CORP: A Browser Policy to Mitigate Web Infiltration Attacks

  • Krishna Chaitanya Telikicherla
  • Venkatesh Choppella
  • Bruhadeshwar Bezawada
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8880)

Abstract

Cross-origin interactions constitute the core of today's collaborative World Wide Web. They are, however, also the cause of malicious behaviour such as Cross-Site Request Forgery (CSRF), clickjacking, and cross-site timing attacks, which we collectively refer to as Web Infiltration attacks. These attacks are a rampant source of information theft and privacy intrusion on the web. Existing browser security policies either ignore this class of attacks, as the Same Origin Policy does, or deal with them insufficiently, as Content Security Policy does.

In this paper, we propose a new declarative browser security policy, the "Cross Origin Request Policy" (CORP), to mitigate such attacks. CORP enables a server to exercise fine-grained control over the way different sites can access resources on the server. The server declares the policy using HTTP response headers. The web browser monitors cross-origin HTTP requests targeting the server and blocks those which do not comply with CORP. Based on lessons drawn from examining various types of cross-origin attacks, we formulate CORP and demonstrate its effectiveness and ease of deployment. We formally verify the design of CORP by modelling it in the Alloy model checker. We also implement CORP as a browser extension for the Chrome web browser and evaluate it against real-world cross-origin attacks on open-source web applications. Our initial investigation reveals that most popular websites already segregate their resources in a way which makes deployment of CORP easier.
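The abstract describes the mechanism but not the header grammar, so the following is an added example, not the paper's code or its Chrome extension: a small simulation of the browser-side check, written in JavaScript because the enforcement point is the browser. The header syntax (`<origin-pattern> <resource-types> <path-prefix>` rules separated by `;`), the rule fields, and the function names are assumptions made for illustration, and the traffic it evaluates is constructed sample input covering the three attack classes the abstract groups as web infiltration.

```javascript
// Added example, not the paper's implementation. The header syntax below is
// ASSUMED for illustration only and does not reproduce the paper's grammar:
//
//   CORP: <origin-pattern> <resource-types> <path-prefix>; <rule>; ...
//
// A cross-origin request is allowed only if some rule matches its initiator
// origin, its resource type and its target path. Same-origin requests are
// never subject to the policy.

// Constructed policy for a hypothetical https://bank.example server.
const POLICY_HEADER = '*.partner.example script,img /public; * img /images';

function parseCorpHeader(value) {
  return value
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((rule) => {
      const [originPattern, types, pathPrefix] = rule.split(/\s+/);
      return { originPattern, types: types.split(','), pathPrefix: pathPrefix || '/' };
    });
}

// Match an initiator origin (scheme://host[:port]) against a host pattern:
// '*' matches any origin, '*.suffix' matches suffix and all its subdomains.
function originMatches(pattern, origin) {
  if (pattern === '*') return true;
  const host = new URL(origin).hostname;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(2);
    return host === suffix || host.endsWith('.' + suffix);
  }
  return host === pattern;
}

function isAllowed(policy, req) {
  if (req.initiatorOrigin === req.targetOrigin) return true; // same-origin: out of scope
  return policy.some(
    (rule) =>
      originMatches(rule.originPattern, req.initiatorOrigin) &&
      (rule.types.includes('*') || rule.types.includes(req.type)) &&
      req.path.startsWith(rule.pathPrefix)
  );
}

// Constructed sample traffic against https://bank.example.
const BANK = 'https://bank.example';
const ATTACKER = 'https://attacker.example';
const SAMPLE_REQUESTS = [
  // CSRF: form POST to a state-changing endpoint from an attacker page.
  { id: 'csrf', initiatorOrigin: ATTACKER, targetOrigin: BANK, path: '/transfer', type: 'form' },
  // Clickjacking: attacker page frames the account page.
  { id: 'clickjack', initiatorOrigin: ATTACKER, targetOrigin: BANK, path: '/account', type: 'frame' },
  // Cross-site timing: attacker-issued XHR to a search endpoint.
  { id: 'timing', initiatorOrigin: ATTACKER, targetOrigin: BANK, path: '/search', type: 'xhr' },
  // Legitimate: a partner site embeds a public script.
  { id: 'partner-script', initiatorOrigin: 'https://www.partner.example', targetOrigin: BANK, path: '/public/widget.js', type: 'script' },
  // Legitimate: anyone may hotlink the logo.
  { id: 'logo', initiatorOrigin: ATTACKER, targetOrigin: BANK, path: '/images/logo.png', type: 'img' },
  // Same-origin form POST: CORP does not apply.
  { id: 'same-origin', initiatorOrigin: BANK, targetOrigin: BANK, path: '/transfer', type: 'form' },
];

// Returns { id: 'allow' | 'block' } for every request.
function evaluate(headerValue, requests) {
  const policy = parseCorpHeader(headerValue);
  const decisions = {};
  for (const req of requests) decisions[req.id] = isAllowed(policy, req) ? 'allow' : 'block';
  return decisions;
}

console.log(evaluate(POLICY_HEADER, SAMPLE_REQUESTS));
```

The point of the simulation is that the three attacks are blocked by the same rule set that still permits the partner script and the hotlinked logo, because the decision keys on initiator origin, resource type and path together rather than on any one of them. In a real browser the initiator origin and resource type are exactly what Fetch Metadata exposes to servers today as `Sec-Fetch-Site` and `Sec-Fetch-Dest`, and the standardized `Cross-Origin-Resource-Policy` header offers a coarser (same-origin / same-site / cross-origin) version of the same server-declared, browser-enforced idea.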

Keywords

Web browser security; World Wide Web; Cross-site request forgery; Access control policy

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Krishna Chaitanya Telikicherla (1)
  • Venkatesh Choppella (1)
  • Bruhadeshwar Bezawada (1)
  1. Software Engineering Research Center, International Institute of Information Technology (IIIT), Hyderabad, India