IIIT Hyderabad Publications |
Title: A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP

Authors: Krishna Chaitanya, Akash Agrawall, Venkatesh Choppella

Conference: ICISSP - International Conference on Information Systems Security and Privacy

Date: 2017-02-19

Report no: IIIT/TR/2017/33

Abstract: This document describes a web security model to analyse cross origin requests and block them using CORP, a browser security policy proposed for mitigating Cross Origin Request Attacks (CORA) such as CSRF, Clickjacking, Web application timing, etc. CORP is configured by website administrators and sent as an HTTP response header to the browser. A browser which is CORP-enabled will interpret the policy and enforce it on all cross-origin HTTP requests originating from other tabs of the browser, thus preventing malicious cross origin requests. In this document we use Alloy, a finite state model finder, to formalize a web security model to analyse malicious cross-origin attacks and verify that CORP can be used to mitigate such attacks.

Full paper: pdf

Lab: Centre for Software Engineering Research Lab