LNCS-6166, pp.225-240, 2010, Data and Applications Security and Privacy XXIV. 〈10.1007/978-3-642-13739-6_15〉

Cited literature: 20 references

https://hal.inria.fr/hal-01056686
Contributor: Hal Ifip
Submitted on: Wednesday 20 August 2014 - 13:27:50
Last modified on: Friday 11 August 2017 - 17:32:43
Long-term archiving on: Thursday 27 November 2014 - 11:48:01

File

_46.pdf
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Identifiers

Citation

Karthick Jayaraman, Grzegorz Lewandowski, Paul G. Talaga, Steve J. Chapin. Enforcing Request Integrity in Web Applications. Sara Foresti; Sushil Jajodia. 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSEC), Jun 2010, Rome, Italy. Springer, Lecture Notes in Computer Science, LNCS-6166, pp.225-240, 2010, Data and Applications Security and Privacy XXIV. 〈10.1007/978-3-642-13739-6_15〉. 〈hal-01056686〉
