
CORP: A Browser Policy to Mitigate Web Infiltration Attacks

  • Conference paper
Information Systems Security (ICISS 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8880)

Abstract

Cross-origin interactions constitute the core of today’s collaborative World Wide Web. They are, however, also the cause of malicious behaviour such as Cross-Site Request Forgery (CSRF), clickjacking, and cross-site timing attacks, which we collectively refer to as Web Infiltration attacks. These attacks are a rampant source of information theft and privacy intrusion on the web. Existing browser security policies either ignore this class of attacks, like the Same Origin Policy, or deal with them insufficiently, like Content Security Policy.

In this paper, we propose a new declarative browser security policy — “Cross Origin Request Policy” (CORP) — to mitigate such attacks. CORP gives a server fine-grained control over the way different sites can access resources on the server. The server declares the policy using HTTP response headers. The web browser monitors cross-origin HTTP requests targeting the server and blocks those which do not comply with CORP. Based on lessons drawn from examining various types of cross-origin attacks, we formulate CORP and demonstrate its effectiveness and ease of deployment. We formally verify the design of CORP by modelling it in the Alloy model checker. We also implement CORP as a browser extension for the Chrome web browser and evaluate it against real-world cross-origin attacks on open source web applications. Our initial investigation reveals that most popular websites already segregate their resources in a way which makes deployment of CORP easier.
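As an added illustration of the declare-and-enforce model the abstract describes (this is not the paper's code or its browser extension, and CORP's real header name and syntax are not given on this page), the following JavaScript simulates the browser-side check: a policy carried in a server response header is parsed, and each cross-origin request is allowed or blocked against it, with same-origin requests and servers that send no policy passed through unchanged. The header grammar, the request-type names (`xhr`, `img`, `script`, `frame`, `form`), the sample policy and the sample traffic are all assumptions constructed here.

```javascript
// Added example: a simulated browser-side enforcement of a server-declared
// cross-origin request policy. Not the paper's implementation. The directive
// grammar, request-type names and all sample data below are assumptions made
// for illustration only.

// Assumed grammar, one directive per ";":
//   <path-prefix> allow=<origin>[,<origin>...] [types=<type>[,<type>...]]
// "allow=*" admits any origin; "allow=none" admits no cross-origin caller.
function parseCorpPolicy(headerValue) {
  const rules = [];
  for (const raw of headerValue.split(";")) {
    const directive = raw.trim();
    if (!directive) continue;
    const [prefix, ...params] = directive.split(/\s+/);
    const rule = { prefix, origins: new Set(), types: null };
    for (const param of params) {
      const eq = param.indexOf("=");
      if (eq < 0) continue; // ignore a malformed parameter rather than widening the policy
      const key = param.slice(0, eq);
      const values = param.slice(eq + 1).split(",").map(v => v.trim()).filter(Boolean);
      if (key === "allow") values.forEach(o => rule.origins.add(o));
      else if (key === "types") rule.types = new Set(values);
    }
    rules.push(rule);
  }
  // Longest prefix first, so the most specific directive wins on lookup.
  rules.sort((a, b) => b.prefix.length - a.prefix.length);
  return rules;
}

// request: { initiator: origin of the page issuing the request,
//            url: absolute target URL,
//            type: "xhr" | "img" | "script" | "frame" | "form" }
// policy:  rules from parseCorpPolicy, or null when the server sent no header.
function corpDecision(request, policy) {
  const target = new URL(request.url);
  if (request.initiator === target.origin) {
    return { action: "allow", reason: "same-origin request" };
  }
  if (policy === null) {
    return { action: "allow", reason: "server has not declared a policy" };
  }
  const rule = policy.find(r => target.pathname.startsWith(r.prefix));
  if (!rule) {
    // Once a server opts in, an uncovered path is denied to cross-origin callers.
    return { action: "block", reason: "no directive covers " + target.pathname };
  }
  if (!rule.origins.has("*") && !rule.origins.has(request.initiator)) {
    return { action: "block", reason: request.initiator + " not allowed for " + rule.prefix };
  }
  if (rule.types !== null && !rule.types.has(request.type)) {
    return { action: "block", reason: "type " + request.type + " not allowed for " + rule.prefix };
  }
  return { action: "allow", reason: "matched " + rule.prefix };
}

// Constructed sample policy a bank-like site might declare (assumed syntax):
// public assets are embeddable by anyone, the API is open to one partner's
// XHR calls only, and account pages accept no cross-origin requests at all.
const SAMPLE_POLICY_HEADER =
  "/public/ allow=* types=img,script; " +
  "/api/ allow=https://partner.example types=xhr; " +
  "/account/ allow=none";

// Constructed traffic as the browser would observe it (sample data).
const SAMPLE_REQUESTS = [
  { initiator: "https://bank.example",    url: "https://bank.example/account/transfer", type: "form"  },
  { initiator: "https://evil.example",    url: "https://bank.example/account/transfer", type: "form"  },
  { initiator: "https://evil.example",    url: "https://bank.example/account/",         type: "frame" },
  { initiator: "https://evil.example",    url: "https://bank.example/public/logo.png",  type: "img"   },
  { initiator: "https://partner.example", url: "https://bank.example/api/balance",      type: "xhr"   },
  { initiator: "https://partner.example", url: "https://bank.example/api/balance",      type: "img"   },
];

// Runs the sample traffic through the checker and returns the action per request.
function runSample() {
  const policy = parseCorpPolicy(SAMPLE_POLICY_HEADER);
  return SAMPLE_REQUESTS.map(req => corpDecision(req, policy).action);
}

console.log(runSample());
```

The second and third sample requests are the CSRF-style form post and the framing attempt the abstract groups under web infiltration; both are blocked by the `/account/` directive without the bank needing per-request tokens or frame-busting script. The last request shows why the type constraint matters: a partner origin allowed to call the API over XHR still cannot pull the same resource through an image tag.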




Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Telikicherla, K.C., Choppella, V., Bezawada, B. (2014). CORP: A Browser Policy to Mitigate Web Infiltration Attacks. In: Prakash, A., Shyamasundar, R. (eds) Information Systems Security. ICISS 2014. Lecture Notes in Computer Science, vol 8880. Springer, Cham. https://doi.org/10.1007/978-3-319-13841-1_16

  • DOI: https://doi.org/10.1007/978-3-319-13841-1_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13840-4

  • Online ISBN: 978-3-319-13841-1
